Closed jwag956 closed 5 months ago
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 98.41%. Comparing base (362ec76) to head (098e964).
We used to set the CSRF_COOKIE (if configured) at the end of a successful authentication. For 2-factor that meant that /tf-validate needed to have the CSRF-HEADER set manually (as well as /login). There seems no reason not to set the CSRF-COOKIE on GET /login - just as we return the csrf_token - so that all endpoints can use the cookie if wanted (which is what many js frameworks do).
There appeared to be no CSRF tests for logging in with unified sign in - now there is one.
closes #965
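
A simplified model of the flow described in this PR, added here as an illustration and not the project's own code: it compares a client that copies the CSRF cookie into a header automatically against one that sets the header by hand from `csrf_token`. The cookie name, header name, `ToyApp` and both client functions are assumptions made for the example, and the single per-app token stands in for a session-bound one.

```python
import hmac
import secrets

COOKIE = "XSRF-TOKEN"    # assumed cookie name (configurable in practice)
HEADER = "X-XSRF-TOKEN"  # assumed header name (configurable in practice)


class ToyApp:
    """Toy double-submit CSRF check for GET /login, POST /login, POST /tf-validate."""

    def __init__(self, cookie_on_get_login):
        self.cookie_on_get_login = cookie_on_get_login
        self.token = secrets.token_urlsafe(16)

    def handle(self, method, path, headers=None):
        """Return (status, cookies_set, json_body)."""
        headers = headers or {}
        if method == "GET" and path == "/login":
            # New behaviour: the cookie accompanies the csrf_token on GET /login.
            cookies = {COOKIE: self.token} if self.cookie_on_get_login else {}
            return 200, cookies, {"csrf_token": self.token}
        # Every state-changing request must echo the token in the header.
        sent = headers.get(HEADER, "")
        if not hmac.compare_digest(sent, self.token):
            return 400, {}, {"error": "CSRF token missing or invalid"}
        if path == "/login":
            return 200, {}, {"tf_required": True}
        if path == "/tf-validate":
            # Old behaviour only set the cookie here, after authentication.
            return 200, {COOKIE: self.token}, {}
        return 404, {}, {}


def cookie_client_flow(app):
    """Client that only ever copies the CSRF cookie into the header."""
    jar, statuses = {}, []
    for method, path in (("GET", "/login"), ("POST", "/login"), ("POST", "/tf-validate")):
        headers = {HEADER: jar[COOKIE]} if COOKIE in jar else {}
        status, cookies, _ = app.handle(method, path, headers)
        jar.update(cookies)
        statuses.append(status)
    return statuses


def manual_client_flow(app):
    """Client that reads csrf_token from the GET body and sets the header itself."""
    status, _, body = app.handle("GET", "/login")
    headers = {HEADER: body["csrf_token"]}
    return [status] + [app.handle("POST", p, headers)[0] for p in ("/login", "/tf-validate")]
```
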