properly ignoring anti-csrf in optional session validation

Author: nkshah2

recipe/session/sessionRequestFunctions.go

@@ -179,8 +179,12 @@ func GetSessionFromRequest(req *http.Request, res http.ResponseWriter, config se
 		doAntiCsrfCheck = &doAntiCsrfCheckBool
 	}
 
+	False := false
 	if requestTokenTransferMethod != nil && *requestTokenTransferMethod == sessmodels.HeaderTransferMethod {
-		False := false
+		doAntiCsrfCheck = &False
+	}
+
+	if accessToken == nil {
 		doAntiCsrfCheck = &False
 	}
 

recipe/session/verifySession_test.go

@@ -968,7 +968,7 @@ func TestThatAntiCSRFCheckIsSkippedIfSessionRequiredIsFalseAndNoAccessTokenIsPas
 	res, err := http.DefaultClient.Do(req)
 	assert.Equal(t, res.StatusCode, 401)
 
-	req, err = http.NewRequest(http.MethodGet, app.URL+"/verify-optional", nil)
+	req, err = http.NewRequest(http.MethodPost, app.URL+"/verify-optional", nil)
 	assert.NoError(t, err)
 
 	res, err = http.DefaultClient.Do(req)