diff --git a/src/backend/InvenTree/InvenTree/settings.py b/src/backend/InvenTree/InvenTree/settings.py index e10291a565d0..68b24ee396e5 100644 --- a/src/backend/InvenTree/InvenTree/settings.py +++ b/src/backend/InvenTree/InvenTree/settings.py @@ -1061,26 +1061,40 @@ sys.exit(-1) COOKIE_MODE = ( - str(get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'None')) + str(get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'False')) .lower() .strip() ) -valid_cookie_modes = {'lax': 'Lax', 'strict': 'Strict', 'none': 'None', 'null': 'None'} +# Valid modes (as per the django settings documentation) +valid_cookie_modes = ['lax', 'strict', 'none'] -if COOKIE_MODE not in valid_cookie_modes.keys(): - logger.error('Invalid cookie samesite mode: %s', COOKIE_MODE) - sys.exit(-1) - -COOKIE_MODE = valid_cookie_modes.get(COOKIE_MODE.lower(), 'None') +if not DEBUG and not TESTING and COOKIE_MODE in valid_cookie_modes: + # Set the cookie mode (in production mode only) + COOKIE_MODE = COOKIE_MODE.capitalize() +else: + # Default to False, as per the Django settings + COOKIE_MODE = False # Additional CSRF settings CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN' CSRF_COOKIE_NAME = 'csrftoken' + CSRF_COOKIE_SAMESITE = COOKIE_MODE SESSION_COOKIE_SAMESITE = COOKIE_MODE -SESSION_COOKIE_SECURE = get_boolean_setting( - 'INVENTREE_SESSION_COOKIE_SECURE', 'cookie.secure', False + +"""Set the SESSION_COOKIE_SECURE value based on the following rules: +- False if the server is running in DEBUG mode +- True if samesite cookie setting is set to 'None' +- Otherwise, use the value specified in the configuration file (or env var) +""" +SESSION_COOKIE_SECURE = ( + False + if DEBUG + else ( + SESSION_COOKIE_SAMESITE == 'None' + or get_boolean_setting('INVENTREE_SESSION_COOKIE_SECURE', 'cookie.secure', True) + ) ) USE_X_FORWARDED_HOST = get_boolean_setting( 
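Review bot: An unrecognised `cookie.samesite` value is now silently coerced to False by the `else` branch at the end of the COOKIE_MODE block, whereas the removed lines logged an error and exited; a production typo such as `samesite: nonee` therefore drops SameSite protection without any trace. Keep a diagnostic in the fallback, e.g. before `COOKIE_MODE = False` add `if COOKIE_MODE not in valid_cookie_modes and COOKIE_MODE != 'false': logger.warning('Invalid cookie samesite mode: %s - defaulting to False', COOKIE_MODE)` (the same `logger` the removed lines used). Separately, `CSRF_COOKIE_SAMESITE = COOKIE_MODE` can be 'None' in production while only SESSION_COOKIE_SECURE is forced True here; unless CSRF_COOKIE_SECURE is set elsewhere in the file, browsers reject a SameSite=None csrftoken that lacks the Secure flag, so the same rule should apply to the CSRF cookie. The triple-quoted rules text above SESSION_COOKIE_SECURE is a bare string statement rather than a comment; a `#` comment block would be the conventional form for module-level settings.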
diff --git a/src/backend/InvenTree/common/migrations/0031_auto_20241026_0024.py b/src/backend/InvenTree/common/migrations/0031_auto_20241026_0024.py deleted file mode 100644 index 75b6c86a672d..000000000000 --- a/src/backend/InvenTree/common/migrations/0031_auto_20241026_0024.py +++ /dev/null @@ -1,39 +0,0 @@ -# Generated by Django 4.2.16 on 2024-10-26 00:24 - -from django.conf import settings -from django.db import migrations - -import logging - -logger = logging.getLogger('inventree') - - -def update_news_feed_urls(apps, schema_editor): - """Update and validate the news feed URLs.""" - - from common.models import NewsFeedEntry - - n = 0 - - for entry in NewsFeedEntry.objects.all(): - if entry.link and entry.link.startswith('/'): - entry.link = settings.INVENTREE_BASE_URL + entry.link - entry.save() - n += 1 - - if n > 0: - logger.info("Updated link for %s NewsFeedEntry objects", n) - - -class Migration(migrations.Migration): - - dependencies = [ - ('common', '0030_barcodescanresult'), - ] - - operations = [ - migrations.RunPython( - update_news_feed_urls, - reverse_code=migrations.RunPython.noop - ) - ] diff --git a/src/backend/InvenTree/config_template.yaml b/src/backend/InvenTree/config_template.yaml index 4ef1bf42bfd4..fa597167a1fc 100644 --- a/src/backend/InvenTree/config_template.yaml +++ b/src/backend/InvenTree/config_template.yaml @@ -117,7 +117,7 @@ use_x_forwarded_port: false # Cookie settings cookie: secure: false - samesite: none + samesite: false # Cross Origin Resource Sharing (CORS) settings (see https://github.com/adamchainz/django-cors-headers) cors:
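Review bot: The template still ships `secure: false` two lines above the changed `samesite` key, while the settings.py hunk in this same commit flips the code default for `INVENTREE_SESSION_COOKIE_SECURE` to True; a deployment generated from this template pins the insecure value in production and never sees the new default. Change it to `secure: true`, or comment the key out so the code default applies, and add a comment that `samesite: none` forces the secure flag regardless of this key. Note also that `false` is parsed as a YAML boolean here and only works because the settings code stringifies and lowercases the value, so a short comment saying the accepted values are `lax`, `strict`, `none` or `false` would save the next operator from quoting guesswork.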