From dd8bd15a76450f69202d68759f3709190fa353f8 Mon Sep 17 00:00:00 2001
From: Dan Milne
Date: Fri, 2 Jan 2026 15:29:34 +1100
Subject: [PATCH] CSRF issue with API endpoint

---
 app/controllers/oidc_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/oidc_controller.rb b/app/controllers/oidc_controller.rb
index e774a92..5488c20 100644
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -1,7 +1,7 @@
 class OidcController < ApplicationController
   # Discovery and JWKS endpoints are public
   allow_unauthenticated_access only: [:discovery, :jwks, :token, :revoke, :userinfo, :logout]
-  skip_before_action :verify_authenticity_token, only: [:token, :revoke, :logout]
+  skip_before_action :verify_authenticity_token, only: [:token, :revoke, :userinfo, :logout]
   # Rate limiting to prevent brute force and abuse
   rate_limit to: 60, within: 1.minute, only: [:token, :revoke], with: -> {