From 9c4de6143490b994d353420fd545f90d1d6c747e Mon Sep 17 00:00:00 2001
From: Unai Arrien
Date: Wed, 11 Dec 2024 11:48:43 +0100
Subject: [PATCH] [PLT-1263] Add a cookie-csrf-per-request-limit attribute
---
 pkg/cookies/csrf.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkg/cookies/csrf.go b/pkg/cookies/csrf.go
index 1e3f913e80..6f31bc5938 100644
--- a/pkg/cookies/csrf.go
+++ b/pkg/cookies/csrf.go
@@ -48,6 +48,7 @@ type csrf struct {
 cookieOpts *options.Cookie
 time clock.Clock
+ creationTime time.Time
 }
 // csrtStateTrim will indicate the length of the state trimmed for the name of the csrf cookie
@@ -70,6 +71,7 @@ func NewCSRF(opts *options.Cookie, codeVerifier string) (CSRF, error) {
 CodeVerifier: codeVerifier,
 cookieOpts: opts,
+ creationTime: time.Now(),
 }, nil
 }
@@ -176,7 +178,7 @@ func ClearExtraCsrfCookies(opts *options.Cookie, rw http.ResponseWriter, req *ht
 }
 sort.Slice(decodedCookies, func(i, j int) bool {
- return decodedCookies[i].time.Before(decodedCookies[j].time)
+ return decodedCookies[i].creationTime.Before(decodedCookies[j].creationTime)
 })
 numberToDelete := len(decodedCookies) - opts.CSRFPerRequestLimit
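Review bot: `creationTime` is added to `csrf` as an unexported field and the only assignment in this patch is in `NewCSRF`, so a value rebuilt from a request cookie carries it only if the decode path restores it, which is not visible here. If it does not, every entry of `decodedCookies` in the third hunk holds the zero `time.Time`, `Before` is false for every pair, and `ClearExtraCsrfCookies` deletes an arbitrary set instead of the oldest, which can discard the state of a login that is still in flight. Either persist the timestamp in the cookie alongside the fields that are already serialized, or sort on a timestamp the decoder is known to recover, and document the field with `// creationTime is when this CSRF cookie was issued; the oldest cookies are evicted first.` The struct definition starts above this hunk.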
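Review bot: `creationTime: time.Now()` in `NewCSRF` reads the wall clock directly although the struct carries a `time clock.Clock` field (first hunk), so a test that drives that clock cannot control the value later used for eviction ordering. Assuming `clock.Clock` exposes `Now()`, build the value first and set `c.creationTime = c.time.Now()` before returning it. The function body starts above this hunk.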