Update Proxy support for django 4.2 (#6453)

* Update settings.py to support more django settings

- Now required by 4.2
- Prevents running behind proxy
- CSRF_TRUSTED_ORIGINS
- USE_X_FORWARDED_HOST
- USE_X_FORWARDED_PORT
- Update config template file also.

* Update settings / docs

* Update settings.py

Remove dirt

InvenTree/InvenTree/settings.py

@@ -121,6 +121,7 @@ STATIC_ROOT = config.get_static_dir()
 MEDIA_ROOT = config.get_media_dir()
 
 # List of allowed hosts (default = allow all)
+# Ref: https://docs.djangoproject.com/en/4.2/ref/settings/#allowed-hosts
 ALLOWED_HOSTS = get_setting(
     'INVENTREE_ALLOWED_HOSTS',
     config_key='allowed_hosts',
@@ -128,14 +129,41 @@ ALLOWED_HOSTS = get_setting(
     typecast=list,
 )
 
+# List of trusted origins for unsafe requests
+# Ref: https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins
+CSRF_TRUSTED_ORIGINS = get_setting(
+    'INVENTREE_TRUSTED_ORIGINS',
+    config_key='trusted_origins',
+    default_value=[],
+    typecast=list,
+)
+
+USE_X_FORWARDED_HOST = get_boolean_setting(
+    'INVENTREE_USE_X_FORWARDED_HOST',
+    config_key='use_x_forwarded_host',
+    default_value=False,
+)
+
+USE_X_FORWARDED_PORT = get_boolean_setting(
+    'INVENTREE_USE_X_FORWARDED_PORT',
+    config_key='use_x_forwarded_port',
+    default_value=False,
+)
+
 # Cross Origin Resource Sharing (CORS) options
+# Refer to the django-cors-headers documentation for more information
+# Ref: https://github.com/adamchainz/django-cors-headers
 
 # Extract CORS options from configuration file
 CORS_ALLOW_ALL_ORIGINS = get_boolean_setting(
     'INVENTREE_CORS_ORIGIN_ALLOW_ALL', config_key='cors.allow_all', default_value=DEBUG
 )
 
-CORS_ALLOW_CREDENTIALS = True
+CORS_ALLOW_CREDENTIALS = get_boolean_setting(
+    'INVENTREE_CORS_ALLOW_CREDENTIALS',
+    config_key='cors.allow_credentials',
+    default_value=True,
+)
 
 # Only allow CORS access to API and media endpoints
 CORS_URLS_REGEX = r'^/(api|media|static)/.*$'

InvenTree/config_template.yaml

@@ -171,13 +171,26 @@ auto_update: False
 allowed_hosts:
   - '*'
 
-# Cross Origin Resource Sharing (CORS) settings (see https://github.com/ottoyiu/django-cors-headers)
+# Trusted origins (see CSRF_TRUSTED_ORIGINS in Django settings documentation)
-# Following parameters are
+# If you are running behind a proxy, you may need to add the proxy address here
-cors:
+trusted_origins:
-  # CORS_ORIGIN_ALLOW_ALL - If True, the whitelist will not be used and all origins will be accepted.
+  - 'http://localhost:8000'
-  allow_all: True
+
+
+# Proxy forwarding settings
+# If InvenTree is running behind a proxy, you may need to configure these settings
+
+# Override with the environment variable INVENTREE_USE_X_FORWARDED_HOST
+use_x_forwarded_host: false
+
+# Override with the environment variable INVENTREE_USE_X_FORWARDED_PORT
+use_x_forwarded_port: false
+
+# Cross Origin Resource Sharing (CORS) settings (see https://github.com/adamchainz/django-cors-headers)
+cors:
+  allow_all: True
+  allow_credentials: True,
 
-  # CORS_ORIGIN_WHITELIST - A list of origins that are authorized to make cross-site HTTP requests. Defaults to []
   # whitelist:
   # - https://example.com
   # - https://sub.example.com

docs/docs/start/config.md

@@ -196,18 +196,28 @@ A list of currency codes (e.g. *AUD*, *CAD*, *JPY*, *USD*) can be specified usin
 !!! tip "More Info"
     Read the [currencies documentation](../settings/currency.md) for more information on currency support in InvenTree
 
-## Allowed Hosts / CORS
+## Server Access
 
-By default, all hosts are allowed, and CORS requests are enabled from any origin.
+Depending on how your InvenTree installation is configured, you will need to pay careful attention to the following settings. If you are running your server behind a proxy, or want to adjust support for CORS requests, one or more of the following settings may need to be adjusted.
+
+!!! warning "Advanced Users"
+    The following settings require a certain assumed level of knowledge. You should also refer to the [django documentation](https://docs.djangoproject.com/en/4.2/ref/settings/) for more information.
 
 !!! danger "Not Secure"
     Allowing access from any host is not secure, and should be adjusted for your installation.
 
+!!! info "Environment Variables"
+    Note that a provided environment variable will override the value provided in the configuration file.
+
 | Environment Variable | Configuration File | Description | Default |
 | --- | --- | --- | --- |
 | INVENTREE_ALLOWED_HOSTS | allowed_hosts | List of allowed hosts | `*` |
+| INVENTREE_TRUSTED_ORIGINS | trusted_origins | List of trusted origins | *Empty list* |
+| INVENTREE_USE_X_FORWARDED_HOST | use_x_forwarded_host | Use forwarded host header | False |
+| INVENTREE_USE_X_FORWARDED_PORT | use_x_forwarded_port | Use forwarded port header | False |
 | INVENTREE_CORS_ORIGIN_ALLOW_ALL | cors.allow_all | Allow all remote URLS for CORS checks | False |
 | INVENTREE_CORS_ORIGIN_WHITELIST | cors.whitelist | List of whitelisted CORS URLs | *Empty list* |
+| INVENTREE_CORS_ALLOW_CREDENTIALS | cors.allow_credentials | Allow cookies in cross-site requests | True |
 
 !!! info "Configuration File"
     Allowed hosts and CORS options must be changed in the configuration file, and cannot be set via environment variables