From 3aa95a4524bc8e70e8d52ad0637e36e18f3a63cd Mon Sep 17 00:00:00 2001 From: Oliver Walters Date: Sun, 5 May 2024 04:38:45 +0000 Subject: [PATCH 1/8] Add ability to set cookie mode --- src/backend/InvenTree/InvenTree/settings.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/src/backend/InvenTree/InvenTree/settings.py b/src/backend/InvenTree/InvenTree/settings.py index 2ef1fbc44c7c..3d0b9e21d8cc 100644 --- a/src/backend/InvenTree/InvenTree/settings.py +++ b/src/backend/InvenTree/InvenTree/settings.py @@ -1106,11 +1106,17 @@ ) sys.exit(-1) +COOKIE_MODE = get_setting('INVENTREE_COOKIE_MODE', 'cookie_mode', 'Lax') + +if COOKIE_MODE not in ['Lax', 'Strict', None]: + logger.error('Invalid cookie mode: %s', COOKIE_MODE) + sys.exit(-1) + # Additional CSRF settings CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN' CSRF_COOKIE_NAME = 'csrftoken' -CSRF_COOKIE_SAMESITE = 'Lax' -SESSION_COOKIE_SAMESITE = 'Lax' +CSRF_COOKIE_SAMESITE = COOKIE_MODE +SESSION_COOKIE_SAMESITE = COOKIE_MODE SESSION_COOKIE_SECURE = get_boolean_setting( 'INVENTREE_SESSION_COOKIE_SECURE', 'session_cookie_secure', False ) From fa6f9128b03b1c58fd815da119fc714a6a897ed8 Mon Sep 17 00:00:00 2001 From: Oliver Walters Date: Sun, 5 May 2024 04:43:16 +0000 Subject: [PATCH 2/8] Update docs --- docs/docs/start/config.md | 5 +++-- src/backend/InvenTree/InvenTree/settings.py | 4 ++-- src/backend/InvenTree/config_template.yaml | 5 +++++ 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/docs/docs/start/config.md b/docs/docs/start/config.md index 6f76b2bccc16..48904c379c36 100644 --- a/docs/docs/start/config.md +++ b/docs/docs/start/config.md @@ -97,10 +97,11 @@ Depending on how your InvenTree installation is configured, you will need to pay | INVENTREE_CORS_ORIGIN_ALLOW_ALL | cors.allow_all | Allow all remote URLS for CORS checks | False | | INVENTREE_CORS_ORIGIN_WHITELIST | cors.whitelist | List of whitelisted CORS URLs. Refer to the [django-cors-headers documentation](https://github.com/adamchainz/django-cors-headers#cors_allowed_origins-sequencestr) | Uses the *INVENTREE_SITE_URL* parameter, if set. Otherwise, an empty list. | | INVENTREE_CORS_ORIGIN_REGEX | cors.regex | List of regular expressions for CORS whitelisted URL patterns | *Empty list* | +| INVENTREE_CORS_ALLOW_CREDENTIALS | cors.allow_credentials | Allow cookies in cross-site requests | True | | INVENTREE_USE_X_FORWARDED_HOST | use_x_forwarded_host | Use forwarded host header | False | | INVENTREE_USE_X_FORWARDED_PORT | use_x_forwarded_port | Use forwarded port header | False | -| INVENTREE_CORS_ALLOW_CREDENTIALS | cors.allow_credentials | Allow cookies in cross-site requests | True | -| INVENTREE_SESSION_COOKIE_SECURE | session_cookie_secure | Enforce secure session cookies | False | +| INVENTREE_SESSION_COOKIE_SECURE | cookie.secure | Enforce secure session cookies | False | +| INVENTREE_COOKIE_SAMESITE | cookie.samesite | Session cookie mode. Must be one of `None | "Strict" | "Lax"`. Refer to the [mozilla developer docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie) for more information. | `"Lax"` | ### Proxy Settings diff --git a/src/backend/InvenTree/InvenTree/settings.py b/src/backend/InvenTree/InvenTree/settings.py index 3d0b9e21d8cc..e3194540fedb 100644 --- a/src/backend/InvenTree/InvenTree/settings.py +++ b/src/backend/InvenTree/InvenTree/settings.py @@ -1106,7 +1106,7 @@ ) sys.exit(-1) -COOKIE_MODE = get_setting('INVENTREE_COOKIE_MODE', 'cookie_mode', 'Lax') +COOKIE_MODE = get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'Lax') if COOKIE_MODE not in ['Lax', 'Strict', None]: logger.error('Invalid cookie mode: %s', COOKIE_MODE) @@ -1118,7 +1118,7 @@ CSRF_COOKIE_SAMESITE = COOKIE_MODE SESSION_COOKIE_SAMESITE = COOKIE_MODE SESSION_COOKIE_SECURE = get_boolean_setting( - 'INVENTREE_SESSION_COOKIE_SECURE', 'session_cookie_secure', False + 'INVENTREE_SESSION_COOKIE_SECURE', 'cookie.secure', False ) USE_X_FORWARDED_HOST = get_boolean_setting( diff --git a/src/backend/InvenTree/config_template.yaml b/src/backend/InvenTree/config_template.yaml index 8e4efeb54c25..1604aa2ff61d 100644 --- a/src/backend/InvenTree/config_template.yaml +++ b/src/backend/InvenTree/config_template.yaml @@ -181,6 +181,11 @@ use_x_forwarded_host: false # Override with the environment variable INVENTREE_USE_X_FORWARDED_PORT use_x_forwarded_port: false +# Cookie settings +cookie: + secure: false + samesite: 'Lax' + # Cross Origin Resource Sharing (CORS) settings (see https://github.com/adamchainz/django-cors-headers) cors: allow_all: true From d3eefe1291e81124df3889ffcf2c636e6ab29107 Mon Sep 17 00:00:00 2001 From: Oliver Walters Date: Sun, 5 May 2024 04:47:26 +0000 Subject: [PATCH 3/8] Better validation of cookie mode --- src/backend/InvenTree/InvenTree/settings.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/backend/InvenTree/InvenTree/settings.py b/src/backend/InvenTree/InvenTree/settings.py index e3194540fedb..49cbcabcd55d 100644 --- a/src/backend/InvenTree/InvenTree/settings.py +++ b/src/backend/InvenTree/InvenTree/settings.py @@ -1106,12 +1106,20 @@ ) sys.exit(-1) -COOKIE_MODE = get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'Lax') +COOKIE_MODE = ( + str(get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'Lax')) + .lower() + .strip() +) + +valid_cookie_modes = {'lax': 'Lax', 'strict': 'Strict', 'none': None, 'null': None} -if COOKIE_MODE not in ['Lax', 'Strict', None]: +if COOKIE_MODE not in valid_cookie_modes.keys(): logger.error('Invalid cookie mode: %s', COOKIE_MODE) sys.exit(-1) +COOKIE_MODE = valid_cookie_modes[COOKIE_MODE.lower()] + # Additional CSRF settings CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN' CSRF_COOKIE_NAME = 'csrftoken' From 6ed832be1d4356d66474606273434fd1d37aa20d Mon Sep 17 00:00:00 2001 From: Oliver Walters Date: Sun, 5 May 2024 04:50:18 +0000 Subject: [PATCH 4/8] Docs updates --- docs/docs/start/config.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/docs/start/config.md b/docs/docs/start/config.md index 48904c379c36..24de5c94d1fb 100644 --- a/docs/docs/start/config.md +++ b/docs/docs/start/config.md @@ -94,14 +94,14 @@ Depending on how your InvenTree installation is configured, you will need to pay | --- | --- | --- | --- | | INVENTREE_ALLOWED_HOSTS | allowed_hosts | List of allowed hosts | `*` | | INVENTREE_TRUSTED_ORIGINS | trusted_origins | List of trusted origins. Refer to the [django documentation]({% include "django.html" %}/ref/settings/#csrf-trusted-origins) | Uses the *INVENTREE_SITE_URL* parameter, if set. Otherwise, an empty list. | -| INVENTREE_CORS_ORIGIN_ALLOW_ALL | cors.allow_all | Allow all remote URLS for CORS checks | False | +| INVENTREE_CORS_ORIGIN_ALLOW_ALL | cors.allow_all | Allow all remote URLS for CORS checks | `False` | | INVENTREE_CORS_ORIGIN_WHITELIST | cors.whitelist | List of whitelisted CORS URLs. Refer to the [django-cors-headers documentation](https://github.com/adamchainz/django-cors-headers#cors_allowed_origins-sequencestr) | Uses the *INVENTREE_SITE_URL* parameter, if set. Otherwise, an empty list. | | INVENTREE_CORS_ORIGIN_REGEX | cors.regex | List of regular expressions for CORS whitelisted URL patterns | *Empty list* | -| INVENTREE_CORS_ALLOW_CREDENTIALS | cors.allow_credentials | Allow cookies in cross-site requests | True | -| INVENTREE_USE_X_FORWARDED_HOST | use_x_forwarded_host | Use forwarded host header | False | -| INVENTREE_USE_X_FORWARDED_PORT | use_x_forwarded_port | Use forwarded port header | False | -| INVENTREE_SESSION_COOKIE_SECURE | cookie.secure | Enforce secure session cookies | False | -| INVENTREE_COOKIE_SAMESITE | cookie.samesite | Session cookie mode. Must be one of `None | "Strict" | "Lax"`. Refer to the [mozilla developer docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie) for more information. | `"Lax"` | +| INVENTREE_CORS_ALLOW_CREDENTIALS | cors.allow_credentials | Allow cookies in cross-site requests | `True` | +| INVENTREE_USE_X_FORWARDED_HOST | use_x_forwarded_host | Use forwarded host header | `False` | +| INVENTREE_USE_X_FORWARDED_PORT | use_x_forwarded_port | Use forwarded port header | `False` | +| INVENTREE_SESSION_COOKIE_SECURE | cookie.secure | Enforce secure session cookies | `False` | +| INVENTREE_COOKIE_SAMESITE | cookie.samesite | Session cookie mode. Must be one of `Strict | Lax | None`. Refer to the [mozilla developer docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie) for more information. | `Lax` | ### Proxy Settings From a34ae280dd68e3c54a2d411180dc337112491205 Mon Sep 17 00:00:00 2001 From: Oliver Walters Date: Sun, 5 May 2024 04:50:52 +0000 Subject: [PATCH 5/8] Update error msg --- src/backend/InvenTree/InvenTree/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/InvenTree/InvenTree/settings.py b/src/backend/InvenTree/InvenTree/settings.py index 49cbcabcd55d..9c607125340c 100644 --- a/src/backend/InvenTree/InvenTree/settings.py +++ b/src/backend/InvenTree/InvenTree/settings.py @@ -1115,7 +1115,7 @@ valid_cookie_modes = {'lax': 'Lax', 'strict': 'Strict', 'none': None, 'null': None} if COOKIE_MODE not in valid_cookie_modes.keys(): - logger.error('Invalid cookie mode: %s', COOKIE_MODE) + logger.error('Invalid cookie samesite mode: %s', COOKIE_MODE) sys.exit(-1) COOKIE_MODE = valid_cookie_modes[COOKIE_MODE.lower()] From 244bf22dc3558adac925f1759a784a7d20d0c3b6 Mon Sep 17 00:00:00 2001 From: Oliver Date: Sun, 5 May 2024 16:27:42 +1000 Subject: [PATCH 6/8] Update config.md Change default samesite mode to None --- docs/docs/start/config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs/start/config.md b/docs/docs/start/config.md index 24de5c94d1fb..c9035672e1e7 100644 --- a/docs/docs/start/config.md +++ b/docs/docs/start/config.md @@ -101,7 +101,7 @@ Depending on how your InvenTree installation is configured, you will need to pay | INVENTREE_USE_X_FORWARDED_HOST | use_x_forwarded_host | Use forwarded host header | `False` | | INVENTREE_USE_X_FORWARDED_PORT | use_x_forwarded_port | Use forwarded port header | `False` | | INVENTREE_SESSION_COOKIE_SECURE | cookie.secure | Enforce secure session cookies | `False` | -| INVENTREE_COOKIE_SAMESITE | cookie.samesite | Session cookie mode. Must be one of `Strict | Lax | None`. Refer to the [mozilla developer docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie) for more information. | `Lax` | +| INVENTREE_COOKIE_SAMESITE | cookie.samesite | Session cookie mode. Must be one of `Strict | Lax | None`. Refer to the [mozilla developer docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie) for more information. | `None` | ### Proxy Settings From 7ccfba3f2a09cf9243c278705042f884249adee7 Mon Sep 17 00:00:00 2001 From: Oliver Date: Sun, 5 May 2024 16:28:16 +1000 Subject: [PATCH 7/8] Update settings.py Default mode is None --- src/backend/InvenTree/InvenTree/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/InvenTree/InvenTree/settings.py b/src/backend/InvenTree/InvenTree/settings.py index 9c607125340c..13da19b11b91 100644 --- a/src/backend/InvenTree/InvenTree/settings.py +++ b/src/backend/InvenTree/InvenTree/settings.py @@ -1107,7 +1107,7 @@ sys.exit(-1) COOKIE_MODE = ( - str(get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'Lax')) + str(get_setting('INVENTREE_COOKIE_SAMESITE', 'cookie.samesite', 'None')) .lower() .strip() ) From e896abc20c2ab671d63e55a5fb8111a0efa3a6f0 Mon Sep 17 00:00:00 2001 From: Oliver Date: Sun, 5 May 2024 17:11:24 +1000 Subject: [PATCH 8/8] Update config_template.yaml Change default value in config file template --- src/backend/InvenTree/config_template.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/InvenTree/config_template.yaml b/src/backend/InvenTree/config_template.yaml index 1604aa2ff61d..b9bb21222035 100644 --- a/src/backend/InvenTree/config_template.yaml +++ b/src/backend/InvenTree/config_template.yaml @@ -184,7 +184,7 @@ use_x_forwarded_port: false # Cookie settings cookie: secure: false - samesite: 'Lax' + samesite: none # Cross Origin Resource Sharing (CORS) settings (see https://github.com/adamchainz/django-cors-headers) cors: