Set XSRF cookie only when authentication succeeds if no error is thrown

2022-03-23 23:52:12 +01:00 · 2022-03-23 23:52:12 +01:00 · c5a3bc1b51
commit c5a3bc1b51
parent b84095ee5a
1 changed files with 6 additions and 9 deletions
--- a/servant-auth/servant-auth-server/src/Servant/Auth/Server/Internal.hs
+++ b/servant-auth/servant-auth-server/src/Servant/Auth/Server/Internal.hs
@ -54,15 +54,12 @@ instance ( n ~ 'S ('S 'Z)

      makeCookies :: AuthResult v -> IO (SetCookieList ('S ('S 'Z)))
      makeCookies authResult = do
-        xsrf <- makeXsrfCookie cookieSettings
-        fmap (Just xsrf `SetCookieCons`) $
-          case authResult of
-            (Authenticated v) -> do
-              ejwt <- makeSessionCookie cookieSettings jwtSettings v
-              case ejwt of
-                Nothing  -> return $ Nothing `SetCookieCons` SetCookieNil
-                Just jwt -> return $ Just jwt `SetCookieCons` SetCookieNil
-            _ -> return $ Nothing `SetCookieCons` SetCookieNil
+        case authResult of
+          (Authenticated v) -> do
+            ejwt <- makeSessionCookie cookieSettings jwtSettings v
+            xsrf <- makeXsrfCookie cookieSettings
+            return $ Just xsrf `SetCookieCons` (ejwt `SetCookieCons` SetCookieNil)
+          _ -> return $ Nothing `SetCookieCons` (Nothing `SetCookieCons` SetCookieNil)

      go :: (AuthResult v -> ServerT api Handler)
         -> (AuthResult v, SetCookieList n)