From cecbfcfa4abae73aa635453d92b2c41c077950bb Mon Sep 17 00:00:00 2001
From: John Niang
Date: Sat, 12 Oct 2024 12:15:09 +0800
Subject: [PATCH] Disable CSRF protection for actuator endpoints (#6830)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#### What type of PR is this?
/kind bug
/area core
/milestone 2.20.x
#### What this PR does / why we need it:
This PR disables CSRF protection for actuator endpoints because they are not state-changing operations.
#### Which issue(s) this PR fixes:
Fixes #6827
#### Special notes for your reviewer:
Try to restore Halo.
#### Does this PR introduce a user-facing change?
```release-note
修复恢复备份后无法自动重启的问题
```
---
 .../main/java/run/halo/app/security/CsrfConfigurer.java | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/application/src/main/java/run/halo/app/security/CsrfConfigurer.java b/application/src/main/java/run/halo/app/security/CsrfConfigurer.java
index 229050cfb..75d37cb20 100644
--- a/application/src/main/java/run/halo/app/security/CsrfConfigurer.java
+++ b/application/src/main/java/run/halo/app/security/CsrfConfigurer.java
@@ -18,8 +18,12 @@ class CsrfConfigurer implements SecurityConfigurer {
 public void configure(ServerHttpSecurity http) {
 var csrfMatcher = new AndServerWebExchangeMatcher(
 CsrfWebFilter.DEFAULT_CSRF_MATCHER,
- new NegatedServerWebExchangeMatcher(
- pathMatchers("/api/**", "/apis/**", "/system/setup"))
+ new NegatedServerWebExchangeMatcher(pathMatchers(
+ "/api/**",
+ "/apis/**",
+ "/actuator/**",
+ "/system/setup"
+ ))
 );
 http.csrf(csrfSpec -> csrfSpec
 .csrfTokenRepository(new CookieServerCsrfTokenRepository())
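Review bot: The new `"/actuator/**"` entry in the negated matcher exempts every actuator endpoint from CSRF checks, and the description's rationale ("not state-changing operations") does not hold for the actuator tree as a whole — the release note ties this change to an automatic restart, which is itself a state change, and write-capable actuator endpoints (shutdown, logger-level changes) are POST requests. Dropping CSRF on these paths is only safe if they are authorized by something other than the same session cookie a browser would send automatically, which this hunk cannot show; please confirm that in the authorization rules before merging. If the post-restore restart is the only caller that needs the exemption, narrowing the pattern to that endpoint's path (placeholder `"/actuator/<restart-endpoint>"`) instead of the whole `/actuator/**` tree would keep the remaining actuator endpoints protected. The list also deserves a why-comment so the exemption is not widened casually later, e.g. `// These paths skip CSRF; /actuator/** was added so the post-restore restart works (#6827)`. configure's body continues outside the hunk.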