From 08e29d4ee0a1faae72a759696b1b733a3142f7c7 Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Fri, 16 Dec 2022 19:14:56 +0100
Subject: [PATCH] respect token validation mode for CSRF header

Fixes #1104

Signed-off-by: Nicola Murino
---
 internal/httpd/middleware.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/internal/httpd/middleware.go b/internal/httpd/middleware.go
index d2c10efa..136e2a90 100644
--- a/internal/httpd/middleware.go
+++ b/internal/httpd/middleware.go
@@ -299,10 +299,12 @@ func verifyCSRFHeader(next http.Handler) http.Handler {
 			return
 		}
-		if !util.Contains(token.Audience(), util.GetIPFromRemoteAddress(r.RemoteAddr)) {
-			logger.Debug(logSender, "", "error validating CSRF header IP audience")
-			sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden)
-			return
+		if tokenValidationMode != tokenValidationNoIPMatch {
+			if !util.Contains(token.Audience(), util.GetIPFromRemoteAddress(r.RemoteAddr)) {
+				logger.Debug(logSender, "", "error validating CSRF header IP audience")
+				sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden)
+				return
+			}
 		}
 		next.ServeHTTP(w, r)
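Review bot: The added guard nests two `if`s where a single condition keeps the body flat and the diff against the removed line minimal: `if tokenValidationMode != tokenValidationNoIPMatch && !util.Contains(token.Audience(), util.GetIPFromRemoteAddress(r.RemoteAddr)) {`. A one-line comment above it would also record why the check is conditional, e.g. `// the IP audience is only enforced when the configured token validation mode binds tokens to the client address; in tokenValidationNoIPMatch the token is accepted from any remote address`. Note that in that mode nothing in this hunk ties the CSRF token to the caller any more, so the signature and expiry validation that presumably happens earlier in verifyCSRFHeader (outside this hunk) becomes the only binding; the commit title suggests this is the intended trade-off for deployments where the client IP is not stable, but it is worth stating next to the constant so operators choose the mode knowingly. verifyCSRFHeader starts and ends outside the hunk.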