[bug] Generate CSRF tokens for skipped requests #163

Open
Airblader opened this issue Sep 6, 2022 · 0 comments

Describe the bug

(First off, I'm not 100% sure whether this is a bug, a feature request, or me not understanding something, so apologies if I categorized it incorrectly.)

I have a REST API that uses JWT authentication for non-browser clients, but want to support cookie-based authentication for web clients. To support this, I am calling UnsafeSkipCheck if no authentication / session cookie is present in the request (and JWT authentication will be used instead where I do not worry about CSRF).

However, calling UnsafeSkipCheck exits so early that no CSRF token is ever generated, which means that GET requests will not be responded to with an X-CSRF-Token header, and the client has essentially no way of obtaining a CSRF token.

Is there a reason why skipping the check prevents a token from being generated altogether? Am I just approaching this wrong?

I can call UnsafeSkipCheck much more selectively to bypass this issue, but that doesn't feel correct.

Versions

Go version: go version go1.19 darwin/arm64
package version: v1.7.1

Airblader added the bug label Sep 6, 2022
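The selective-skip arrangement mentioned in the report, as an added example that is not part of the original issue or the project's code. `protect` is a simplified, hypothetical stand-in that reproduces the reported early exit; the cookie names `session` and `csrf`, the `skipKey` flag and the `ok` handler are assumptions.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
)

type skipKey struct{}
var safe = map[string]bool{"GET": true, "HEAD": true, "OPTIONS": true}
var ok = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok\n")) })

// protect: simplified, hypothetical stand-in; a skip flag returns before any token is issued.
func protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if skip, _ := r.Context().Value(skipKey{}).(bool); skip {
			next.ServeHTTP(w, r) // early exit: no check and no X-CSRF-Token header
			return
		}
		c, err := r.Cookie("csrf")
		if err != nil || c.Value == "" { // an empty cookie must never match an empty header
			b := make([]byte, 16)
			if _, err := rand.Read(b); err != nil {
				panic(err) // fail closed; net/http recovers and aborts the request
			}
			c = &http.Cookie{Name: "csrf", Value: hex.EncodeToString(b), HttpOnly: true}
			http.SetCookie(w, c)
		}
		w.Header().Set("X-CSRF-Token", c.Value)
		if !safe[r.Method] && subtle.ConstantTimeCompare([]byte(r.Header.Get("X-CSRF-Token")), []byte(c.Value)) != 1 {
			http.Error(w, "bad CSRF token", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// selectiveSkip flags only unsafe-method requests that carry no session cookie.
func selectiveSkip(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := r.Cookie("session"); err != nil && !safe[r.Method] {
			r = r.WithContext(context.WithValue(r.Context(), skipKey{}, true))
		}
		next.ServeHTTP(w, r)
	})
}

func main() { http.ListenAndServe("127.0.0.1:8080", selectiveSkip(protect(ok))) }
```

Safe-method requests never carry the flag, so a browser client can fetch a token with a GET before it has a session cookie, while any state-changing request that does carry the session cookie is still checked. The line that sets the flag is where UnsafeSkipCheck would be called.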