Skip to content

Commit

Permalink
fix: resolve issue where CF cookies would mingle with CSRF detection …
Browse files Browse the repository at this point in the history
…in API flows
  • Loading branch information
aeneasr committed Mar 22, 2022
1 parent 88ea06a commit 011219a
Show file tree
Hide file tree
Showing 2 changed files with 27 additions and 1 deletion.
13 changes: 12 additions & 1 deletion selfservice/flow/request.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import (
"context"
_ "embed"
"net/http"
"strings"

"github.com/ory/kratos/driver/config"
"github.com/ory/kratos/selfservice/strategy"
Expand Down Expand Up @@ -47,7 +48,17 @@ func EnsureCSRF(reg interface {
return errors.WithStack(ErrOriginHeaderNeedsBrowserFlow)
}

if len(r.Cookies()) > 0 {
// Workaround for Cloudflare setting cookies that we can't control.
var hasCookie bool
// - __cfasdf
for _, c := range r.Cookies() {
if !strings.HasPrefix(c.Name, "__cf") {
hasCookie = true
break
}
}

if hasCookie {
return errors.WithStack(ErrCookieHeaderNeedsBrowserFlow)
}

Expand Down
15 changes: 15 additions & 0 deletions selfservice/flow/request_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,21 @@ func TestVerifyRequest(t *testing.T) {
require.EqualError(t, flow.EnsureCSRF(reg, &http.Request{
Header: http.Header{"Cookie": {"cookie=ory"}},
}, flow.TypeAPI, false, x.FakeCSRFTokenGenerator, ""), flow.ErrCookieHeaderNeedsBrowserFlow.Error())

// Cloudflare
require.NoError(t, flow.EnsureCSRF(reg, &http.Request{
Header: http.Header{"Cookie": {"__cflb=0pg1RtZzPoPDprTf8gX3TJm8XF5hKZ4pZV74UCe7"}},
}, flow.TypeAPI, false, x.FakeCSRFTokenGenerator, ""), flow.ErrCookieHeaderNeedsBrowserFlow.Error())
require.NoError(t, flow.EnsureCSRF(reg, &http.Request{
Header: http.Header{"Cookie": {"__cflb=0pg1RtZzPoPDprTf8gX3TJm8XF5hKZ4pZV74UCe7; __cfruid=0pg1RtZzPoPDprTf8gX3TJm8XF5hKZ4pZV74UCe7"}},
}, flow.TypeAPI, false, x.FakeCSRFTokenGenerator, ""), flow.ErrCookieHeaderNeedsBrowserFlow.Error())
require.Error(t, flow.EnsureCSRF(reg, &http.Request{
Header: http.Header{"Cookie": {"__cflb=0pg1RtZzPoPDprTf8gX3TJm8XF5hKZ4pZV74UCe7; __cfruid=0pg1RtZzPoPDprTf8gX3TJm8XF5hKZ4pZV74UCe7; some_cookie=some_value"}},
}, flow.TypeAPI, false, x.FakeCSRFTokenGenerator, ""), flow.ErrCookieHeaderNeedsBrowserFlow.Error())
require.Error(t, flow.EnsureCSRF(reg, &http.Request{
Header: http.Header{"Cookie": {"some_cookie=some_value"}},
}, flow.TypeAPI, false, x.FakeCSRFTokenGenerator, ""), flow.ErrCookieHeaderNeedsBrowserFlow.Error())
require.NoError(t, flow.EnsureCSRF(reg, &http.Request{}, flow.TypeAPI, false, x.FakeCSRFTokenGenerator, ""), flow.ErrCookieHeaderNeedsBrowserFlow.Error())
}

func TestMethodEnabledAndAllowed(t *testing.T) {
Expand Down

0 comments on commit 011219a

Please sign in to comment.