switch to browser based sessions

2025-06-16 20:15:44 +00:00 · 2025-01-08 13:55:20 +01:00
parent ea940e8c58
commit d482b3677f
3 changed files with 16 additions and 8 deletions
--- a/src/backend/InvenTree/users/api.py
+++ b/src/backend/InvenTree/users/api.py
@ -5,6 +5,7 @@ import datetime
 from django.contrib.auth import get_user, login
 from django.contrib.auth.models import Group, User
 from django.urls import include, path, re_path
+from django.views.decorators.csrf import ensure_csrf_cookie
 from django.views.generic.base import RedirectView

 import structlog
@ -330,7 +331,7 @@ class LoginRedirect(RedirectView):

 user_urls = [
    path('roles/', RoleDetails.as_view(), name='api-user-roles'),
-    path('token/', GetAuthToken.as_view(), name='api-token'),
+    path('token/', ensure_csrf_cookie(GetAuthToken.as_view()), name='api-token'),
    path(
        'tokens/',
        include([
--- a/src/frontend/src/enums/ApiEndpoints.tsx
+++ b/src/frontend/src/enums/ApiEndpoints.tsx
@ -19,13 +19,13 @@ export enum ApiEndpoints {
  user_reset = 'auth/password/reset/',
  user_reset_set = 'auth/password/reset/confirm/',
  user_change_password = 'auth/password/change/',
-  user_sso = '_allauth/app/v1/account/providers',
-  user_login = '_allauth/app/v1/auth/login',
-  user_login_mfa = '_allauth/app/v1/auth/2fa/authenticate',
-  user_logout = '_allauth/app/v1/auth/session',
+  user_sso = '_allauth/browser/v1/account/providers',
+  user_login = '_allauth/browser/v1/auth/login',
+  user_login_mfa = '_allauth/browser/v1/auth/2fa/authenticate',
+  user_logout = '_allauth/browser/v1/auth/session',
  user_register = 'auth/registration/',
-  user_mfa = '_allauth/app/v1/account/authenticators',
-  user_emails = '_allauth/app/v1/account/email',
+  user_mfa = '_allauth/browser/v1/account/authenticators',
+  user_emails = '_allauth/browser/v1/account/email',
  login_provider_redirect = '_allauth/browser/v1/auth/provider/redirect',

  // Generic API endpoints
--- a/src/frontend/src/functions/auth.tsx
+++ b/src/frontend/src/functions/auth.tsx
@ -73,9 +73,16 @@ export const doBasicLogin = async (
  }

  clearCsrfCookie();
+  const cookie = getCsrfCookie();

  const login_url = apiUrl(ApiEndpoints.user_login);

+  if (cookie == undefined) {
+    await api.get(apiUrl(ApiEndpoints.user_token)).catch(() => {
+      // his is to be expected
+    });
+  }
+
  let loginDone = false;
  let success = false;

@ -115,7 +122,7 @@ export const doBasicLogin = async (
  if (loginDone) {
    await fetchUserState();
    fetchGlobalStates();
-  } else {
+  } else if (!success) {
    clearUserState();
  }
  return success;