fix inconsistent cookies, set csrf cookie path

while working on the /set-language route, i noticed that i was getting a
csrf error for all /admin views when setting the language, while it
worked well on non-admin routes.

the issue, it turned out, was that we needed to configure gorilla's csrf
feature to set all cookies on the same route. when unconfigured, the
set cookies will only be set for the path they are being set at.

see more in the gorilla.csrf documentation (in particular the csrf.Path
option): https://pkg.go.dev/github.com/gorilla/csrf?utm_source=godoc#Path
cblgh 2021-04-19 13:46:39 +02:00
parent c97b7d44c3
commit b9fe27b0ca
1 changed files with 1 additions and 0 deletions

@ -204,6 +204,7 @@ func New(
}
CSRF := csrf.Protect(csrfKey,
csrf.Path("/"),
csrf.ErrorHandler(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
err := csrf.FailureReason(req)
// TODO: localize error?
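
Review bot: the `csrf.Path("/")` option in the `csrf.Protect(csrfKey, ...)` call has no comment, so the reason it is needed is recorded only in the commit message. A one-line comment above it, noting that without an explicit path the CSRF cookie is scoped to the path it was set at and that this caused CSRF errors on /admin views after using /set-language, would keep a later cleanup from removing it. A regression test that obtains a token on a non-admin route and then submits a form to an /admin route would also pin the fix down.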