Samesite fix (#8390)

* Fix for migratoin * Fix for COOKIE_MODE - Update to match master * Fix default value in config template - samesite = false, not none * Remove conflicting migration - Should not have back-ported this from master branch - Will not cause any serious issues, was a "nice to have" data migration
2025-04-28 11:36:44 +00:00 · 2024-10-29 10:17:41 +11:00 · 2024-10-29 10:17:41 +11:00 · de2edc4ed6
commit de2edc4ed6
parent 343f63c6ba
3 changed files with 24 additions and 49 deletions
--- a/src/backend/InvenTree/InvenTree/settings.py
+++ b/src/backend/InvenTree/InvenTree/settings.py
@ -1061,26 +1061,40 @@ if (
    sys.exit(-1)

 COOKIE_MODE = (
-    str(get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'None'))
+    str(get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'False'))
    .lower()
    .strip()
 )

-valid_cookie_modes = {'lax': 'Lax', 'strict': 'Strict', 'none': 'None', 'null': 'None'}
+# Valid modes (as per the django settings documentation)
+valid_cookie_modes = ['lax', 'strict', 'none']

-if COOKIE_MODE not in valid_cookie_modes.keys():
-    logger.error('Invalid cookie samesite mode: %s', COOKIE_MODE)
-    sys.exit(-1)
-
-COOKIE_MODE = valid_cookie_modes.get(COOKIE_MODE.lower(), 'None')
+if not DEBUG and not TESTING and COOKIE_MODE in valid_cookie_modes:
+    # Set the cookie mode (in production mode only)
+    COOKIE_MODE = COOKIE_MODE.capitalize()
+else:
+    # Default to False, as per the Django settings
+    COOKIE_MODE = False

 # Additional CSRF settings
 CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN'
 CSRF_COOKIE_NAME = 'csrftoken'
+
 CSRF_COOKIE_SAMESITE = COOKIE_MODE
 SESSION_COOKIE_SAMESITE = COOKIE_MODE
-SESSION_COOKIE_SECURE = get_boolean_setting(
-    'INVENTREE_SESSION_COOKIE_SECURE', 'cookie.secure', False
+
+"""Set the SESSION_COOKIE_SECURE value based on the following rules:
+- False if the server is running in DEBUG mode
+- True if samesite cookie setting is set to 'None'
+- Otherwise, use the value specified in the configuration file (or env var)
+"""
+SESSION_COOKIE_SECURE = (
+    False
+    if DEBUG
+    else (
+        SESSION_COOKIE_SAMESITE == 'None'
+        or get_boolean_setting('INVENTREE_SESSION_COOKIE_SECURE', 'cookie.secure', True)
+    )
 )

 USE_X_FORWARDED_HOST = get_boolean_setting(
--- a/src/backend/InvenTree/common/migrations/0031_auto_20241026_0024.py
+++ b/src/backend/InvenTree/common/migrations/0031_auto_20241026_0024.py
@ -1,39 +0,0 @@
-# Generated by Django 4.2.16 on 2024-10-26 00:24
-
-from django.conf import settings
-from django.db import migrations
-
-import logging
-
-logger = logging.getLogger('inventree')
-
-
-def update_news_feed_urls(apps, schema_editor):
-    """Update and validate the news feed URLs."""
-
-    from common.models import NewsFeedEntry
-
-    n = 0
-
-    for entry in NewsFeedEntry.objects.all():
-        if entry.link and entry.link.startswith('/'):
-            entry.link = settings.INVENTREE_BASE_URL + entry.link
-            entry.save()
-            n += 1
-
-    if n > 0:
-        logger.info("Updated link for %s NewsFeedEntry objects", n)
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('common', '0030_barcodescanresult'),
-    ]
-
-    operations = [
-        migrations.RunPython(
-            update_news_feed_urls,
-            reverse_code=migrations.RunPython.noop
-        )
-    ]
--- a/src/backend/InvenTree/config_template.yaml
+++ b/src/backend/InvenTree/config_template.yaml
@ -117,7 +117,7 @@ use_x_forwarded_port: false
 # Cookie settings
 cookie:
  secure: false
-  samesite: none
+  samesite: false

 # Cross Origin Resource Sharing (CORS) settings (see https://github.com/adamchainz/django-cors-headers)
 cors: