fix: ignore cookie auth when no cookies set

ory · Feb 25, 2021 · c84d880 · c84d880
1 parent ef9153e
commit c84d880
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/pipeline/authn/authenticator_cookie_session.go b/pipeline/authn/authenticator_cookie_session.go
@@ -112,14 +112,16 @@ func (a *AuthenticatorCookieSession) Authenticate(r *http.Request, session *Auth
 }
 
 func cookieSessionResponsible(r *http.Request, only []string) bool {
-	if len(only) == 0 {
+	if len(only) == 0 && len(r.Cookies()) > 0 {
 		return true
 	}
+
 	for _, cookieName := range only {
 		if _, err := r.Cookie(cookieName); err == nil {
 			return true
 		}
 	}
+
 	return false
 }
 

diff --git a/pipeline/authn/authenticator_cookie_session_test.go b/pipeline/authn/authenticator_cookie_session_test.go
@@ -116,6 +116,18 @@ func TestAuthenticatorCookieSession(t *testing.T) {
 			assert.Empty(t, requestRecorder.requests)
 		})
 
+		t.Run("description=should fallthrough if is missing and it has no cookies", func(t *testing.T) {
+			testServer, requestRecorder := makeServer(200, `{}`)
+			err := pipelineAuthenticator.Authenticate(
+				makeRequest("GET", "/", map[string]string{}, ""),
+				session,
+				json.RawMessage(fmt.Sprintf(`{"check_session_url": "%s"}`, testServer.URL)),
+				nil,
+			)
+			assert.Equal(t, errors.Cause(err), ErrAuthenticatorNotResponsible)
+			assert.Empty(t, requestRecorder.requests)
+		})
+
 		t.Run("description=should not fallthrough if only is specified and cookie specified is set", func(t *testing.T) {
 			testServer, _ := makeServer(200, `{}`)
 			err := pipelineAuthenticator.Authenticate(