From f91c47bb37c24875f6378b35b6df7d083c3ce45e Mon Sep 17 00:00:00 2001
From: James
Date: Fri, 21 Aug 2020 15:44:03 -0400
Subject: [PATCH] fixes bug introduced with csrf

---
 demo/payload.config.js | 2 +-
 src/auth/getExtractJWT.js | 7 +++----
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/demo/payload.config.js b/demo/payload.config.js
index 4f7466c3ca..c369e85223 100644
--- a/demo/payload.config.js
+++ b/demo/payload.config.js
@@ -74,7 +74,7 @@ module.exports = {
   ],
   cookiePrefix: 'payload',
   serverURL: 'http://localhost:3000',
-  cors: ['http://localhost', 'http://localhost:8080', 'http://localhost:8081'],
+  cors: ['http://localhost', 'http://localhost:3000', 'http://localhost:8080', 'http://localhost:8081'],
   routes: {
     api: '/api',
     admin: '/admin',
diff --git a/src/auth/getExtractJWT.js b/src/auth/getExtractJWT.js
index 7297cdbe79..42be46b90b 100644
--- a/src/auth/getExtractJWT.js
+++ b/src/auth/getExtractJWT.js
@@ -2,6 +2,7 @@ const parseCookies = require('../utilities/parseCookies');
 
 const getExtractJWT = (config) => (req) => {
   const jwtFromHeader = req.get('Authorization');
+  const origin = req.get('Origin');
 
   if (jwtFromHeader && jwtFromHeader.indexOf('JWT ') === 0) {
     return jwtFromHeader.replace('JWT ', '');
@@ -10,10 +11,8 @@ const getExtractJWT = (config) => (req) => {
   const cookies = parseCookies(req);
   const tokenCookieName = `${config.cookiePrefix}-token`;
 
-  if (cookies && cookies[tokenCookieName] && Array.isArray(config.csrf)) {
-    const { headers: { origin } = {} } = req;
-
-    if (config.csrf.indexOf(origin) > -1) {
+  if (cookies && cookies[tokenCookieName]) {
+    if (!origin || (config.csrf && config.csrf.indexOf(origin) > -1)) {
       const token = cookies[tokenCookieName];
       return token;
     }
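Review bot: The new condition in the second getExtractJWT hunk accepts the cookie token whenever the Origin header is absent, so the `config.csrf` allow-list is only consulted when the client chooses to send Origin; requests without one (same-origin navigations, browsers that omit it, any non-browser client) skip the check entirely, which treats a missing header as proof of same-origin when it is not. That restores the same-origin GETs the old code presumably rejected, but the usual defensive shape is to allow the no-Origin case only for safe methods and require an allow-listed Origin (or a Referer fallback) on state-changing ones, e.g. `const safeMethod = ['GET', 'HEAD', 'OPTIONS'].includes(req.method);` followed by `if ((!origin && safeMethod) || (Array.isArray(config.csrf) && config.csrf.includes(origin))) {`. Dropping the `Array.isArray(config.csrf)` guard is a second, smaller regression: if `config.csrf` is ever configured as a string, `config.csrf.indexOf(origin)` becomes a substring test rather than an allow-list lookup, so a value of `'http://localhost:3000'` would also accept an Origin of `'localhost'`; the `Array.isArray`/`includes` form above keeps the type check. The `origin` variable is introduced in the first hunk of this file, and the enclosing arrow function continues past the end of this hunk, so whatever it returns when neither branch matches is not visible here.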