httpd: validate reference also for CSRF token in headers

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
Nicola Murino
2024-09-14 21:45:25 +02:00
parent 14cabda5c2
commit 6896d2bfb1
4 changed files with 23 additions and 2 deletions


@@ -468,6 +468,10 @@ func verifyCSRFToken(r *http.Request, csrfTokenAuth *jwtauth.JWTAuth) error {
logger.Debug(logSender, "", "error validating CSRF token IP audience")
return errors.New("the form token is not valid")
}
return checkCSRFTokenRef(r, token)
}
func checkCSRFTokenRef(r *http.Request, token jwt.Token) error {
claims, err := getTokenClaims(r)
if err != nil {
logger.Debug(logSender, "", "error getting token claims for CSRF validation: %v", err)
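Review bot: `checkCSRFTokenRef` is introduced without a doc comment, and because `verifyCSRFToken` now ends with `return checkCSRFTokenRef(r, token)`, a reader of the shorter function can no longer see what the final check binds the CSRF token to. A comment above the declaration such as `// checkCSRFTokenRef returns an error unless the reference carried by the CSRF token matches the claims of the token that authenticates r.` would state the contract. That wording is inferred from the commit title and the `getTokenClaims(r)` call, and should be confirmed against the body, which continues outside the hunk. If the helper is meant to be called on its own for header-supplied tokens, the comment should also say whether it assumes the signature and IP-audience checks in `verifyCSRFToken` have already run, so the reference check is not mistaken for full validation.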