fix: ignore more cloudflare cookies (#3499)

ory · Sep 14, 2023 · f124ab5 · f124ab5
1 parent 159c131
commit f124ab5
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/selfservice/flow/request.go b/selfservice/flow/request.go
@@ -53,9 +53,10 @@ func EnsureCSRF(
 		}
 
 		// Workaround for Cloudflare setting cookies that we can't control.
+		// https://developers.cloudflare.com/fundamentals/reference/policies-compliances/cloudflare-cookies/
 		var cookies []string
 		for _, c := range r.Cookies() {
-			if !strings.HasPrefix(c.Name, "__cf") {
+			if !(strings.HasPrefix(c.Name, "__cf") || strings.HasPrefix(c.Name, "_cf") || strings.HasPrefix(c.Name, "cf_")) {
 				cookies = append(cookies, c.Name)
 			}
 		}

diff --git a/selfservice/flow/request_test.go b/selfservice/flow/request_test.go
@@ -47,7 +47,7 @@ func TestVerifyRequest(t *testing.T) {
 
 	// Cloudflare
 	require.NoError(t, flow.EnsureCSRF(reg, &http.Request{
-		Header: http.Header{"Cookie": {"__cflb=0pg1RtZzPoPDprTf8gX3TJm8XF5hKZ4pZV74UCe7"}},
+		Header: http.Header{"Cookie": {"__cflb=0pg1RtZzPoPDprTf8gX3TJm8XF5hKZ4pZV74UCe7", "_cfuvid=blub", "cf_clearance=bla"}},
 	}, flow.TypeAPI, false, x.FakeCSRFTokenGenerator, ""), "should ignore Cloudflare cookies")
 	require.NoError(t, flow.EnsureCSRF(reg, &http.Request{
 		Header: http.Header{"Cookie": {"__cflb=0pg1RtZzPoPDprTf8gX3TJm8XF5hKZ4pZV74UCe7; __cfruid=0pg1RtZzPoPDprTf8gX3TJm8XF5hKZ4pZV74UCe7"}},