mirror of
https://github.com/labstack/echo.git
synced 2024-12-24 20:14:31 +02:00
Fix #1523 by adding secure cookie if SameSite mode is None
This commit is contained in:
parent
cb15226984
commit
dc147d9b97
@ -110,8 +110,8 @@ func CSRFWithConfig(config CSRFConfig) echo.MiddlewareFunc {
|
||||
if config.CookieMaxAge == 0 {
|
||||
config.CookieMaxAge = DefaultCSRFConfig.CookieMaxAge
|
||||
}
|
||||
if config.CookieSameSite == 0 {
|
||||
config.CookieSameSite = http.SameSiteDefaultMode
|
||||
if config.CookieSameSite == http.SameSiteNoneMode {
|
||||
config.CookieSecure = true
|
||||
}
|
||||
|
||||
// Initialize
|
||||
|
@ -1,6 +1,7 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"net/url"
|
||||
@ -117,3 +118,43 @@ func TestCSRFWithoutSameSiteMode(t *testing.T) {
|
||||
assert.NoError(t, r)
|
||||
assert.NotRegexp(t, "SameSite=", rec.Header()["Set-Cookie"])
|
||||
}
|
||||
|
||||
func TestCSRFWithSameSiteDefaultMode(t *testing.T) {
|
||||
e := echo.New()
|
||||
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
||||
rec := httptest.NewRecorder()
|
||||
c := e.NewContext(req, rec)
|
||||
|
||||
csrf := CSRFWithConfig(CSRFConfig{
|
||||
CookieSameSite: http.SameSiteDefaultMode,
|
||||
})
|
||||
|
||||
h := csrf(func(c echo.Context) error {
|
||||
return c.String(http.StatusOK, "test")
|
||||
})
|
||||
|
||||
r := h(c)
|
||||
assert.NoError(t, r)
|
||||
fmt.Println(rec.Header()["Set-Cookie"])
|
||||
assert.NotRegexp(t, "SameSite=", rec.Header()["Set-Cookie"])
|
||||
}
|
||||
|
||||
func TestCSRFWithSameSiteModeNone(t *testing.T) {
|
||||
e := echo.New()
|
||||
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
||||
rec := httptest.NewRecorder()
|
||||
c := e.NewContext(req, rec)
|
||||
|
||||
csrf := CSRFWithConfig(CSRFConfig{
|
||||
CookieSameSite: http.SameSiteNoneMode,
|
||||
})
|
||||
|
||||
h := csrf(func(c echo.Context) error {
|
||||
return c.String(http.StatusOK, "test")
|
||||
})
|
||||
|
||||
r := h(c)
|
||||
assert.NoError(t, r)
|
||||
assert.Regexp(t, "SameSite=None", rec.Header()["Set-Cookie"])
|
||||
assert.Regexp(t, "Secure", rec.Header()["Set-Cookie"])
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user