diff --git a/docs/docs/self-service/flows/code/settings/samples/api/init-unauth.curl.txt b/docs/docs/self-service/flows/code/settings/samples/api/init-unauth.curl.txt
index 54bedc1c99ec..48b25fd3b9de 100644
--- a/docs/docs/self-service/flows/code/settings/samples/api/init-unauth.curl.txt
+++ b/docs/docs/self-service/flows/code/settings/samples/api/init-unauth.curl.txt
@@ -9,7 +9,7 @@ $ curl -s -X GET \
 "code": 403,
 "status": "Forbidden",
 "reason": "This endpoint can only be accessed with a valid session. Please log in and try again.",
- "debug": "rid=\nerror=request does not have a valid authentication session\nreason=No active session was found in this request.\ndetails=map[]\ndebug=\n\ngithub.com/ory/kratos/session.(*ManagerHTTP).FetchFromRequest\n\t/go/src/github.com/ory/kratos/session/manager_http.go:119\ngithub.com/ory/kratos/session.(*Handler).IsAuthenticated.func1\n\t/go/src/github.com/ory/kratos/session/handler.go:163\ngithub.com/ory/kratos/x.NoCacheHandler.func1\n\t/go/src/github.com/ory/kratos/x/nocache.go:18\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/httprouter@v1.2.0/router.go:334\ngithub.com/justinas/nosurf.(*CSRFHandler).handleSuccess\n\t/go/pkg/mod/github.com/justinas/nosurf@v1.1.1/handler.go:187\ngithub.com/justinas/nosurf.(*CSRFHandler).ServeHTTP\n\t/go/pkg/mod/github.com/justinas/nosurf@v1.1.1/handler.go:144\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:96\ngithub.com/gorilla/context.ClearHandler.func1\n\t/go/pkg/mod/github.com/gorilla/context@v1.1.1/context.go:141\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2042\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2843\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1925\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1374",
+ "debug": "rid=\nerror=request does not have a valid authentication session\nreason=No active session was found in this 
request.\ndetails=map[]\ndebug=\n\ngithub.com/ory/kratos/session.(*ManagerHTTP).FetchFromRequest\n\t/go/src/github.com/ory/kratos/session/manager_http.go:119\ngithub.com/ory/kratos/session.(*Handler).IsAuthenticated.func1\n\t/go/src/github.com/ory/kratos/session/handler.go:163\ngithub.com/ory/kratos/x.NoCacheHandler.func1\n\t/go/src/github.com/ory/kratos/x/nocache.go:18\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/httprouter@v1.2.0/router.go:334\ngithub.com/ory/nosurf.(*CSRFHandler).handleSuccess\n\t/go/pkg/mod/github.com/ory/nosurf@v1.1.1/handler.go:187\ngithub.com/ory/nosurf.(*CSRFHandler).ServeHTTP\n\t/go/pkg/mod/github.com/ory/nosurf@v1.1.1/handler.go:144\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:96\ngithub.com/gorilla/context.ClearHandler.func1\n\t/go/pkg/mod/github.com/gorilla/context@v1.1.1/context.go:141\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2042\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2843\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1925\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1374",
 "message": "The requested action was forbidden"
 }
 }
diff --git a/go.mod b/go.mod
index ecd603f69deb..c772a18ad111 100644
--- a/go.mod
+++ b/go.mod
@@ -5,9 +5,6 @@ go 1.14
 // See https://github.com/markbates/pkger/pull/112
 replace github.com/markbates/pkger => github.com/falafeljan/pkger v0.17.1-0.20200722132747-95726f5b9b9b
-// Remove once https://github.com/justinas/nosurf/pull/62 is merged
-replace github.com/justinas/nosurf => github.com/aeneasr/nosurf v1.1.1-0.20201014095004-b10b0e9ff0d6
-
 replace gopkg.in/DataDog/dd-trace-go.v1 => gopkg.in/DataDog/dd-trace-go.v1 v1.27.1-0.20201005154917-54b73b3e126a
 require (
@@ -51,7 +48,6 @@ require (
 github.com/imdario/mergo v0.3.7
 github.com/jteeuwen/go-bindata v3.0.7+incompatible
 github.com/julienschmidt/httprouter v1.2.0
-github.com/justinas/nosurf v1.1.1
 github.com/leodido/go-urn v1.1.0 // indirect
 github.com/luna-duclos/instrumentedsql/opentracing v0.0.0-20201015064105-f9d01e123f16 // indirect
 github.com/markbates/pkger v0.17.0
@@ -69,6 +65,7 @@ require (
 github.com/ory/herodot v0.9.0
 github.com/ory/jsonschema/v3 v3.0.1
 github.com/ory/mail/v3 v3.0.0
+github.com/ory/nosurf v1.2.2
 github.com/ory/viper v1.7.5
 github.com/ory/x v0.0.153
 github.com/phayes/freeport v0.0.0-20180830031419-95f893ade6f2
diff --git a/go.sum b/go.sum
index 85a12fee379f..a7cc00af3661 100644
--- a/go.sum
+++ b/go.sum
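Review bot: The `// Remove once https://github.com/justinas/nosurf/pull/62 is merged` marker goes away together with the `replace` directive, and the new `require` entry gives no hint that `github.com/ory/nosurf` appears to be a fork of `justinas/nosurf` rather than an unrelated module, so the provenance of a security-critical dependency (the CSRF middleware) is no longer recorded anywhere in go.mod. A trailing comment on the require line keeps it, e.g. `github.com/ory/nosurf v1.2.2 // fork of github.com/justinas/nosurf (upstream PR 62 not merged)`, adjusted to whatever the actual reason for the fork is. Since the import path itself changes across the codebase in this commit, no `replace` is needed and the go.sum hunk correctly pins only the v1.2.2 `h1:` hashes.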
@@ -49,8 +49,6 @@ github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo= github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= -github.com/aeneasr/nosurf v1.1.1-0.20201014095004-b10b0e9ff0d6 h1:vwQCZ4WZuWxqiHWbXxVlTwkOtnJb8dGWDek7tDOxqxs= -github.com/aeneasr/nosurf v1.1.1-0.20201014095004-b10b0e9ff0d6/go.mod h1:ALpWdSbuNGy2lZWtyXdjkYv4edL23oSEgfBT1gPJ5BQ= github.com/ajg/form v0.0.0-20160822230020-523a5da1a92f h1:zvClvFQwU++UpIUBGC8YmDlfhUrweEy1R1Fj1gu5iIM= github.com/ajg/form v0.0.0-20160822230020-523a5da1a92f/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY= github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw= @@ -1089,6 +1087,8 @@ github.com/ory/mail v2.3.1+incompatible h1:vHntHDHtQXamt2T+iwTTlCoBkDvILUeujE9Oc github.com/ory/mail v2.3.1+incompatible/go.mod h1:87D9/1gB6ewElQoN0lXJ0ayfqcj3cW3qCTXh+5E9mfU= github.com/ory/mail/v3 v3.0.0 h1:8LFMRj473vGahFD/ntiotWEd4S80FKYFtiZTDfOQ+sM= github.com/ory/mail/v3 v3.0.0/go.mod h1:JGAVeZF8YAlxbaFDUHqRZAKBCSeW2w1vuxf28hFbZAw= +github.com/ory/nosurf v1.2.2 h1:lUNdxAl45nFdvR95m774e9ShgKzrSMJHvgeNSjZdarI= +github.com/ory/nosurf v1.2.2/go.mod h1:d4L3ZBa7Amv55bqxCBtCs63wSlyaiCkWVl4vKf3OUxA= github.com/ory/viper v1.5.6/go.mod h1:TYmpFpKLxjQwvT4f0QPpkOn4sDXU1kDgAwJpgLYiQ28= github.com/ory/viper v1.7.4 h1:3RWBt7Pq9kSFNxLaRT0ljNdbtaWisCQG1cLPn2Yd4UY= github.com/ory/viper v1.7.4/go.mod h1:T6sodNZKNGPpashUOk7EtXz2isovz8oCd57GNVkkNmE= diff --git a/selfservice/errorx/handler.go b/selfservice/errorx/handler.go index 1b457b4a0530..4fd9bae5a27a 100644 --- a/selfservice/errorx/handler.go +++ b/selfservice/errorx/handler.go 
@@ -5,7 +5,7 @@ import (
 "net/http"
 "github.com/julienschmidt/httprouter"
- "github.com/justinas/nosurf"
+ "github.com/ory/nosurf"
 "github.com/ory/herodot"
diff --git a/selfservice/errorx/handler_test.go b/selfservice/errorx/handler_test.go
index 2706db53b588..8467ff1177dd 100644
--- a/selfservice/errorx/handler_test.go
+++ b/selfservice/errorx/handler_test.go
@@ -10,7 +10,7 @@ import (
 "testing"
 "github.com/julienschmidt/httprouter"
- "github.com/justinas/nosurf"
+ "github.com/ory/nosurf"
 "github.com/pkg/errors"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
diff --git a/selfservice/flow/login/handler.go b/selfservice/flow/login/handler.go
index c37434e7a91c..e9fa6ec0af1b 100644
--- a/selfservice/flow/login/handler.go
+++ b/selfservice/flow/login/handler.go
@@ -49,7 +49,8 @@ func NewHandler(d handlerDependencies, c configuration.Provider) *Handler {
 }
 func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic) {
- h.d.CSRFHandler().ExemptPath(RouteInitAPIFlow)
+ h.d.CSRFHandler().IgnorePath(RouteInitAPIFlow)
+
 public.GET(RouteInitBrowserFlow, h.initBrowserFlow)
 public.GET(RouteInitAPIFlow, h.initAPIFlow)
 public.GET(RouteGetFlow, h.fetchFlow)
diff --git a/selfservice/flow/login/handler_test.go b/selfservice/flow/login/handler_test.go
index bc1064bf4be1..419dd7747850 100644
--- a/selfservice/flow/login/handler_test.go
+++ b/selfservice/flow/login/handler_test.go
@@ -59,6 +59,9 @@ func TestInitFlow(t *testing.T) {
 req := x.NewTestHTTPRequest(t, "GET", ts.URL+route, nil)
 req.URL.RawQuery = extQuery.Encode()
 body, res := testhelpers.MockMakeAuthenticatedRequest(t, reg, conf, router.Router, req)
+ if isAPI {
+ assert.Len(t, res.Header.Get("Set-Cookie"), 0)
+ }
 return res, body
 }
diff --git a/selfservice/flow/logout/handler_test.go b/selfservice/flow/logout/handler_test.go
index 0a1958e0d09c..f4a7db487a48 100644
--- a/selfservice/flow/logout/handler_test.go
+++ b/selfservice/flow/logout/handler_test.go
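Review bot: The switch from `ExemptPath` to `IgnorePath` on `RouteInitAPIFlow` in login's RegisterPublicRoutes changes what the CSRF middleware does for that route, but the call site says nothing about the difference, and `ExemptPath` remains on the `CSRFHandler` interface for the next person to reach for. From the new `Set-Cookie` assertion in the login test it looks like an ignored path is kept out of CSRF cookie issuance as well as validation, which is the security-relevant property here (an API client must never be handed a browser cookie by this endpoint); that is inferred from the test, not visible in the handler. A one-line comment pins it: `// IgnorePath (not ExemptPath): API-flow initialisation must neither validate nor issue the CSRF cookie.` RegisterPublicRoutes continues past the end of the hunk.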
@@ -8,7 +8,7 @@ import (
 "github.com/gobuffalo/httptest"
 "github.com/julienschmidt/httprouter"
- "github.com/justinas/nosurf"
+ "github.com/ory/nosurf"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
diff --git a/selfservice/flow/recovery/handler.go b/selfservice/flow/recovery/handler.go
index df254eeb2903..69bf0384cd42 100644
--- a/selfservice/flow/recovery/handler.go
+++ b/selfservice/flow/recovery/handler.go
@@ -49,7 +49,7 @@ func NewHandler(d handlerDependencies, c configuration.Provider) *Handler {
 }
 func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic) {
- h.d.CSRFHandler().ExemptPath(RouteInitAPIFlow)
+ h.d.CSRFHandler().IgnorePath(RouteInitAPIFlow)
 redirect := session.RedirectOnAuthenticated(h.c)
 public.GET(RouteInitBrowserFlow, h.d.SessionHandler().IsNotAuthenticated(h.initBrowserFlow, redirect))
diff --git a/selfservice/flow/recovery/handler_test.go b/selfservice/flow/recovery/handler_test.go
index 93807bfbc368..0d46c22cc8bb 100644
--- a/selfservice/flow/recovery/handler_test.go
+++ b/selfservice/flow/recovery/handler_test.go
@@ -81,6 +81,9 @@ func TestInitFlow(t *testing.T) {
 }
 req := x.NewTestHTTPRequest(t, "GET", publicTS.URL+route, nil)
 body, res := testhelpers.MockMakeAuthenticatedRequest(t, reg, conf, router.Router, req)
+ if isAPI {
+ assert.Len(t, res.Header.Get("Set-Cookie"), 0)
+ }
 return res, body
 }
diff --git a/selfservice/flow/registration/handler.go b/selfservice/flow/registration/handler.go
index 259a11eaa1ae..404a78a7930e 100644
--- a/selfservice/flow/registration/handler.go
+++ b/selfservice/flow/registration/handler.go
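Review bot: `assert.Len(t, res.Header.Get("Set-Cookie"), 0)` in the recovery TestInitFlow hunk takes the length of a string, and `Header.Get` returns only the first `Set-Cookie` value, so the assertion reads as a length check on one cookie rather than as "no cookie was set at all". `assert.Empty(t, res.Header.Values("Set-Cookie"))` states the intent directly and covers every value; `Header.Values` has existed since Go 1.14, which this go.mod already requires. The same line is copied into the login, registration, settings and verification tests in this commit, so a single helper (e.g. `testhelpers.AssertNoCookies(t, res)`) would keep the five copies from drifting. TestInitFlow starts before the hunk.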
@@ -49,7 +49,7 @@ func NewHandler(d handlerDependencies, c configuration.Provider) *Handler {
 }
 func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic) {
- h.d.CSRFHandler().ExemptPath(RouteInitAPIFlow)
+ h.d.CSRFHandler().IgnorePath(RouteInitAPIFlow)
 public.GET(RouteInitBrowserFlow, h.d.SessionHandler().IsNotAuthenticated(h.initBrowserFlow,
 session.RedirectOnAuthenticated(h.c)))
 public.GET(RouteInitAPIFlow, h.d.SessionHandler().IsNotAuthenticated(h.initApiFlow,
diff --git a/selfservice/flow/registration/handler_test.go b/selfservice/flow/registration/handler_test.go
index 3eccfd332570..109e24161db7 100644
--- a/selfservice/flow/registration/handler_test.go
+++ b/selfservice/flow/registration/handler_test.go
@@ -79,6 +79,9 @@ func TestInitFlow(t *testing.T) {
 }
 req := x.NewTestHTTPRequest(t, "GET", publicTS.URL+route, nil)
 body, res := testhelpers.MockMakeAuthenticatedRequest(t, reg, conf, router.Router, req)
+ if isAPI {
+ assert.Len(t, res.Header.Get("Set-Cookie"), 0)
+ }
 return res, body
 }
@@ -90,6 +93,9 @@ func TestInitFlow(t *testing.T) {
 c := publicTS.Client()
 res, err := c.Get(publicTS.URL + route)
 require.NoError(t, err)
+ if isAPI {
+ assert.Len(t, res.Header.Get("Set-Cookie"), 0)
+ }
 defer res.Body.Close()
 body, err := ioutil.ReadAll(res.Body)
 require.NoError(t, err)
diff --git a/selfservice/flow/request.go b/selfservice/flow/request.go
index bec6415b0567..b8ca26f2a88b 100644
--- a/selfservice/flow/request.go
+++ b/selfservice/flow/request.go
@@ -3,7 +3,7 @@ package flow
 import (
 "net/http"
- "github.com/justinas/nosurf"
+ "github.com/ory/nosurf"
 "github.com/pkg/errors"
 "github.com/ory/herodot"
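Review bot: In the second registration TestInitFlow hunk the new `if isAPI { … }` block is wedged between `require.NoError(t, err)` and `defer res.Body.Close()`, splitting the error check from the deferred close that belongs right after it; the body still gets closed because `assert` does not abort, but the resource handling no longer reads as one unit. Move the defer up so the three lines read `require.NoError(t, err)` / `defer res.Body.Close()` / `if isAPI { … }`, matching the first hunk in the same file where the assertion sits after all setup. TestInitFlow starts before the hunk.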
@@ -19,11 +19,16 @@ var ErrCookieHeaderNeedsBrowserFlow = herodot.ErrBadRequest.
 func VerifyRequest(
 r *http.Request,
 flowType Type,
+ disableAPIFlowEnforcement bool,
 generator func(r *http.Request) string,
 actual string,
 ) error {
 switch flowType {
 case TypeAPI:
+ if disableAPIFlowEnforcement {
+ return nil
+ }
+
 // API Based flows to not require anti-CSRF tokens because we can not leverage a session, making this
 // endpoint pointless.
diff --git a/selfservice/flow/request_test.go b/selfservice/flow/request_test.go
index de74b0a85e28..7020f30e2668 100644
--- a/selfservice/flow/request_test.go
+++ b/selfservice/flow/request_test.go
@@ -10,13 +10,13 @@ import (
 )
 func TestVerifyRequest(t *testing.T) {
- require.EqualError(t, VerifyRequest(&http.Request{}, TypeBrowser, x.FakeCSRFTokenGenerator, "not_csrf_token"), x.ErrInvalidCSRFToken.Error())
- require.NoError(t, VerifyRequest(&http.Request{}, TypeBrowser, x.FakeCSRFTokenGenerator, x.FakeCSRFToken), nil)
- require.NoError(t, VerifyRequest(&http.Request{}, TypeAPI, x.FakeCSRFTokenGenerator, ""))
+ require.EqualError(t, VerifyRequest(&http.Request{}, TypeBrowser, false, x.FakeCSRFTokenGenerator, "not_csrf_token"), x.ErrInvalidCSRFToken.Error())
+ require.NoError(t, VerifyRequest(&http.Request{}, TypeBrowser, false, x.FakeCSRFTokenGenerator, x.FakeCSRFToken), nil)
+ require.NoError(t, VerifyRequest(&http.Request{}, TypeAPI, false, x.FakeCSRFTokenGenerator, ""))
 require.EqualError(t, VerifyRequest(&http.Request{
 Header: http.Header{"Origin": {"https://www.ory.sh"}},
- }, TypeAPI, x.FakeCSRFTokenGenerator, ""), ErrOriginHeaderNeedsBrowserFlow.Error())
+ }, TypeAPI, false, x.FakeCSRFTokenGenerator, ""), ErrOriginHeaderNeedsBrowserFlow.Error())
 require.EqualError(t, VerifyRequest(&http.Request{
 Header: http.Header{"Cookie": {"cookie=ory"}},
- }, TypeAPI, x.FakeCSRFTokenGenerator, ""), ErrCookieHeaderNeedsBrowserFlow.Error())
+ }, TypeAPI, false, x.FakeCSRFTokenGenerator, ""), ErrCookieHeaderNeedsBrowserFlow.Error())
 }
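Review bot: The new `if disableAPIFlowEnforcement { return nil }` in VerifyRequest's TypeAPI branch short-circuits the `Origin`/`Cookie` header checks that (per the test cases below) reject browser-looking requests to an API flow with ErrOriginHeaderNeedsBrowserFlow / ErrCookieHeaderNeedsBrowserFlow — that rejection is the anti-CSRF guarantee for API flows, so the flag is a deliberate hole in it. Yet the updated TestVerifyRequest passes `false` in every call, so nothing pins what `true` disables or catches it silently widening later; add at least `require.NoError(t, VerifyRequest(&http.Request{Header: http.Header{"Cookie": {"cookie=ory"}}}, TypeAPI, true, x.FakeCSRFTokenGenerator, ""))`. The parameter also deserves a doc comment on VerifyRequest stating when it may be set — it reads like a development/testing escape hatch, but the configuration that feeds it is not in this diff, so confirm it defaults to off and is not reachable from request data. VerifyRequest's body continues past the end of the hunk.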
diff --git a/selfservice/flow/settings/handler.go b/selfservice/flow/settings/handler.go
index 820af5cdfb7d..1c45df8962e6 100644
--- a/selfservice/flow/settings/handler.go
+++ b/selfservice/flow/settings/handler.go
@@ -5,7 +5,7 @@ import (
 "time"
 "github.com/julienschmidt/httprouter"
- "github.com/justinas/nosurf"
+ "github.com/ory/nosurf"
 "github.com/pkg/errors"
 "github.com/ory/x/urlx"
@@ -74,7 +74,7 @@ func NewHandler(d handlerDependencies, c configuration.Provider) *Handler {
 }
 func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic) {
- h.d.CSRFHandler().ExemptPath(RouteInitAPIFlow)
+ h.d.CSRFHandler().IgnorePath(RouteInitAPIFlow)
 redirect := session.RedirectOnUnauthenticated(h.c.SelfServiceFlowLoginUI().String())
 public.GET(RouteInitBrowserFlow, h.d.SessionHandler().IsAuthenticated(h.initBrowserFlow, redirect))
diff --git a/selfservice/flow/settings/handler_test.go b/selfservice/flow/settings/handler_test.go
index 8412681d0e21..458de3a7cc17 100644
--- a/selfservice/flow/settings/handler_test.go
+++ b/selfservice/flow/settings/handler_test.go
@@ -110,6 +110,7 @@ func TestHandler(t *testing.T) {
 res, err := user1.Get(publicTS.URL + settings.RouteInitAPIFlow)
 require.NoError(t, err)
 defer res.Body.Close()
+ assert.Len(t, res.Header.Get("Set-Cookie"), 0)
 body := x.MustReadAll(res.Body)
 id := gjson.GetBytes(body, "id")
 require.NotEmpty(t, id)
diff --git a/selfservice/flow/verification/handler.go b/selfservice/flow/verification/handler.go
index d171156b89cf..2fc7011b05a5 100644
--- a/selfservice/flow/verification/handler.go
+++ b/selfservice/flow/verification/handler.go
@@ -49,7 +49,7 @@ func NewHandler(d handlerDependencies, c configuration.Provider) *Handler {
 }
 func (h *Handler) RegisterPublicRoutes(public *x.RouterPublic) {
- h.d.CSRFHandler().ExemptPath(RouteInitAPIFlow)
+ h.d.CSRFHandler().IgnorePath(RouteInitAPIFlow)
 public.GET(RouteInitBrowserFlow, h.initBrowserFlow)
 public.GET(RouteInitAPIFlow, h.initAPIFlow)
diff --git a/selfservice/flow/verification/handler_test.go b/selfservice/flow/verification/handler_test.go
index c365baccc148..9139bb181c79 100644
--- a/selfservice/flow/verification/handler_test.go
+++ b/selfservice/flow/verification/handler_test.go
@@ -43,9 +43,16 @@ func TestGetFlow(t *testing.T) {
 }))
 }
- assertFlowPayload := func(t *testing.T, body []byte) {
+ assertFlowPayload := func(t *testing.T, body []byte, isApi bool) {
+ if isApi {
+ assert.Equal(t, "api", gjson.GetBytes(body, "type").String(), "%s", body)
+ assert.Empty(t, gjson.GetBytes(body, "methods.link.config.fields.#(name==csrf_token).value").String(), "%s", body)
+ } else {
+ assert.Equal(t, "browser", gjson.GetBytes(body, "type").String(), "%s", body)
+ assert.NotEmpty(t, gjson.GetBytes(body, "methods.link.config.fields.#(name==csrf_token).value").String(), "%s", body)
+ }
+
 assert.Equal(t, "link", gjson.GetBytes(body, "methods.link.method").String(), "%s", body)
- assert.NotEmpty(t, gjson.GetBytes(body, "methods.link.config.fields.#(name==csrf_token).value").String(), "%s", body)
 assert.NotEmpty(t, gjson.GetBytes(body, "id").String(), "%s", body)
 assert.Empty(t, gjson.GetBytes(body, "headers").Value(), "%s", body)
 assert.Contains(t, gjson.GetBytes(body, "methods.link.config.action").String(), gjson.GetBytes(body, "id").String(), "%s", body)
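Review bot: The new closure parameter is spelled `isApi`, while the TestInitFlow bodies for login, recovery and registration in this same commit use `isAPI`; Go keeps initialisms in one case, so rename the declaration to `isApi bool` → `isAPI bool` and the `if isApi {` that follows it. Separately, the API branch's `assert.Empty(t, gjson.GetBytes(body, "methods.link.config.fields.#(name==csrf_token).value").String(), …)` passes both when the csrf_token field is absent and when it is present with an empty value, so it does not actually pin which shape API clients get; if one of the two is the contract, assert it explicitly, e.g. `assert.False(t, gjson.GetBytes(body, "methods.link.config.fields.#(name==csrf_token)").Exists(), "%s", body)` for "absent". The assertFlowPayload closure is fully inside the hunk.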
@@ -76,7 +83,15 @@ func TestGetFlow(t *testing.T) {
 map[string]interface{}{"enabled": true})
 t.Run("case=valid", func(t *testing.T) {
- assertFlowPayload(t, x.EasyGetBody(t, endpoint.Client(), public.URL+verification.RouteInitBrowserFlow))
+ t.Run("type=browser", func(t *testing.T) {
+ assertFlowPayload(t, x.EasyGetBody(t, endpoint.Client(), public.URL+verification.RouteInitBrowserFlow), false)
+ })
+
+ t.Run("type=api", func(t *testing.T) {
+ res, body := x.EasyGet(t, endpoint.Client(), public.URL+verification.RouteInitAPIFlow)
+ assert.Len(t, res.Header.Get("Set-Cookie"), 0)
+ assertFlowPayload(t, body, true)
+ })
 })
 t.Run("case=expired", func(t *testing.T) {
diff --git a/session/manager_http_test.go b/session/manager_http_test.go
index e91b1ad7d57f..a710ddf0bca2 100644
--- a/session/manager_http_test.go
+++ b/session/manager_http_test.go
@@ -31,6 +31,9 @@ type mockCSRFHandler struct {
 func (f *mockCSRFHandler) ExemptPath(s string) {
 }
+func (f *mockCSRFHandler) IgnorePath(s string) {
+}
+
 func (f *mockCSRFHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
diff --git a/x/nosurf.go b/x/nosurf.go
index cbc583f9fed2..0b0a80feaf47 100644
--- a/x/nosurf.go
+++ b/x/nosurf.go
@@ -4,7 +4,7 @@ import (
 "encoding/base64"
 "net/http"
- "github.com/justinas/nosurf"
+ "github.com/ory/nosurf"
 "github.com/pkg/errors"
 "github.com/ory/x/randx"
@@ -62,6 +62,9 @@ func NewFakeCSRFHandler(name string) *FakeCSRFHandler {
 func (f *FakeCSRFHandler) ExemptPath(s string) {
 }
+func (f *FakeCSRFHandler) IgnorePath(s string) {
+}
+
 func (f *FakeCSRFHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
@@ -77,6 +80,7 @@ type CSRFHandler interface {
 http.Handler
 RegenerateToken(w http.ResponseWriter, r *http.Request) string
 ExemptPath(string)
+ IgnorePath(string)
 }
 func NewCSRFHandler(
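Review bot: `CSRFHandler` in x/nosurf.go now exposes both `ExemptPath(string)` and `IgnorePath(string)` with no doc comment on either, and `FakeCSRFHandler` and `mockCSRFHandler` implement both as empty no-ops, so nothing in this package tells a caller which one keeps a route cookie-free — the distinction every handler in this diff relies on when it moves to IgnorePath. Document the two methods on the interface, along the lines of `// ExemptPath skips CSRF token validation for the path; the CSRF cookie is still issued.` and `// IgnorePath skips validation and does not issue the CSRF cookie; use it for API endpoints that must never set browser cookies.` — the exact semantics are those of github.com/ory/nosurf and should be checked against that package before committing the wording. If ExemptPath has no callers left after this commit, a `// Deprecated: use IgnorePath for API routes.` line would steer new code away from the weaker option. NewCSRFHandler begins on the hunk's last line and continues outside it.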