Closed zlondrej closed 6 months ago
wparad
commented
6 months ago Agreed, although there is no reason that a user would ever need to have a X-CSRF-Token to actually put in here, and even if they did this is almost certainly the wrong way to set it. There is no reason why we would assume that the Auth header value must be either Basic or Bearer. So it makes sense to pull in this change.
Thank you.
wparad
commented
6 months ago Published in version 2.2.710
zlondrej
commented
6 months ago Well, that was way faster than I expected, I didn't even manage to write the changelog. :grimacing:
wparad
commented
6 months ago Well, that was way faster than I expected, I didn't even manage to write the changelog. 😬
Honestly I thought about it, but I don't think anyone has been waiting for this feature. Most people don't expose the token input, so it isn't he highest used feature OR they are using Bearer/Basic input. So I didn't think we needed to take that extra step here.
The use-case I have for this is combination of session cookie and CSRF protection header.
While the cookie is handled automatically by browser, the token can be set manually in the Authentication section. However it can't be set using
setAuthenticationConfigurationmethod, because the conditions only allow certain schemes to be configured.Rather than preventing valid cases, the method should allow configuring any security scheme, even if it doesn't necessarily make sense.