fix: update csrf token cookie name (#1601)

See ory-corp/cloud#1252
ory · Jul 28, 2021 · 64c90bf · 64c90bf
1 parent 60d848d
commit 64c90bf
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/x/nosurf.go b/x/nosurf.go
@@ -1,7 +1,9 @@
 package x
 
 import (
+	"crypto/sha256"
 	"encoding/base64"
+	"fmt"
 	"net/http"
 
 	"github.com/ory/kratos/driver/config"
@@ -122,7 +124,7 @@ type CSRFHandler interface {
 func CSRFCookieName(reg interface {
 	config.Provider
 }, r *http.Request) string {
-	return base64.RawURLEncoding.EncodeToString([]byte(reg.Config(r.Context()).SelfPublicURL(r).String())) + "_csrf_token"
+	return "csrf_token_" + fmt.Sprintf("%x", sha256.Sum256([]byte(reg.Config(r.Context()).SelfPublicURL(r).String())))
 }
 
 func NosurfBaseCookieHandler(reg interface {

diff --git a/x/nosurf_test.go b/x/nosurf_test.go
@@ -28,7 +28,7 @@ func TestNosurfBaseCookieHandler(t *testing.T) {
 	require.NoError(t, conf.Source().Set(config.ViperKeyPublicBaseURL, "http://foo.com/bar"))
 
 	cookie := x.NosurfBaseCookieHandler(reg)(httptest.NewRecorder(), httptest.NewRequest("GET", "https://foo/bar", nil))
-	assert.EqualValues(t, "aHR0cDovL2Zvby5jb20vYmFy_csrf_token", cookie.Name, "base64 representation of http://foo.com/bar")
+	assert.EqualValues(t, "csrf_token_01c86631efd1537ee34a98e75884a6e21dd8e2d9e944934bca21204106bfd32f", cookie.Name, "base64 representation of http://foo.com/bar")
 	assert.EqualValues(t, http.SameSiteLaxMode, cookie.SameSite, "is set to lax because https/secure is false - chrome rejects none samesite on non-https")
 	assert.EqualValues(t, nosurf.MaxAge, cookie.MaxAge)
 	assert.EqualValues(t, "/", cookie.Path, "cookie path is site root by default")