Support concurrent CSRF cookies by using a prefix of nonce (#187)

* Support concurrent CSRF cookies by using a prefix of nonce.
* Move ValidateState out and make CSRF cookies last 1h
* add tests to check csrf cookie name + minor tweaks

Co-authored-by: Michal Witkowski <michal@cerberus>
Thom Seddon
2020-09-23 14:48:04 +01:00
committed by GitHub
parent 1743537438
commit 41560feaa7
4 changed files with 76 additions and 49 deletions


@ -98,7 +98,7 @@ func TestServerAuthHandlerExpired(t *testing.T) {
// Check for CSRF cookie
var cookie *http.Cookie
for _, c := range res.Cookies() {
if c.Name == config.CSRFCookieName {
if strings.HasPrefix(c.Name, config.CSRFCookieName) {
cookie = c
}
}
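Review bot: The new `strings.HasPrefix(c.Name, config.CSRFCookieName)` match accepts any cookie whose name starts with the base name, including the bare name with no suffix, so this test would still pass if the server stopped appending the nonce-derived suffix. The loop also keeps only the last match, so a second prefixed cookie in the same response would go unnoticed. Consider asserting that exactly one cookie matches and that its name is longer than the prefix, e.g. `if len(c.Name) <= len(config.CSRFCookieName) { t.Fatalf("csrf cookie %q has no nonce suffix", c.Name) }`; the exact suffix format is not visible in this hunk, so confirm it against the cookie-naming code. The test function starts and continues outside the hunk.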