From 59470197c296cf2a3cdb0acd3cdd120409b4dd32 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Tue, 20 Feb 2024 14:31:04 +0100
Subject: [PATCH] Bug 36102: If CSRF check fails, try with anonymous

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
---
 Koha/Token.pm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/Koha/Token.pm b/Koha/Token.pm
index 2c0817a26d..4a806b0e37 100644
--- a/Koha/Token.pm
+++ b/Koha/Token.pm
@@ -182,7 +182,15 @@ sub check_csrf {
     my ( $self, $params ) = @_;
     return if !$params->{session_id};
     $params = _add_default_csrf_params( $params );
-    return $self->check({ %$params, type => 'CSRF' });
+    my $c = $self->check({ %$params, type => 'CSRF' });
+
+    unless ( $c ) {
+        # If the check failed we need to test with the "anonymous" in case the token was generating without the user being logged in yet.
+        $params->{id} = DEFA_SESSION_USERID . '_' . $params->{session_id};
+        $c = $self->check({ %$params, type => 'CSRF' });
+    }
+
+    return $c;
 }
 
 =head2 check_jwt
-- 
2.39.5