From 5a751e241ca14b8db6a53decc79b37327d457d6d Mon Sep 17 00:00:00 2001
From: cbomprezzi
Date: Mon, 15 Jun 2020 17:12:41 +0200
Subject: [PATCH 1/2] add secure and samesite jwt cookie support

---
 .gitignore | 5 ++++-
 dj_rest_auth/views.py | 7 ++++++-
 docs/configuration.rst | 3 +++
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 136132c..886268d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -106,4 +106,7 @@ venv.bak/
 # mypy
 .mypy_cache/
 demo/react-spa/node_modules/
-demo/react-spa/yarn.lock
\ No newline at end of file
+demo/react-spa/yarn.lock
+
+# Visual Studio Code
+.vscode/
diff --git a/dj_rest_auth/views.py b/dj_rest_auth/views.py
index dc3dea8..6387de6 100644
--- a/dj_rest_auth/views.py
+++ b/dj_rest_auth/views.py
@@ -86,6 +86,9 @@ class LoginView(GenericAPIView):
 response = Response(serializer.data, status=status.HTTP_200_OK)
 if getattr(settings, 'REST_USE_JWT', False):
 cookie_name = getattr(settings, 'JWT_AUTH_COOKIE', None)
+ cookie_secure = getattr(settings, 'JWT_AUTH_SECURE', False)
+ cookie_samesite = getattr(settings, 'JWT_AUTH_HTTPONLY', True)
+ cookie_samesite = getattr(settings, 'JWT_AUTH_SAMESITE', 'Lax')
 from rest_framework_simplejwt.settings import api_settings as jwt_settings
 if cookie_name:
 from datetime import datetime
@@ -94,7 +97,9 @@ class LoginView(GenericAPIView):
 cookie_name,
 self.access_token,
 expires=expiration,
- httponly=True
+ secure=cookie_secure,
+ httponly=True,
+ samesite=cookie_samesite
 )
 return response
diff --git a/docs/configuration.rst b/docs/configuration.rst
index aac74c2..3b363a8 100644
--- a/docs/configuration.rst
+++ b/docs/configuration.rst
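Review bot: `JWT_AUTH_SECURE` falls back to `False` in the new `cookie_secure = getattr(settings, 'JWT_AUTH_SECURE', False)` line, so the access token cookie is emitted without the Secure flag unless a deployer discovers the new setting, and a bearer token without Secure is replayable over any plain-HTTP request to the same host. Django already has a project-wide answer to this question in `SESSION_COOKIE_SECURE`, which every hardened deployment sets; inheriting it keeps the two auth cookies consistent by default: `cookie_secure = getattr(settings, 'JWT_AUTH_SECURE', getattr(settings, 'SESSION_COOKIE_SECURE', False))`. The docs hunk later in this patch would then say "defaults to SESSION_COOKIE_SECURE" instead of "default: False". The enclosing method of `LoginView` starts before this hunk, so I cannot see whether these settings are read anywhere else.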
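Review bot: The added `samesite=cookie_samesite` keyword on `set_cookie` is only accepted by `HttpResponse.set_cookie` from Django 2.1 onwards; on an older Django the call raises `TypeError` at login for every project that enables `REST_USE_JWT` with `JWT_AUTH_COOKIE`, including ones that never touch the new settings, because the default `'Lax'` is always passed. I cannot see the supported Django range from this diff, so if anything below 2.1 is still declared in `setup.py`, either bump the floor in the same patch or build the kwargs and add `samesite` only when the installed Django supports it. Also worth a one-line comment above the call: `# 'Lax' is validated case-insensitively by Django; 'None' requires secure=True in modern browsers`. The `set_cookie(` line and the surrounding method lie outside the hunk.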
@@ -48,6 +48,9 @@ Configuration
 - **REST_USE_JWT** - Enable JWT Authentication instead of Token/Session based. This is built on top of djangorestframework-simplejwt https://github.com/SimpleJWT/django-rest-framework-simplejwt, which must also be installed. (default: False)
 - **JWT_AUTH_COOKIE** - The cookie name/key.
+- **JWT_AUTH_SECURE** - If you want the cookie to be only sent to the server when a request is made with the https scheme (default: False).
+- **JWT_AUTH_HTTPONLY** - If you want to prevent client-side JavaScript from having access to the cookie (default: True).
+- **JWT_AUTH_SAMESITE** - To tell the browser not to send this cookie when performing a cross-origin request (default: 'Lax'). SameSite isn’t supported by all browsers.
 - **OLD_PASSWORD_FIELD_ENABLED** - set it to True if you want to have old password verification on password change enpoint (default: False)
 - **LOGOUT_ON_PASSWORD_CHANGE** - set to False if you want to keep the current user logged in after a password change

From f05abda5b067a73b7011cd00827c85ae511754c5 Mon Sep 17 00:00:00 2001
From: cbomprezzi
Date: Mon, 15 Jun 2020 17:57:59 +0200
Subject: [PATCH 2/2] fix distraction errors

---
 dj_rest_auth/views.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dj_rest_auth/views.py b/dj_rest_auth/views.py
index 6387de6..21e064c 100644
--- a/dj_rest_auth/views.py
+++ b/dj_rest_auth/views.py
@@ -87,7 +87,7 @@ class LoginView(GenericAPIView):
 if getattr(settings, 'REST_USE_JWT', False):
 cookie_name = getattr(settings, 'JWT_AUTH_COOKIE', None)
 cookie_secure = getattr(settings, 'JWT_AUTH_SECURE', False)
- cookie_samesite = getattr(settings, 'JWT_AUTH_HTTPONLY', True)
+ cookie_httponly = getattr(settings, 'JWT_AUTH_HTTPONLY', True)
 cookie_samesite = getattr(settings, 'JWT_AUTH_SAMESITE', 'Lax')
 from rest_framework_simplejwt.settings import api_settings as jwt_settings
 if cookie_name:
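Review bot: With the rename in place, `JWT_AUTH_SAMESITE` is now passed straight through from settings with no validation, and Django's `set_cookie` (from 2.1 on, as far as I recall) raises `ValueError` for anything other than `Lax`/`Strict` (plus `None` on 3.1+), so a misspelt value such as `'lax '` or `'strict-mode'` turns every login into a 500 instead of failing at startup. Consider validating the three settings once, either in a Django system check or at the top of this branch, e.g. `if cookie_samesite and cookie_samesite.lower() not in ('lax', 'strict', 'none'): raise ImproperlyConfigured('JWT_AUTH_SAMESITE must be Lax, Strict or None')` (needs `from django.core.exceptions import ImproperlyConfigured`, which I cannot see imported here). The `JWT_AUTH_HTTPONLY` line would also deserve a why-comment, since setting it to `False` hands the bearer token to any injected script: `# keep True unless a JS client must read the token; the token is also in the response body`. The method these lines belong to starts before the hunk.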
@@ -98,7 +98,7 @@ class LoginView(GenericAPIView):
 self.access_token,
 expires=expiration,
 secure=cookie_secure,
- httponly=True,
+ httponly=cookie_httponly,
 samesite=cookie_samesite
 )
 return response
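Review bot: The `set_cookie` call now honours all three settings independently, but `samesite='None'` combined with the `False` default for `JWT_AUTH_SECURE` produces a cookie that current browsers (Chrome 80+ and the others that followed) silently discard, so a cross-site SPA deployment that sets only `JWT_AUTH_SAMESITE = 'None'` ends up with no auth cookie and no error anywhere. A guard before the call makes the misconfiguration loud: `if cookie_samesite and cookie_samesite.lower() == 'none' and not cookie_secure: raise ImproperlyConfigured('JWT_AUTH_SAMESITE=None requires JWT_AUTH_SECURE=True')` (the `cookie_samesite and` part matters because a Python `None` is the legitimate way to omit the attribute). If a logout view elsewhere deletes this cookie, it presumably has to use matching `path`/`domain`/`samesite` for the deletion to take effect; that code is not in this diff. The `set_cookie(` line and the enclosing method start outside the hunk.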