From b2f052a1ca06affcfe38cdc8322bdc6155b5d0fc Mon Sep 17 00:00:00 2001
From: Xe Iaso
Date: Tue, 15 Jul 2025 00:27:53 +0000
Subject: [PATCH] fix(web): don't block a user if they have an invalid challenge cookie

Signed-off-by: Xe Iaso
---
 lib/http.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/http.go b/lib/http.go
index 0c042c61..d1e82339 100644
--- a/lib/http.go
+++ b/lib/http.go
@@ -131,6 +131,7 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, rule *polic
 chall, err := s.challengeFor(r)
 if err != nil {
 lg.Error("can't get challenge", "err", "err")
+ s.ClearCookie(w, CookieOpts{Name: anubis.TestCookieName, Host: r.Host})
 s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), rule.Challenge.Algorithm))
 return
 }
@@ -155,6 +156,7 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, rule *polic
 impl, ok := challenge.Get(rule.Challenge.Algorithm)
 if !ok {
 lg.Error("check failed", "err", "can't get algorithm", "algorithm", rule.Challenge.Algorithm)
+ s.ClearCookie(w, CookieOpts{Name: anubis.TestCookieName, Host: r.Host})
 s.respondWithError(w, r, fmt.Sprintf("%s: %s", localizer.T("internal_server_error"), rule.Challenge.Algorithm))
 return
 }
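Review bot: The context line directly above the added `ClearCookie` call logs the string literal `"err"` rather than the error value, so the log never records why `challengeFor` failed. Now that this path also discards the cookie, that log entry is the only trace left of a malformed or tampered challenge cookie, and it should read `lg.Error("can't get challenge", "err", err)`. The cookie is also cleared for every `challengeFor` error, not only an invalid cookie; if that function can fail for store or backend reasons (not visible here), a comment such as `// reset the test cookie on any lookup failure so the client restarts the challenge flow` would make the intent explicit. `RenderIndex` begins and ends outside this hunk.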
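Review bot: In the `!ok` branch the failing lookup is `challenge.Get(rule.Challenge.Algorithm)`, which is keyed on a policy value and not on anything read from the cookie, so clearing `anubis.TestCookieName` here cannot make the client's next request succeed. As written it reads as a copy of the first hunk's fix, and it discards challenge state on what looks like a server-side configuration error. Either drop the call in this branch or state the reason next to it, for example `// algorithm lookup failed for this rule; clear the test cookie so the client starts a fresh challenge once the policy is corrected`. If both branches are meant to keep the same clear-then-respond sequence, a small private helper on `Server` would keep the two from drifting apart; the rest of `RenderIndex` is outside the hunk.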