From fe57897e8e166030fb66160349dfa213f749cf57 Mon Sep 17 00:00:00 2001
From: Antonin Delpeuch
Date: Wed, 25 Dec 2019 11:02:19 +0100
Subject: [PATCH] Fix Wikidata login CSRF issue. Closes #2228.
---
 .../org/openrefine/wikidata/commands/LoginCommand.java | 8 ++++++--
 .../openrefine/wikidata/commands/LoginCommandTest.java | 6 ++++++
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/extensions/wikidata/src/org/openrefine/wikidata/commands/LoginCommand.java b/extensions/wikidata/src/org/openrefine/wikidata/commands/LoginCommand.java
index cc3330934..2983588e6 100644
--- a/extensions/wikidata/src/org/openrefine/wikidata/commands/LoginCommand.java
+++ b/extensions/wikidata/src/org/openrefine/wikidata/commands/LoginCommand.java
@@ -45,7 +45,11 @@ public class LoginCommand extends Command {
 respondCSRFError(response);
 return;
 }
-
+ respond(request, response);
+ }
+
+ protected void respond(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
 String username = request.getParameter("wb-username");
 String password = request.getParameter("wb-password");
 String remember = request.getParameter("remember-credentials");
@@ -74,6 +78,6 @@ public class LoginCommand extends Command {
 @Override
 public void doGet(HttpServletRequest request, HttpServletResponse response)
 throws ServletException, IOException {
- doPost(request, response);
+ respond(request, response);
 }
 }
diff --git a/extensions/wikidata/tests/src/org/openrefine/wikidata/commands/LoginCommandTest.java b/extensions/wikidata/tests/src/org/openrefine/wikidata/commands/LoginCommandTest.java
index 6e1b16b2f..330060650 100644
--- a/extensions/wikidata/tests/src/org/openrefine/wikidata/commands/LoginCommandTest.java
+++ b/extensions/wikidata/tests/src/org/openrefine/wikidata/commands/LoginCommandTest.java
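Review bot: The new `respond()` method, which doGet now reaches without passing the CSRF check (second hunk, -74/+78), still reads `wb-username`, `wb-password` and `remember-credentials` from the request; if the rest of its body (outside the hunk) authenticates with them, a credential-bearing GET performs a login with no token check, and the password travels in a URL query string that proxies and access logs commonly record. The CSRF-exempt path should be limited to reporting the current login state, leaving credential handling behind the token check in doPost — for example doGet calling a read-only helper such as `respondLoginState(response)` (name constructed here) instead of `respond(request, response)`. Whichever way it is resolved, respond needs a Javadoc stating its contract, e.g. `/** Performs the login and writes the result; not CSRF-checked, callers must gate it. */`. respond's body and the CSRF check that precedes the first hunk continue outside what is shown.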
@@ -34,4 +34,10 @@ public class LoginCommandTest extends CommandTest {
 command.doPost(request, response);
 TestUtils.assertEqualAsJson("{\"code\":\"error\",\"message\":\"Missing or invalid csrf_token parameter\"}", writer.toString());
 }
+
+ @Test
+ public void testGetNotCsrfProtected() throws ServletException, IOException {
+ command.doGet(request, response);
+ TestUtils.assertEqualAsJson("{\"logged_in\":false,\"username\":null}", writer.toString());
+ }
 }
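Review bot: testGetNotCsrfProtected only exercises a GET with no parameters, so it does not pin down whether a GET that carries `wb-username` and `wb-password` stays read-only and never authenticates or stores credentials — the property the CSRF exemption for doGet relies on. A companion test that stubs those two parameters on `request` (with whatever stubbing CommandTest provides), calls `command.doGet(request, response)` and asserts the same `{"logged_in":false,"username":null}` body would either lock that behaviour in or surface that GET can log in. The method name describes a missing check rather than the expected outcome; `testGetReportsLoginStateWithoutCsrfToken` would say what the assertion verifies.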