Fix CSRF token header usage #846
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds a view at '/api/login' to authenticate a user using Django's sessions. If authenticated, it returns the user and their permissions as a response and sets a 'sessionid' cookie. Signed-off-by: Eva Millán <[email protected]>
Removes the CSRF token check from the GraphQL requests by default. The check is only performed for requests decorated with '@check_auth' or '@check_permissions' that don't have a JWT authorization header. Signed-off-by: Eva Millán <[email protected]>
Replaces the JWT authorization with '/api/login/'. Adds the CSRF token to the template so the header is added automatically to all requests when the UI is served by Django. Signed-off-by: Eva Millán <[email protected]>
Adds the 'yarn watch' command to rebuild the UI static files whenever there is a change in the code. Running the Django backend with './manage.py runserver' automatically collects and serves the files with the CSRF token included. Signed-off-by: Eva Millán <[email protected]>
Removes the 'X-CSRFToken' header and the GET request to retrieve it since it is not needed when using JWT authorization. Signed-off-by: Eva Millán <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR changes how the CSRF token header is used. API calls using the JWT authorization header don't need the CSRF token. The token is only required on requests that are made from the UI, which now uses a new endpoint at
/api/loginto authenticate users instead of JWT. Django sets acsrftokencookie when the interface is loaded and asessionidcookie for authenticated users that is not available to JavaScript and includes it automatically in all requests.Since the UI needs to be served by Django to get the token, to run it for development use
yarn watchinstead ofyarn serve, which watches for changes and rebuilds the static files, and serve it with./manage.py runserver, which collects the files automatically.