From 2cc4dfc057b945c88b8231dc948761fd83f5ebe4 Mon Sep 17 00:00:00 2001
From: selfhoster1312
Date: Mon, 14 Aug 2023 15:44:28 +0200
Subject: [PATCH] Bypass CSRF protection for the /yunohost/portalapi/login route Allowing login from simple HTML form
---
 moulinette/interfaces/api.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/moulinette/interfaces/api.py b/moulinette/interfaces/api.py
index ac632ec0..233a8d5f 100644
--- a/moulinette/interfaces/api.py
+++ b/moulinette/interfaces/api.py
@@ -272,7 +272,7 @@ class _ActionsMapPlugin:
 name="login",
 method="POST",
 callback=self.login,
- skip=["actionsmap"],
+ skip=[filter_csrf, "actionsmap"],
 )
 app.route(
 "/logout",
@@ -362,9 +362,12 @@ class _ActionsMapPlugin:
 credentials = request.json["credentials"]
 profile = request.json.get("profile", self.actionsmap.default_authentication)
 else:
- if "credentials" not in request.params:
+ if "credentials" in request.params:
+ credentials = request.params["credentials"]
+ else:
+ if "username" in request.params and "password" in request.params:
+ credentials = request.params["username"] + ":" + request.params["password"]
 raise HTTPResponse("Missing credentials parameter", 400)
- credentials = request.params["credentials"]
 profile = request.params.get("profile", self.actionsmap.default_authentication)
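Review bot: Adding `filter_csrf` to `skip` on the `login` route leaves the credential-accepting endpoint with no cross-site request check visible in this patch, so a third-party page could submit the login form on a visitor's behalf and sign them into an account they did not choose (login CSRF). The `app.route(` call starts above the hunk, so the path and the apps this `_ActionsMapPlugin` is installed on are not visible; if the plugin also backs an API other than the portal one named in the subject, the exemption would apply there too. Consider keeping a check that plain HTML forms can pass, such as rejecting requests whose `Origin`/`Referer` host differs from the request host, and setting the session cookie with `SameSite`. At minimum the changed line deserves a comment such as `# CSRF filter skipped so the portal's plain HTML form can POST here; compensating check: <placeholder>`. Separately, in the second hunk (its trailing context is cut off on this page) the unchanged `raise HTTPResponse("Missing credentials parameter", 400)` appears to sit directly in the new `else:` after the `username`/`password` test, so the form login would always return 400 unless the raise moves under its own `else:`.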