fix: GetCSRFToken() shouldn't fall back to the cookie

2025-12-26 17:28:10 +01:00
parent 566890f48f
commit 0802b9dd9d
1 changed files with 4 additions and 12 deletions
--- a/internal/middleware/csrf.go
+++ b/internal/middleware/csrf.go
@@ -37,19 +37,11 @@ func SetCSRFToken(w http.ResponseWriter, r *http.Request, token string) {
 }
 func GetCSRFToken(r *http.Request) string {
-	if token := strings.TrimSpace(r.FormValue(CSRFTokenFormName)); token != "" {
+	token := strings.TrimSpace(r.FormValue(CSRFTokenFormName))
-		return token
+	if token == "" {
 		token = strings.TrimSpace(r.Header.Get(CSRFTokenHeaderName))
 	}
-
+	return token
 	if token := strings.TrimSpace(r.Header.Get(CSRFTokenHeaderName)); token != "" {
 		return token
 	}
 	if cookie, err := r.Cookie(CSRFTokenCookieName); err == nil {
 		return strings.TrimSpace(cookie.Value)
 	}
 	return ""
 }
 func ValidateCSRFToken(r *http.Request) bool {