fix: panic when no cookie is sent

ory · Jan 8, 2022 · 26e50f5 · 26e50f5
1 parent 4d5f0ef
commit 26e50f5
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/handler.go b/handler.go
@@ -217,7 +217,7 @@ func (h *CSRFHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	// Finally, we check the token itself.
 	sentToken := extractToken(r)
 
-	if !verifyToken(realTokens[0], sentToken) {
+	if len(realTokens) != 1 || !verifyToken(realTokens[0], sentToken) {
 		ctxSetReason(r, ErrBadToken)
 		h.handleFailure(w, r)
 		return