From be556ef17b71bf30c95a4622fa1a792e04887b19 Mon Sep 17 00:00:00 2001
From: Wolftallemo <72576136+Wolftallemo@users.noreply.github.com>
Date: Mon, 13 Jun 2022 10:36:45 -0400
Subject: [PATCH] FIX: Skip CSRF token check on webhook routes (#16982)

The `WebhookController` inherits directly from `ActionController::Base`. Since Rails 5.2, forgery protection has been enabled by default. When we applied those new defaults in 0403a8633bdedfe497ec3e2fe5d03e17940d6f16, it took effect on this controller and broke integrations. This commit explicitly disables CSRF protection on these webhook routes, and updates the specs so they'll catch this kind of regression in future.
---
 app/controllers/webhooks_controller.rb    | 1 +
 spec/requests/webhooks_controller_spec.rb | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/app/controllers/webhooks_controller.rb b/app/controllers/webhooks_controller.rb
index 81f4a5d092..e80dd92c66 100644
--- a/app/controllers/webhooks_controller.rb
+++ b/app/controllers/webhooks_controller.rb
@@ -3,6 +3,7 @@
 require "openssl"
 
 class WebhooksController < ActionController::Base
+  skip_before_action :verify_authenticity_token
 
   def mailgun
     return mailgun_failure if SiteSetting.mailgun_api_key.blank?
diff --git a/spec/requests/webhooks_controller_spec.rb b/spec/requests/webhooks_controller_spec.rb
index 7100948a80..58e439ff1e 100644
--- a/spec/requests/webhooks_controller_spec.rb
+++ b/spec/requests/webhooks_controller_spec.rb
@@ -15,6 +15,11 @@ describe WebhooksController do
 
   before do
     SiteSetting.mailgun_api_key = "key-8221462f0c915af3f6f2e2df7aa5a493"
+    ActionController::Base.allow_forgery_protection = true # Ensure the endpoint works, even with CSRF protection generally enabled
+  end
+
+  after do
+    ActionController::Base.allow_forgery_protection = false
   end
 
   it "works (deprecated)" do
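Review bot: The added `skip_before_action :verify_authenticity_token` is unscoped and uncommented, so it removes CSRF verification from every action WebhooksController has now or gains later, while nothing on the class records what stands in for it. Skipping the token check is only acceptable because each webhook action must authenticate the request itself — for `mailgun` presumably via the API key it requires on the next line, though the method body continues outside the hunk — and that invariant belongs next to the skip, e.g. `# Webhooks are server-to-server calls with no browser session, so no CSRF token can be present; every action here MUST authenticate the request itself (provider signature / API key) before acting on the payload.` Restricting the skip to the known webhook actions, `skip_before_action :verify_authenticity_token, only: %i[mailgun]` (listing each webhook action the controller defines), keeps any future non-webhook action protected by default. An alternative that keeps the check in place rather than disabling it is `protect_from_forgery with: :null_session`, which lets a token-less request through with an empty session instead of raising — suitable only if no action here reads the session.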
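Review bot: The `after` block resets `ActionController::Base.allow_forgery_protection` to a hard-coded `false` instead of the value it held before the `before` block ran, so if the test environment ever enables forgery protection globally (or another example group toggles it) this group silently switches it off for everything that runs afterwards. Capture the current value first, `@forgery_protection = ActionController::Base.allow_forgery_protection`, and restore that in `after`: `ActionController::Base.allow_forgery_protection = @forgery_protection`. The trailing comment on the `before` line also pushes it well past 120 characters; it reads better as its own line above the assignment. The enclosing `describe WebhooksController do` block and the `it "works (deprecated)"` example continue outside the hunk.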