From 2a425c9ae759136898f76448dbd2b93603c4929c Mon Sep 17 00:00:00 2001
From: Chad Whitacre
Date: Sat, 12 Nov 2016 13:26:39 -0800
Subject: [PATCH] We don't have /callbacks/ anymore
---
 gratipay/security/csrf.py | 7 +------
 tests/py/test_security_csrf.py | 3 +++
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/gratipay/security/csrf.py b/gratipay/security/csrf.py
index 247285b1cf..cce453a718 100644
--- a/gratipay/security/csrf.py
+++ b/gratipay/security/csrf.py
@@ -36,9 +36,8 @@ def extract_token_from_cookie(request):
 token = _sanitize_token(token)
 # Don't set a CSRF cookie on assets, to avoid busting the cache.
- # Don't set it on callbacks, because we don't need it there.
- if request.path.raw.startswith('/assets/') or request.path.raw.startswith('/callbacks/'):
+ if request.path.raw.startswith('/assets/'):
 token = None
 else:
 token = token or _get_new_token()
@@ -50,10 +49,6 @@ def reject_forgeries(request, csrf_token):
 # Assume that anything not defined as 'safe' by RC2616 needs protection.
 if request.line.method not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
- # But for webhooks we depend on IP filtering for security.
- if request.line.uri.startswith('/callbacks/'):
- return
-
 # Check non-cookie token for match.
 second_token = ""
 if request.line.method == "POST":
diff --git a/tests/py/test_security_csrf.py b/tests/py/test_security_csrf.py
index 87dde53ad4..bcd4a620c4 100644
--- a/tests/py/test_security_csrf.py
+++ b/tests/py/test_security_csrf.py
@@ -47,3 +47,6 @@ def test_csrf_cookie_set_for_most_requests(self):
 def test_no_csrf_cookie_set_for_assets(self):
 r = self.client.GET('/assets/gratipay.css')
 assert b'csrf_token' not in r.headers.cookie
+
+ def test_that_missing_csrf_doesnt_confuse_whatever(self):
+ pass
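Review bot: With the `/callbacks/` early `return` removed, `reject_forgeries` has no path-based exemption left, and that deserves a comment so the next webhook endpoint is not re-exempted by URL prefix: the removed lines relied on IP filtering as the sole check, which is weaker than verifying the request itself. Suggest, under the `request.line.method not in (...)` test, `# No per-path exemptions: an endpoint that cannot carry a CSRF token must authenticate the request on its own, not be skipped here.` The context comment on the same hunk still reads `RC2616`; it should read `RFC 2616`. The body of `reject_forgeries` begins before and continues after this hunk.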
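Review bot: `test_that_missing_csrf_doesnt_confuse_whatever` is a bare `pass`, so it passes regardless of what `reject_forgeries` does and adds no coverage for the bypass this commit closes. Either give it a body that drives the new behaviour — a non-safe-method request to a former `/callbacks/` URL with no csrf token, asserting it is rejected — or skip it explicitly with a reason rather than leave an always-green placeholder, and rename it to say what is being asserted. The enclosing test class starts outside the hunk.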