inventree/InvenTree
2
0
Fork 0
mirror of https://github.com/inventree/InvenTree.git synced 2025-06-16 20:15:44 +00:00
Code Activity

[Breaking] Samesite Cookie Fix (#8269)

Browse Source 
* Adjust samesite cookie behaviour:

- In DEBUG mode, turn off entirely
- Allow False value (note: *not* a string)
- Force insecure cookie in DEBUG mode

* Change default value in config file template

* Update docs

* Adjust COOKIE_SECURE based on SAMESITE setting
This commit is contained in:
Oliver
2024-10-10 20:18:14 +11:00
committed by GitHub
parent 8e34fddfaa
commit 914f59c4cc
3 changed files with 40 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
src/backend/InvenTree/InvenTree/settings.py
View File

@ -1093,22 +1093,40 @@ if (
sys.exit(-1)
COOKIE_MODE = (
str(get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'None'))
str(get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'False'))
.lower()
.strip()
)
valid_cookie_modes = {'lax': 'Lax', 'strict': 'Strict', 'none': 'None', 'null': 'None'}
# Valid modes (as per the django settings documentation)
valid_cookie_modes = ['lax', 'strict', 'none']
COOKIE_MODE = valid_cookie_modes.get(COOKIE_MODE.lower(), 'None')
if not DEBUG and COOKIE_MODE in valid_cookie_modes:
# Set the cookie mode (in production mode only)
COOKIE_MODE = COOKIE_MODE.capitalize()
else:
# Default to False, as per the Django settings
COOKIE_MODE = False
# Additional CSRF settings
CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN'
CSRF_COOKIE_NAME = 'csrftoken'
CSRF_COOKIE_SAMESITE = COOKIE_MODE
SESSION_COOKIE_SAMESITE = COOKIE_MODE
SESSION_COOKIE_SECURE = get_boolean_setting(
'INVENTREE_SESSION_COOKIE_SECURE', 'cookie.secure', False
"""Set the SESSION_COOKIE_SECURE value based on the following rules:
- False if the server is running in DEBUG mode
- True if samesite cookie setting is set to 'None'
- Otherwise, use the value specified in the configuration file (or env var)
"""
SESSION_COOKIE_SECURE = (
False
if DEBUG
else (
SESSION_COOKIE_SAMESITE == 'None'
or get_boolean_setting('INVENTREE_SESSION_COOKIE_SECURE', 'cookie.secure', True)
)
)
USE_X_FORWARDED_HOST = get_boolean_setting(

2
src/backend/InvenTree/config_template.yaml
View File

@ -117,7 +117,7 @@ use_x_forwarded_port: false
# Cookie settings
cookie:
secure: false
samesite: none
samesite: false
# Cross Origin Resource Sharing (CORS) settings (see https://github.com/adamchainz/django-cors-headers)
cors: