Description
Describe the bug
Calling `setCookieCustomizer(...)` on a repository created with `CookieServerCsrfTokenRepository.withHttpOnlyFalse()` resets the HttpOnly flag: the XSRF-TOKEN cookie is then served with `HttpOnly` set again, even though the factory method was explicitly chosen to disable it.
To Reproduce
Create a repository with `CookieServerCsrfTokenRepository.withHttpOnlyFalse()`, then call `setCookieCustomizer(...)` on it (any customizer, e.g. one that only sets the path). See the unit test below.
Expected behavior
The XSRF-TOKEN cookie is served without the HttpOnly attribute, i.e. `cookie.isHttpOnly()` returns `false`: the customizer should only add to the cookie configuration, not undo `withHttpOnlyFalse()`.
Sample
The following unit test fails but should succeed:
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertNotNull;

import org.junit.jupiter.api.Test;
import org.springframework.http.ResponseCookie;
import org.springframework.mock.http.server.reactive.MockServerHttpRequest;
import org.springframework.mock.web.server.MockServerWebExchange;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;
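/**
 * Regression test: a {@code CookieServerCsrfTokenRepository} created with
 * {@link CookieServerCsrfTokenRepository#withHttpOnlyFalse()} must keep serving the
 * XSRF-TOKEN cookie without the HttpOnly attribute after a cookie customizer is set.
 *
 * <p>{@code withHttpOnlyFalse()} exists so that client-side script can read the token
 * (double-submit cookie pattern). If installing a customizer silently re-enables HttpOnly,
 * the front end can no longer read the cookie and CSRF-protected requests start failing.
 */
class CookieTest {

    private static final String CSRF_COOKIE_NAME = "XSRF-TOKEN";
    private static final String CUSTOM_PATH = "/";

    /**
     * Sets a customizer that only changes the path, then saves a freshly generated token
     * and inspects the cookie written to the response.
     *
     * <p>Asserts both that the customizer was actually applied (path) and that the HttpOnly
     * flag was not reset — without the path assertion the test would also pass against a
     * repository that ignored the customizer entirely.
     */
    @Test
    void cookieIsHttpFalse() {
        CookieServerCsrfTokenRepository repository = CookieServerCsrfTokenRepository.withHttpOnlyFalse();
        // The customizer deliberately touches nothing but the path; HttpOnly must be left as configured.
        repository.setCookieCustomizer(cookieBuilder -> cookieBuilder.path(CUSTOM_PATH));

        MockServerHttpRequest.BaseBuilder<?> request = MockServerHttpRequest.get("/dummy");
        MockServerWebExchange exchange = MockServerWebExchange.from(request);

        // generateToken/saveToken return Mono; block() is acceptable in a unit test.
        CsrfToken csrfToken = repository.generateToken(exchange).block();
        repository.saveToken(exchange, csrfToken).block();

        ResponseCookie cookie = exchange.getResponse().getCookies().getFirst(CSRF_COOKIE_NAME);
        assertNotNull(cookie, "CSRF cookie was not written to the response");
        // Proves the customizer ran, so the HttpOnly assertion below is exercising the interaction under test.
        assertEquals(CUSTOM_PATH, cookie.getPath());
        assertFalse(cookie.isHttpOnly(), "withHttpOnlyFalse() must survive setCookieCustomizer()");
    }
}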