From 4f1e3c879a61a1e0a506824909ec386ba059ee5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miroslav=20=C5=A0ediv=C3=BD?=
Date: Sat, 24 Apr 2021 21:11:07 +0200
Subject: [PATCH] read cookies only if enabled.

---
 internal/session/auth.go | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/internal/session/auth.go b/internal/session/auth.go
index 6e6eaaa1..b12c2637 100644
--- a/internal/session/auth.go
+++ b/internal/session/auth.go
@@ -55,6 +55,14 @@ func (manager *SessionManagerCtx) Authenticate(r *http.Request) (types.Session,
 }

 func (manager *SessionManagerCtx) getToken(r *http.Request) (string, bool) {
+ if manager.CookieEnabled() {
+ // get from Cookie
+ cookie, err := r.Cookie(manager.config.CookieName)
+ if err == nil {
+ return cookie.Value, true
+ }
+ }
+
 // get from Header
 reqToken := r.Header.Get("Authorization")
 splitToken := strings.Split(reqToken, "Bearer ")
@@ -62,12 +70,6 @@ func (manager *SessionManagerCtx) getToken(r *http.Request) (string, bool) {
 return strings.TrimSpace(splitToken[1]), true
 }

- // get from Cookie
- cookie, err := r.Cookie(manager.config.CookieName)
- if err == nil {
- return cookie.Value, true
- }
-
 // get from URL
 token := r.URL.Query().Get("token")
 if token != "" {
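Review bot: Moving the cookie lookup to the top of `getToken` changes token precedence as well as gating it: with cookies enabled, a request that carries both the session cookie and an `Authorization: Bearer` header now authenticates with the cookie value, where the old order preferred the header. The commit subject mentions only the gating, so if the reorder is not intended, keep the lookup at its original position after the header check and wrap it there in `if manager.CookieEnabled() {`; if it is intended, say so in a comment such as `// cookie takes precedence over the Authorization header when cookies are enabled`. The `err == nil` test also accepts a cookie whose value is empty, which in the new order returns `"", true` before a valid header is considered; `if err == nil && cookie.Value != "" {` would let such a request fall through to the header and URL checks. The body of `getToken` continues past this hunk, so the final fallthrough behaviour is not visible here.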