root: set csrf cookie's secure flag same as session (#6350)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
parent
346c6e6a85
commit
7be94df00c
|
@ -10,6 +10,8 @@ from django.contrib.sessions.exceptions import SessionInterrupted
|
||||||
from django.contrib.sessions.middleware import SessionMiddleware as UpstreamSessionMiddleware
|
from django.contrib.sessions.middleware import SessionMiddleware as UpstreamSessionMiddleware
|
||||||
from django.http.request import HttpRequest
|
from django.http.request import HttpRequest
|
||||||
from django.http.response import HttpResponse
|
from django.http.response import HttpResponse
|
||||||
|
from django.middleware.csrf import CSRF_SESSION_KEY
|
||||||
|
from django.middleware.csrf import CsrfViewMiddleware as UpstreamCsrfViewMiddleware
|
||||||
from django.utils.cache import patch_vary_headers
|
from django.utils.cache import patch_vary_headers
|
||||||
from django.utils.http import http_date
|
from django.utils.http import http_date
|
||||||
from jwt import PyJWTError, decode, encode
|
from jwt import PyJWTError, decode, encode
|
||||||
|
@ -131,6 +133,29 @@ class SessionMiddleware(UpstreamSessionMiddleware):
|
||||||
return response
|
return response
|
||||||
|
|
||||||
|
|
||||||
|
class CsrfViewMiddleware(UpstreamCsrfViewMiddleware):
|
||||||
|
"""Dynamically set secure depending if the upstream connection is TLS or not"""
|
||||||
|
|
||||||
|
def _set_csrf_cookie(self, request: HttpRequest, response: HttpResponse):
|
||||||
|
if settings.CSRF_USE_SESSIONS:
|
||||||
|
if request.session.get(CSRF_SESSION_KEY) != request.META["CSRF_COOKIE"]:
|
||||||
|
request.session[CSRF_SESSION_KEY] = request.META["CSRF_COOKIE"]
|
||||||
|
else:
|
||||||
|
secure = SessionMiddleware.is_secure(request)
|
||||||
|
response.set_cookie(
|
||||||
|
settings.CSRF_COOKIE_NAME,
|
||||||
|
request.META["CSRF_COOKIE"],
|
||||||
|
max_age=settings.CSRF_COOKIE_AGE,
|
||||||
|
domain=settings.CSRF_COOKIE_DOMAIN,
|
||||||
|
path=settings.CSRF_COOKIE_PATH,
|
||||||
|
secure=secure,
|
||||||
|
httponly=settings.CSRF_COOKIE_HTTPONLY,
|
||||||
|
samesite=settings.CSRF_COOKIE_SAMESITE,
|
||||||
|
)
|
||||||
|
# Set the Vary header since content varies with the CSRF cookie.
|
||||||
|
patch_vary_headers(response, ("Cookie",))
|
||||||
|
|
||||||
|
|
||||||
class ChannelsLoggingMiddleware:
|
class ChannelsLoggingMiddleware:
|
||||||
"""Logging middleware for channels"""
|
"""Logging middleware for channels"""
|
||||||
|
|
||||||
|
|
|
@ -226,7 +226,7 @@ MIDDLEWARE = [
|
||||||
"authentik.events.middleware.AuditMiddleware",
|
"authentik.events.middleware.AuditMiddleware",
|
||||||
"django.middleware.security.SecurityMiddleware",
|
"django.middleware.security.SecurityMiddleware",
|
||||||
"django.middleware.common.CommonMiddleware",
|
"django.middleware.common.CommonMiddleware",
|
||||||
"django.middleware.csrf.CsrfViewMiddleware",
|
"authentik.root.middleware.CsrfViewMiddleware",
|
||||||
"django.contrib.messages.middleware.MessageMiddleware",
|
"django.contrib.messages.middleware.MessageMiddleware",
|
||||||
"django.middleware.clickjacking.XFrameOptionsMiddleware",
|
"django.middleware.clickjacking.XFrameOptionsMiddleware",
|
||||||
"authentik.core.middleware.ImpersonateMiddleware",
|
"authentik.core.middleware.ImpersonateMiddleware",
|
||||||
|
|
Reference in a new issue