fix inconsistent cookies, set csrf cookie path
while working on the /set-language route, i noticed that i was getting a
csrf error for all /admin views when setting the language, while it
worked well on non-admin routes.

the issue, it turned out, was that we needed to configure gorilla's csrf
feature to set all cookies on the same route. when unconfigured, the
set cookies will only be set for the path they are being set at.

see more in the gorilla.csrf documentation (in particular the csrf.Path
option): https://pkg.go.dev/github.com/gorilla/csrf?utm_source=godoc#Path
cblgh committed Apr 19, 2021
1 parent 2e532c2 commit bbd77b4
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions web/handlers/http.go
Expand Up @@ -216,6 +216,7 @@ func New(
}

CSRF := csrf.Protect(csrfKey,
csrf.Path("/"),
csrf.ErrorHandler(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
err := csrf.FailureReason(req)
// TODO: localize error?
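
Review bot: the added `csrf.Path("/")` line has no comment saying why it is there. The reason (a token cookie set while on an /admin view not matching when the form posts to /set-language) lives only in the commit message, so a one-line comment above the option would keep it from being removed later as redundant. It is also worth checking how a browser that still holds a CSRF cookie scoped to an /admin path from before this change behaves, since that narrower cookie keeps being sent on /admin requests alongside the new root-scoped one until it expires.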