fix: remove unused x-session-cookie parameter

This patch removes the undocumented and experimental `X-Session-Cookie` header from the `/sessions/whoami` endpoint.
ory · Dec 25, 2022 · 6e0993a · 6e0993a
1 parent efb8ae8
commit 6e0993a
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 44 deletions.
diff --git a/session/manager_http.go b/session/manager_http.go
@@ -68,9 +68,8 @@ func (s *ManagerHTTP) UpsertAndIssueCookie(ctx context.Context, w http.ResponseW
 
 func (s *ManagerHTTP) RefreshCookie(ctx context.Context, w http.ResponseWriter, r *http.Request, session *Session) error {
 	// If it is a session token there is nothing to do.
-	cookieHeader := r.Header.Get("X-Session-Cookie")
 	_, cookieErr := r.Cookie(s.cookieName(r.Context()))
-	if len(cookieHeader) == 0 && errors.Is(cookieErr, http.ErrNoCookie) {
+	if errors.Is(cookieErr, http.ErrNoCookie) {
 		return nil
 	}
 
@@ -156,12 +155,6 @@ func getCookieExpiry(s *sessions.Session) *time.Time {
 }
 
 func (s *ManagerHTTP) getCookie(r *http.Request) (*sessions.Session, error) {
-	if cookie := r.Header.Get("X-Session-Cookie"); len(cookie) > 0 {
-		rr := *r
-		r = &rr
-		r.Header = http.Header{"Cookie": []string{s.cookieName(r.Context()) + "=" + cookie}}
-	}
-
 	return s.r.CookieManager(r.Context()).Get(r, s.cookieName(r.Context()))
 }
 

diff --git a/session/manager_http_test.go b/session/manager_http_test.go
@@ -16,8 +16,6 @@ import (
 
 	"github.com/ory/kratos/driver"
 
-	"github.com/ory/x/urlx"
-
 	"github.com/julienschmidt/httprouter"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -278,40 +276,6 @@ func TestManagerHTTP(t *testing.T) {
 			assert.EqualValues(t, http.StatusInternalServerError, res.StatusCode)
 		})
 
-		t.Run("case=valid and uses x-session-cookie", func(t *testing.T) {
-			req := x.NewTestHTTPRequest(t, "GET", "/sessions/whoami", nil)
-			conf.MustSet(ctx, config.ViperKeySessionLifespan, "1m")
-
-			i := identity.Identity{Traits: []byte("{}")}
-			require.NoError(t, reg.PrivilegedIdentityPool().CreateIdentity(context.Background(), &i))
-			s, _ = session.NewActiveSession(req, &i, conf, time.Now(), identity.CredentialsTypePassword, identity.AuthenticatorAssuranceLevel1)
-
-			c := testhelpers.NewClientWithCookies(t)
-			testhelpers.MockHydrateCookieClient(t, c, pts.URL+"/session/set")
-
-			cookies := c.Jar.Cookies(urlx.ParseOrPanic(pts.URL))
-			require.Len(t, cookies, 2, "expect two cookies, one csrf, one session")
-
-			var cookie *http.Cookie
-			for _, c := range cookies {
-				if c.Name == "ory_kratos_session" {
-					cookie = c
-					break
-				}
-			}
-			require.NotNil(t, cookie, "must find the kratos session cookie")
-
-			assert.Equal(t, "ory_kratos_session", cookie.Name)
-
-			req, err := http.NewRequest("GET", pts.URL+"/session/get", nil)
-			require.NoError(t, err)
-			req.Header.Set("Cookie", "ory_kratos_session=not-valid")
-			req.Header.Set("X-Session-Cookie", cookie.Value)
-			res, err := http.DefaultClient.Do(req)
-			require.NoError(t, err)
-			assert.EqualValues(t, http.StatusOK, res.StatusCode)
-		})
-
 		t.Run("case=valid bearer auth as fallback", func(t *testing.T) {
 			req := x.NewTestHTTPRequest(t, "GET", "/sessions/whoami", nil)
 			conf.MustSet(ctx, config.ViperKeySessionLifespan, "1m")