[ROMM-1505] Skip CSRF checks when request has Authorization header

backend/endpoints/rom.py

@@ -389,8 +389,8 @@ async def update_rom(
         )
 
     cleaned_data = {
-        "igdb_id": data.get("igdb_id", None),
-        "moby_id": data.get("moby_id", None),
+        "igdb_id": data.get("igdb_id", rom.igdb_id),
+        "moby_id": data.get("moby_id", rom.moby_id),
     }
 
     if (

backend/handler/auth/middleware.py

@@ -5,17 +5,26 @@
 from joserfc.errors import BadSignatureError
 from joserfc.jwk import OctKey
 from starlette.datastructures import MutableHeaders, Secret
-from starlette.requests import HTTPConnection
+from starlette.requests import HTTPConnection, Request
 from starlette.types import ASGIApp, Message, Receive, Scope, Send
 from starlette_csrf.middleware import CSRFMiddleware
 
 
 class CustomCSRFMiddleware(CSRFMiddleware):
     async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
+        # Skip CSRF check if not an HTTP request, like websockets
         if scope["type"] != "http":
             await self.app(scope, receive, send)
             return
 
+        request = Request(scope, receive)
+
+        # Skip CSRF check if Authorization header is present
+        auth_scheme = request.headers.get("Authorization", "").split(" ", 1)[0].lower()
+        if auth_scheme == "bearer" or auth_scheme == "basic":
+            await self.app(scope, receive, send)
+            return
+
         await super().__call__(scope, receive, send)