From 80030dee32d161043766d57ba4e0ad0b0d99290b Mon Sep 17 00:00:00 2001
From: Oleg Lobanov <oleg@lobanov.me>
Date: Tue, 19 Jul 2022 00:39:02 +0200
Subject: [PATCH] fix: disable cookie auth for non GET requests

---
 http/auth.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/http/auth.go b/http/auth.go
index 7f094f02..7391cd6a 100644
--- a/http/auth.go
+++ b/http/auth.go
@@ -53,9 +53,11 @@ func (e extractor) ExtractToken(r *http.Request) (string, error) {
 		return auth, nil
 	}
 
-	cookie, _ := r.Cookie("auth")
-	if cookie != nil && strings.Count(cookie.Value, ".") == 2 {
-		return cookie.Value, nil
+	if r.Method == http.MethodGet {
+		cookie, _ := r.Cookie("auth")
+		if cookie != nil && strings.Count(cookie.Value, ".") == 2 {
+			return cookie.Value, nil
+		}
 	}
 
 	return "", request.ErrNoTokenInRequest