Do not check JWT_TOKEN_LOCATION when testing if cookie_csrf_protect is enabled #538
Previously, we would only include the csrf double submit value in a jwt if JWT_COOKIE_CSRF_PROTECT was true (the default) AND JWT_TOKEN_LOCATION was configured to use cookies. However, since we allow overwriting locations on a per-route basis instead of only globally for the whole application, we could create a situation where a single route was configured to use cookies when the rest of the app was not, and csrf checks were not happening against that endpoint.

This change makes it so that any jwts will be encoded with a csrf value when JWT_COOKIE_CSRF_PROTECT is true, regardless of whether the app is globally configured to use cookies. It will also verify the csrf double submit token on any route that uses cookies when JWT_COOKIE_CSRF_PROTECT is true, regardless of whether that is set globally in the application or on an individual route.

As a result of this change, you might notice that jwts used without cookies now include a csrf value. This will not change the behavior of non-jwt based endpoints at all; your jwts will just be a little bigger. You can remove that key from the jwt by explicitly setting JWT_COOKIE_CSRF_PROTECT to False, if you are not using cookies.