Merge pull request #306 from supertokens/refactor/additional-tests-and-changes

fix: properly ignoring anti-csrf in optional session validation

Author: rishabhpoddar

CHANGELOG.md

@@ -7,8 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [0.12.8] - 2023-07-10
+
 - Adds additional tests for session verification
 
+### Fixes
+
+- Now properly ignoring missing anti-csrf tokens in optional session validation
+
 ## [0.12.7] - 2023-06-05
 
 ### Fixes

recipe/session/sessionRequestFunctions.go

@@ -179,8 +179,12 @@ func GetSessionFromRequest(req *http.Request, res http.ResponseWriter, config se
 		doAntiCsrfCheck = &doAntiCsrfCheckBool
 	}
 
+	False := false
 	if requestTokenTransferMethod != nil && *requestTokenTransferMethod == sessmodels.HeaderTransferMethod {
-		False := false
+		doAntiCsrfCheck = &False
+	}
+
+	if accessToken == nil {
 		doAntiCsrfCheck = &False
 	}
 

recipe/session/verifySession_test.go

@@ -968,7 +968,7 @@ func TestThatAntiCSRFCheckIsSkippedIfSessionRequiredIsFalseAndNoAccessTokenIsPas
 	res, err := http.DefaultClient.Do(req)
 	assert.Equal(t, res.StatusCode, 401)
 
-	req, err = http.NewRequest(http.MethodGet, app.URL+"/verify-optional", nil)
+	req, err = http.NewRequest(http.MethodPost, app.URL+"/verify-optional", nil)
 	assert.NoError(t, err)
 
 	res, err = http.DefaultClient.Do(req)

supertokens/constants.go

@@ -21,7 +21,7 @@ const (
 )
 
 // VERSION current version of the lib
-const VERSION = "0.12.7"
+const VERSION = "0.12.8"
 
 var (
 	cdiSupported = []string{"2.21"}