Merge pull request #94 from chrsz/feature/jwt_secure_samesite

Added other optional settings variables to the JWT cookie
Michael 2020-06-20 13:14:12 -05:00 committed by GitHub
commit 9dbbef4640
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 13 additions and 2 deletions

.gitignore vendored

@ -108,3 +108,6 @@ venv.bak/
.mypy_cache/
demo/react-spa/node_modules/
demo/react-spa/yarn.lock
# Visual Studio Code
.vscode/


@ -86,6 +86,9 @@ class LoginView(GenericAPIView):
response = Response(serializer.data, status=status.HTTP_200_OK)
if getattr(settings, 'REST_USE_JWT', False):
cookie_name = getattr(settings, 'JWT_AUTH_COOKIE', None)
cookie_secure = getattr(settings, 'JWT_AUTH_SECURE', False)
cookie_httponly = getattr(settings, 'JWT_AUTH_HTTPONLY', True)
cookie_samesite = getattr(settings, 'JWT_AUTH_SAMESITE', 'Lax')
from rest_framework_simplejwt.settings import api_settings as jwt_settings
if cookie_name:
from datetime import datetime
@ -94,7 +97,9 @@ class LoginView(GenericAPIView):
cookie_name,
self.access_token,
expires=expiration,
httponly=True
secure=cookie_secure,
httponly=cookie_httponly,
samesite=cookie_samesite
)
return response
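Review bot: The value read on `cookie_samesite = getattr(settings, 'JWT_AUTH_SAMESITE', 'Lax')` is passed to `set_cookie` unvalidated, and the one a cross-site SPA would need, `'None'`, is only accepted by Django 3.1+ (earlier releases raise ValueError at login time) and is discarded by current browsers unless the cookie also carries `Secure`, which `JWT_AUTH_SECURE` defaults to False on the line above it. A fail-fast check before the `set_cookie` call would turn that silent misconfiguration into a clear startup-style error, e.g. `if str(cookie_samesite).lower() == 'none' and not cookie_secure:` followed by `raise ImproperlyConfigured('JWT_AUTH_SAMESITE=None requires JWT_AUTH_SECURE=True')` (imported from django.core.exceptions). The README entry for JWT_AUTH_SAMESITE should likewise list the accepted values ('Lax', 'Strict', 'None') and state that 'None' requires JWT_AUTH_SECURE. The enclosing view method begins before the first hunk, and the `set_cookie` call in the second hunk opens above its first visible line.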


@ -48,6 +48,9 @@ Configuration
- **REST_USE_JWT** - Enable JWT Authentication instead of Token/Session based. This is built on top of djangorestframework-simplejwt https://github.com/SimpleJWT/django-rest-framework-simplejwt, which must also be installed. (default: False)
- **JWT_AUTH_COOKIE** - The cookie name/key.
- **JWT_AUTH_SECURE** - If you want the cookie to be only sent to the server when a request is made with the https scheme (default: False).
- **JWT_AUTH_HTTPONLY** - If you want to prevent client-side JavaScript from having access to the cookie (default: True).
- **JWT_AUTH_SAMESITE** - To tell the browser not to send this cookie when performing a cross-origin request (default: 'Lax'). SameSite isnt supported by all browsers.
- **OLD_PASSWORD_FIELD_ENABLED** - set it to True if you want to have old password verification on password change enpoint (default: False)
- **LOGOUT_ON_PASSWORD_CHANGE** - set to False if you want to keep the current user logged in after a password change