authorzeripath <art27@cantab.net>2018-11-04 01:15:55 +0000
committertechknowlogick <hello@techknowlogick.com>2018-11-03 21:15:55 -0400
commit7096085f2b07246315e95e394b180ce9729efbb0 (patch)
treebd19725b9897567b5868d7edabe7a800da1899f4 /integrations/api_admin_test.go
parent57a8440db372d3b2a01d3ef12a4a560424a08657 (diff)
Fix #5226 by adding CSRF checking to api reqToken and add CSRF to the POST header for deadline (#5250)
* Add CSRF checking to reqToken and place CSRF in the post for deadline creation Fixes #5226, #5249 * /api/v1/admin/users routes should have reqToken middleware
Diffstat (limited to 'integrations/api_admin_test.go')
-rw-r--r--integrations/api_admin_test.go10
1 files changed, 5 insertions, 5 deletions
diff --git a/integrations/api_admin_test.go b/integrations/api_admin_test.go
index 690edad757..b8dded9c11 100644
--- a/integrations/api_admin_test.go
+++ b/integrations/api_admin_test.go
@@ -39,8 +39,8 @@ func TestAPIAdminCreateAndDeleteSSHKey(t *testing.T) {
OwnerID: keyOwner.ID,
})
- req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token="+token,
- keyOwner.Name, newPublicKey.ID)
+ req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
+ keyOwner.Name, newPublicKey.ID, token)
session.MakeRequest(t, req, http.StatusNoContent)
models.AssertNotExistsBean(t, &models.PublicKey{ID: newPublicKey.ID})
}
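Review bot: None of the three DELETE requests touched here exercises the CSRF check that the commit description says was added to reqToken: each is sent through a logged-in `session` and also carries `?token=%s`, so it presumably authenticates by token and would pass with or without the new check. A case that sends the same DELETE with the session cookie alone, e.g. `req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d", keyOwner.Name, newPublicKey.ID)`, and asserts that it is rejected would pin the fix; in this test it has to run before the successful delete, and it assumes the session helper does not attach a CSRF token on its own. The same gap applies to the hunks in TestAPIAdminDeleteMissingSSHKey and TestAPIAdminDeleteUnauthorizedKey. The test function starts above this hunk, so an existing cookie-only case elsewhere in the file cannot be ruled out from here.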
@@ -51,7 +51,7 @@ func TestAPIAdminDeleteMissingSSHKey(t *testing.T) {
session := loginUser(t, "user1")
token := getTokenForLoggedInUser(t, session)
- req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token="+token, models.NonexistentID)
+ req := NewRequestf(t, "DELETE", "/api/v1/admin/users/user1/keys/%d?token=%s", models.NonexistentID, token)
session.MakeRequest(t, req, http.StatusNotFound)
}
@@ -73,8 +73,8 @@ func TestAPIAdminDeleteUnauthorizedKey(t *testing.T) {
session = loginUser(t, normalUsername)
token = getTokenForLoggedInUser(t, session)
- req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token="+token,
- adminUsername, newPublicKey.ID)
+ req = NewRequestf(t, "DELETE", "/api/v1/admin/users/%s/keys/%d?token=%s",
+ adminUsername, newPublicKey.ID, token)
session.MakeRequest(t, req, http.StatusForbidden)
}