Merge pull request #94 from chrsz/feature/jwt_secure_samesite

Added other optionals settings variables to JWT cookie
This commit is contained in:
Michael 2020-06-20 13:14:12 -05:00 committed by GitHub
commit 9dbbef4640
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 2 deletions

5
.gitignore vendored
View File

@ -107,4 +107,7 @@ venv.bak/
# mypy # mypy
.mypy_cache/ .mypy_cache/
demo/react-spa/node_modules/ demo/react-spa/node_modules/
demo/react-spa/yarn.lock demo/react-spa/yarn.lock
# Visual Studio Code
.vscode/

View File

@ -86,6 +86,9 @@ class LoginView(GenericAPIView):
response = Response(serializer.data, status=status.HTTP_200_OK) response = Response(serializer.data, status=status.HTTP_200_OK)
if getattr(settings, 'REST_USE_JWT', False): if getattr(settings, 'REST_USE_JWT', False):
cookie_name = getattr(settings, 'JWT_AUTH_COOKIE', None) cookie_name = getattr(settings, 'JWT_AUTH_COOKIE', None)
cookie_secure = getattr(settings, 'JWT_AUTH_SECURE', False)
cookie_httponly = getattr(settings, 'JWT_AUTH_HTTPONLY', True)
cookie_samesite = getattr(settings, 'JWT_AUTH_SAMESITE', 'Lax')
from rest_framework_simplejwt.settings import api_settings as jwt_settings from rest_framework_simplejwt.settings import api_settings as jwt_settings
if cookie_name: if cookie_name:
from datetime import datetime from datetime import datetime
@ -94,7 +97,9 @@ class LoginView(GenericAPIView):
cookie_name, cookie_name,
self.access_token, self.access_token,
expires=expiration, expires=expiration,
httponly=True secure=cookie_secure,
httponly=cookie_httponly,
samesite=cookie_samesite
) )
return response return response

View File

@ -48,6 +48,9 @@ Configuration
- **REST_USE_JWT** - Enable JWT Authentication instead of Token/Session based. This is built on top of djangorestframework-simplejwt https://github.com/SimpleJWT/django-rest-framework-simplejwt, which must also be installed. (default: False) - **REST_USE_JWT** - Enable JWT Authentication instead of Token/Session based. This is built on top of djangorestframework-simplejwt https://github.com/SimpleJWT/django-rest-framework-simplejwt, which must also be installed. (default: False)
- **JWT_AUTH_COOKIE** - The cookie name/key. - **JWT_AUTH_COOKIE** - The cookie name/key.
- **JWT_AUTH_SECURE** - If you want the cookie to be only sent to the server when a request is made with the https scheme (default: False).
- **JWT_AUTH_HTTPONLY** - If you want to prevent client-side JavaScript from having access to the cookie (default: True).
- **JWT_AUTH_SAMESITE** - To tell the browser not to send this cookie when performing a cross-origin request (default: 'Lax'). SameSite isnt supported by all browsers.
- **OLD_PASSWORD_FIELD_ENABLED** - set it to True if you want to have old password verification on password change enpoint (default: False) - **OLD_PASSWORD_FIELD_ENABLED** - set it to True if you want to have old password verification on password change enpoint (default: False)
- **LOGOUT_ON_PASSWORD_CHANGE** - set to False if you want to keep the current user logged in after a password change - **LOGOUT_ON_PASSWORD_CHANGE** - set to False if you want to keep the current user logged in after a password change