LPS-203432 Pass along Cross-Site Request Forgery token in header, for cases where locally-executed REST calls are required. This prevents the regression from LPS-203799 from occurring, while resolving the originally scoped issue from LPS-203432.

ChrisKian · brianchandotcom · commit bc6138ce1be2 · 2024-01-18T04:34:50.000+09:00
diff --git a/modules/apps/portal-vulcan/portal-vulcan-impl/src/main/java/com/liferay/portal/vulcan/internal/template/servlet/RESTClientHttpRequest.java b/modules/apps/portal-vulcan/portal-vulcan-impl/src/main/java/com/liferay/portal/vulcan/internal/template/servlet/RESTClientHttpRequest.java
@@ -7,6 +7,7 @@
 
 import com.liferay.portal.kernel.servlet.HttpHeaders;
 import com.liferay.portal.kernel.servlet.HttpMethods;
+import com.liferay.portal.kernel.servlet.PortalSessionThreadLocal;
 import com.liferay.portal.kernel.util.ContentTypes;
 import com.liferay.portal.kernel.util.HashMapBuilder;
 import com.liferay.portal.kernel.util.PortalUtil;
@@ -68,6 +69,19 @@ public RESTClientHttpRequest(
 
 				return locale.toLanguageTag();
 			}
+		).put(
+			"X-CSRF-Token",
+			() -> {
+				HttpSession httpSession =
+					PortalSessionThreadLocal.getHttpSession();
+
+				if (httpSession != null) {
+					return (String)httpSession.getAttribute(
+						WebKeys.AUTHENTICATION_TOKEN + "#CSRF");
+				}
+
+				return null;
+			}
 		).build();
 		_httpServletRequest = httpServletRequest;
 	}
