From c84d8808805f124bd31c6d8717f36539652fb4e8 Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Thu, 25 Feb 2021 15:43:51 +0100
Subject: [PATCH] fix: ignore cookie auth when no cookies set
---
 pipeline/authn/authenticator_cookie_session.go | 4 +++-
 pipeline/authn/authenticator_cookie_session_test.go | 12 ++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/pipeline/authn/authenticator_cookie_session.go b/pipeline/authn/authenticator_cookie_session.go
index 00504bec8c..cab076fa92 100644
--- a/pipeline/authn/authenticator_cookie_session.go
+++ b/pipeline/authn/authenticator_cookie_session.go
@@ -112,14 +112,16 @@ func (a *AuthenticatorCookieSession) Authenticate(r *http.Request, session *Auth
 }
 func cookieSessionResponsible(r *http.Request, only []string) bool {
- if len(only) == 0 {
+ if len(only) == 0 && len(r.Cookies()) > 0 {
 return true
 }
+
 for _, cookieName := range only {
 if _, err := r.Cookie(cookieName); err == nil {
 return true
 }
 }
+
 return false
 }
diff --git a/pipeline/authn/authenticator_cookie_session_test.go b/pipeline/authn/authenticator_cookie_session_test.go
index 6b955dc00d..cd3d5dd7aa 100644
--- a/pipeline/authn/authenticator_cookie_session_test.go
+++ b/pipeline/authn/authenticator_cookie_session_test.go
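Review bot: In `cookieSessionResponsible` (authenticator_cookie_session.go), the new `len(r.Cookies()) > 0` condition ties responsibility to the presence of any cookie at all, not a session cookie, whenever `only` is empty, and nothing on the function documents that. A request carrying only an unrelated cookie is still claimed by this authenticator, while a cookie-less one now returns false and, judging by the accompanying test, surfaces as `ErrAuthenticatorNotResponsible`. If the pipeline then hands the request to a later, more permissive authenticator, the two requests end up with different outcomes for the same rule. A doc comment would make that explicit and point operators at setting `only` to the session cookie name, for example `// With no names in only, any cookie makes this authenticator responsible; a request without cookies is left to the next authenticator.`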
@@ -116,6 +116,18 @@ func TestAuthenticatorCookieSession(t *testing.T) {
 assert.Empty(t, requestRecorder.requests)
 })
+ t.Run("description=should fallthrough if is missing and it has no cookies", func(t *testing.T) {
+ testServer, requestRecorder := makeServer(200, `{}`)
+ err := pipelineAuthenticator.Authenticate(
+ makeRequest("GET", "/", map[string]string{}, ""),
+ session,
+ json.RawMessage(fmt.Sprintf(`{"check_session_url": "%s"}`, testServer.URL)),
+ nil,
+ )
+ assert.Equal(t, errors.Cause(err), ErrAuthenticatorNotResponsible)
+ assert.Empty(t, requestRecorder.requests)
+ })
+
 t.Run("description=should not fallthrough if only is specified and cookie specified is set", func(t *testing.T) {
 testServer, _ := makeServer(200, `{}`)
 err := pipelineAuthenticator.Authenticate(
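Review bot: The added assertion passes its arguments in the reverse of testify's `assert.Equal(t, expected, actual)` order, so a failure would label the two values backwards; `assert.Equal(t, ErrAuthenticatorNotResponsible, errors.Cause(err))` reads correctly. The subtest name also drops its subject: `if is missing` presumably means `if only is missing`, matching the wording of the neighbouring case. The subtest covers only a request with no cookies at all; a companion case with an unrelated cookie and no `only` would pin the other side of the changed condition, unless one already exists outside this hunk. `TestAuthenticatorCookieSession` begins and ends outside the hunk.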