No way to get a CSRF token when using creds-based auth and cookies

[bts]

CSRF cookies seem to be set in response to requests authenticated with a Bearer token, but not in response to those authenticated with a cookie the user logging in with credentials.

It seems like this functionality should be swapped:

• Responses to Bearer-authenticated (API) requests should not set a CSRF cookie
• Responses to Cookie-authenticated the user logging in with creds (browser) requests should set a CSRF cookie

See also #10

[bts]

Now that I implemented #13 I see that cookie-authenticated requests (post-login) do set a CSRF cookie in their response, but using the example code in the README, the initial creds-based login request does not respond with a CSRF cookie when the user is authenticated. So currently without #13, there is no way to get CSRF token when using cookies until this issue is fixed.

I will take a look at this some more tomorrow.

[bts]

@jkarni To serve a CSRF cookie when the user logs in with credentials (i.e. not an API token), should I:

(1) do something like extracting a function from https://github.com/plow-technologies/servant-auth/blob/1e8529f19023db008a3868b1111b3bb5b20da737/servant-auth-server/src/Servant/Auth/Server/Internal.hs#L37-L46 and using that in my application's login handler,
or (2) using the AddSetCookie machinery to automatically set a CSRF cookie when my login handler succeeds?

Thanks!

[jkarni]

Hey, sorry for the delay. You're absolutely correct that I made a mistake with not setting the CSRF token. I'll provide a function for adding both the cookie and the CSRF token, to be used with login handlers (basically your proposed (1), but more nicely packaged). I think AddSetCookie is a little heavy for this purpose.

[bts]

That sounds great -- thank you Julian!

[3noch]

Is this fixed?

[domenkozar]

My understanding is: for cookie auth this was fixed, while formlogin is not even implemented.

[domenkozar]

I'm closing this as it was fixed, please let me know if I missed something.