fix: disable cookie auth for non GET requests

filebrowser · Jul 18, 2022 · 80030de · 80030de
1 parent cb43770
commit 80030de
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/http/auth.go b/http/auth.go
@@ -53,9 +53,11 @@ func (e extractor) ExtractToken(r *http.Request) (string, error) {
 		return auth, nil
 	}
 
-	cookie, _ := r.Cookie("auth")
-	if cookie != nil && strings.Count(cookie.Value, ".") == 2 {
-		return cookie.Value, nil
+	if r.Method == http.MethodGet {
+		cookie, _ := r.Cookie("auth")
+		if cookie != nil && strings.Count(cookie.Value, ".") == 2 {
+			return cookie.Value, nil
+		}
 	}
 
 	return "", request.ErrNoTokenInRequest