ory · hperl · Dec 5, 2023 · Nov 26, 2023 · Nov 29, 2023 · Dec 1, 2023
@@ -251,3 +251,13 @@ func (ct *TransportWithHeader) RoundTrip(req *http.Request) (*http.Response, err
 	}
 	return ct.RoundTripper.RoundTrip(req)
 }
+
+func AssertNoCSRFCookieInResponse(t *testing.T, _ *httptest.Server, _ *http.Client, r *http.Response) {
+	found := false
+	for _, c := range r.Cookies() {
+		if strings.HasPrefix(c.Name, "csrf_token") {
+			found = true
+		}
+	}
+	require.False(t, found)
+}
@@ -210,9 +210,9 @@ func (s *Strategy) setRoutes(r *x.RouterPublic) {
 	// Apple can use the POST request method when calling the callback
 	if handle, _, _ := r.Lookup("POST", RouteCallback); handle == nil {
 		// Hardcoded path to Apple provider, I don't have a better way of doing it right now.
-		// Also this exempt disables CSRF checks for both GET and POST requests. Unfortunately
+		// Also this ignore disables CSRF checks for both GET and POST requests. Unfortunately
 		// CSRF handler does not allow to define a rule based on the request method, at least not yet.
-		s.d.CSRFHandler().ExemptPath(RouteBase + "/callback/apple")
+		s.d.CSRFHandler().IgnorePath(RouteBase + "/callback/apple")
 
 		// When handler is called using POST method, the cookies are not attached to the request
 		// by the browser. So here we just redirect the request to the same location rewriting the

@@ -1417,14 +1417,13 @@ func TestPostEndpointRedirect(t *testing.T) {
 
 	remoteAdmin, remotePublic, _ := newHydra(t, &subject, &claims, &scope)
 
-	publicTS, adminTS := testhelpers.NewKratosServers(t)
+	publicTS, _, _, _ := testhelpers.NewKratosServerWithCSRFAndRouters(t, reg)
 
 	viperSetProviderConfig(
 		t,
 		conf,
 		newOIDCProvider(t, publicTS, remotePublic, remoteAdmin, "apple"),
 	)
-	testhelpers.InitKratosServers(t, reg, publicTS, adminTS)
 
 	t.Run("case=should redirect to GET and preserve parameters"+publicTS.URL, func(t *testing.T) {
 		// create a client that does not follow redirects
@@ -1441,5 +1440,8 @@ func TestPostEndpointRedirect(t *testing.T) {
 		location, err := res.Location()
 		require.NoError(t, err)
 		assert.Equal(t, publicTS.URL+"/self-service/methods/oidc/callback/apple?state=foo&test=3", location.String())
+
+		// We don't want to add/override CSRF cookie when redirecting
+		testhelpers.AssertNoCSRFCookieInResponse(t, publicTS, c, res)
 	})
 }
@@ -51,16 +51,6 @@ func send(code int) httprouter.Handle {
 	}
 }
 
-func assertNoCSRFCookieInResponse(t *testing.T, _ *httptest.Server, _ *http.Client, r *http.Response) {
-	found := false
-	for _, c := range r.Cookies() {
-		if strings.HasPrefix(c.Name, "csrf_token") {
-			found = true
-		}
-	}
-	require.False(t, found)
-}
-
 func TestSessionWhoAmI(t *testing.T) {
 	conf, reg := internal.NewFastRegistryWithMocks(t)
 	ts, _, r, _ := testhelpers.NewKratosServerWithCSRFAndRouters(t, reg)
@@ -156,7 +146,7 @@ func TestSessionWhoAmI(t *testing.T) {
 			// No cookie yet -> 401
 			res, err := client.Get(ts.URL + RouteWhoami)
 			require.NoError(t, err)
-			assertNoCSRFCookieInResponse(t, ts, client, res) // Test that no CSRF cookie is ever set here.
+			testhelpers.AssertNoCSRFCookieInResponse(t, ts, client, res) // Test that no CSRF cookie is ever set here.
 
 			if cacheEnabled {
 				assert.NotEmpty(t, res.Header.Get("Ory-Session-Cache-For"))
@@ -183,7 +173,7 @@ func TestSessionWhoAmI(t *testing.T) {
 					require.NoError(t, err)
 					body, err := io.ReadAll(res.Body)
 					require.NoError(t, err)
-					assertNoCSRFCookieInResponse(t, ts, client, res) // Test that no CSRF cookie is ever set here.
+					testhelpers.AssertNoCSRFCookieInResponse(t, ts, client, res) // Test that no CSRF cookie is ever set here.
 
 					assert.EqualValues(t, http.StatusOK, res.StatusCode)
 					assert.NotEmpty(t, res.Header.Get("X-Kratos-Authenticated-Identity-Id"))