chore: fix csrf error message on empty session header (#14018)

* chore: fix csrf error message on empty session header

A more detailed error message was added to catch mismatched
session tokens. That error was mistakenly being returned for
every CSRF failure, not only for the mismatch case.
This commit is contained in:
Steven Masley
2024-07-25 15:58:23 -05:00
committed by GitHub
parent 2279441517
commit 915f69080a
2 changed files with 78 additions and 1 deletions


@ -22,7 +22,9 @@ func CSRF(secureCookie bool) func(next http.Handler) http.Handler {
mw.SetBaseCookie(http.Cookie{Path: "/", HttpOnly: true, SameSite: http.SameSiteLaxMode, Secure: secureCookie})
mw.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
sessCookie, err := r.Cookie(codersdk.SessionTokenCookie)
if err == nil && r.Header.Get(codersdk.SessionTokenHeader) != sessCookie.Value {
if err == nil &&
r.Header.Get(codersdk.SessionTokenHeader) != "" &&
r.Header.Get(codersdk.SessionTokenHeader) != sessCookie.Value {
// If a user is using header authentication and cookie auth, but the values
// do not match, the cookie value takes priority.
// At the very least, return a more helpful error to the user.
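Review bot: The session header is read twice in the new condition, once for the empty check and once for the comparison; hoisting it into a local reads more clearly and makes the intent explicit, e.g. `headerToken := r.Header.Get(codersdk.SessionTokenHeader)` before the `if`, then `if err == nil && headerToken != "" && headerToken != sessCookie.Value {`. Because this branch only chooses a more descriptive message for a request the CSRF middleware has already rejected, a plain `!=` on the two values is acceptable here, but the response built inside the branch (its body continues past the hunk) should not echo either the header or cookie token back to the client — a comment such as `// Never include the header or cookie token value in the error response.` at the top of the branch would pin that expectation for future edits. The enclosing failure handler and the `CSRF` function both end outside the hunk.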