root: set samesite for csrf cookie

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/root/settings.py

@@ -75,6 +75,7 @@ AUTH_USER_MODEL = "authentik_core.User"
 
 _cookie_suffix = "_debug" if DEBUG else ""
 CSRF_COOKIE_NAME = "authentik_csrf"
+CSRF_COOKIE_SAMESITE = None
 LANGUAGE_COOKIE_NAME = f"authentik_language{_cookie_suffix}"
 SESSION_COOKIE_NAME = f"authentik_session{_cookie_suffix}"
 SESSION_COOKIE_DOMAIN = CONFIG.y("cookie_domain", None)

web/src/api/Config.ts

@@ -50,13 +50,27 @@ export function tenant(): Promise<CurrentTenant> {
     return globalTenantPromise;
 }
 
+let csrfToken = getCookie("authentik_csrf");
+
+export class CSRFUpdaterMiddleware implements Middleware {
+    post?(context: ResponseContext): Promise<Response | void> {
+        const newCsrf = getCookie("authentik_csrf");
+        if (newCsrf !== csrfToken) {
+            console.log("authentik/api: rotated CSRF token");
+            csrfToken = newCsrf;
+        }
+        return Promise.resolve(context.response);
+    }
+}
+
 export const DEFAULT_CONFIG = new Configuration({
     basePath: process.env.AK_API_BASE_PATH + "/api/v3",
     headers: {
-        "X-CSRFToken": getCookie("authentik_csrf"),
+        "X-CSRFToken": csrfToken,
         "sentry-trace": getMetaContent("sentry-trace") || "",
     },
     middleware: [
+        new CSRFUpdaterMiddleware(),
         new APIMiddleware(),
         new MessageMiddleware(),
         new LoggingMiddleware(),