Merge branch 'auth-expire-self' of https://github.com/flipt-io/flipt …

…into auth-expire-self * 'auth-expire-self' of https://github.com/flipt-io/flipt: fix(csrf): dont attempt to create CSRF token when key is not defined (#1280)
flipt-io · Jan 20, 2023 · 88b6a24 · 88b6a24
2 parents 16e5c89 + eb774b9
commit 88b6a24
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/internal/cmd/http.go b/internal/cmd/http.go
@@ -129,7 +129,9 @@ func NewHTTPServer(
 		r.Group(func(r chi.Router) {
 			r.Use(func(handler http.Handler) http.Handler {
 				return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-					w.Header().Set("X-CSRF-Token", csrf.Token(r))
+					if cfg.Authentication.Session.CSRF.Key != "" {
+						w.Header().Set("X-CSRF-Token", csrf.Token(r))
+					}
 
 					handler.ServeHTTP(w, r)
 				})