Update Proxy support for django 4.2 (#6453)

* Update settings.py to support more django settings

- Now required by 4.2
- Prevents running behind proxy
- CSRF_TRUSTED_ORIGINS
- USE_X_FORWARDED_HOST
- USE_X_FORWARDED_PORT
- Update config template file also.

* Update settings / docs

* Update settings.py

Remove dirt

InvenTree/InvenTree/settings.py

@@ -121,6 +121,7 @@ STATIC_ROOT = config.get_static_dir()
 MEDIA_ROOT = config.get_media_dir()
 
 # List of allowed hosts (default = allow all)
+# Ref: https://docs.djangoproject.com/en/4.2/ref/settings/#allowed-hosts
 ALLOWED_HOSTS = get_setting(
     'INVENTREE_ALLOWED_HOSTS',
     config_key='allowed_hosts',
@@ -128,14 +129,41 @@ ALLOWED_HOSTS = get_setting(
     typecast=list,
 )
 
+# List of trusted origins for unsafe requests
+# Ref: https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins
+CSRF_TRUSTED_ORIGINS = get_setting(
+    'INVENTREE_TRUSTED_ORIGINS',
+    config_key='trusted_origins',
+    default_value=[],
+    typecast=list,
+)
+
+USE_X_FORWARDED_HOST = get_boolean_setting(
+    'INVENTREE_USE_X_FORWARDED_HOST',
+    config_key='use_x_forwarded_host',
+    default_value=False,
+)
+
+USE_X_FORWARDED_PORT = get_boolean_setting(
+    'INVENTREE_USE_X_FORWARDED_PORT',
+    config_key='use_x_forwarded_port',
+    default_value=False,
+)
+
 # Cross Origin Resource Sharing (CORS) options
+# Refer to the django-cors-headers documentation for more information
+# Ref: https://github.com/adamchainz/django-cors-headers
 
 # Extract CORS options from configuration file
 CORS_ALLOW_ALL_ORIGINS = get_boolean_setting(
     'INVENTREE_CORS_ORIGIN_ALLOW_ALL', config_key='cors.allow_all', default_value=DEBUG
 )
 
-CORS_ALLOW_CREDENTIALS = True
+CORS_ALLOW_CREDENTIALS = get_boolean_setting(
+    'INVENTREE_CORS_ALLOW_CREDENTIALS',
+    config_key='cors.allow_credentials',
+    default_value=True,
+)
 
 # Only allow CORS access to API and media endpoints
 CORS_URLS_REGEX = r'^/(api|media|static)/.*$'

InvenTree/config_template.yaml

@@ -171,13 +171,26 @@ auto_update: False
 allowed_hosts:
   - '*'
 
-# Cross Origin Resource Sharing (CORS) settings (see https://github.com/ottoyiu/django-cors-headers)
-# Following parameters are
-cors:
-  # CORS_ORIGIN_ALLOW_ALL - If True, the whitelist will not be used and all origins will be accepted.
-  allow_all: True
+# Trusted origins (see CSRF_TRUSTED_ORIGINS in Django settings documentation)
+# If you are running behind a proxy, you may need to add the proxy address here
+trusted_origins:
+  - 'http://localhost:8000'
+
+
+# Proxy forwarding settings
+# If InvenTree is running behind a proxy, you may need to configure these settings
+
+# Override with the environment variable INVENTREE_USE_X_FORWARDED_HOST
+use_x_forwarded_host: false
+
+# Override with the environment variable INVENTREE_USE_X_FORWARDED_PORT
+use_x_forwarded_port: false
+
+# Cross Origin Resource Sharing (CORS) settings (see https://github.com/adamchainz/django-cors-headers)
+cors:
+  allow_all: True
+  allow_credentials: True,
 
-  # CORS_ORIGIN_WHITELIST - A list of origins that are authorized to make cross-site HTTP requests. Defaults to []
   # whitelist:
   # - https://example.com
   # - https://sub.example.com