From 0802b9dd9dc9ad56f104e5a3fb19071e731993b5 Mon Sep 17 00:00:00 2001
From: Kharec
Date: Fri, 26 Dec 2025 17:28:10 +0100
Subject: [PATCH] fix: GetCSRFToken() shouldn't fall back to the cookie

---
 internal/middleware/csrf.go | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/internal/middleware/csrf.go b/internal/middleware/csrf.go
index 41a87eb..1ce6b1a 100644
--- a/internal/middleware/csrf.go
+++ b/internal/middleware/csrf.go
@@ -37,19 +37,11 @@ func SetCSRFToken(w http.ResponseWriter, r *http.Request, token string) {
 }
 
 func GetCSRFToken(r *http.Request) string {
- if token := strings.TrimSpace(r.FormValue(CSRFTokenFormName)); token != "" {
- return token
+ token := strings.TrimSpace(r.FormValue(CSRFTokenFormName))
+ if token == "" {
+ token = strings.TrimSpace(r.Header.Get(CSRFTokenHeaderName))
 }
-
- if token := strings.TrimSpace(r.Header.Get(CSRFTokenHeaderName)); token != "" {
- return token
- }
-
- if cookie, err := r.Cookie(CSRFTokenCookieName); err == nil {
- return strings.TrimSpace(cookie.Value)
- }
-
- return ""
+ return token
 }
 
 func ValidateCSRFToken(r *http.Request) bool {
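Review bot: GetCSRFToken now correctly stops after the header fallback, but the function carries no doc comment explaining why the cookie is excluded, and that omission is exactly what a future maintainer will be tempted to "fix" by re-adding the cookie branch; suggest `// GetCSRFToken returns the token the client submitted, from the form field or the header. It intentionally never falls back to the cookie: the browser attaches the cookie to every request, so it cannot prove the request came from the application's own page.` placed above the signature. Separately, `r.FormValue` also reads URL query parameters, so a token placed in a link is accepted and can leak through Referer headers and access logs; if only POST bodies are meant to carry it, `token := strings.TrimSpace(r.PostFormValue(CSRFTokenFormName))` restricts the source, though that may be a wider change than this fix intends. ValidateCSRFToken, which presumably compares the returned value against the cookie, starts outside the hunk, so its comparison is not visible here.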