Merge pull request #94 from chrsz/feature/jwt_secure_samesite

Added other optionals settings variables to JWT cookie
2025-11-04 09:37:35 +03:00 · 2020-06-20 13:14:12 -05:00 · 2020-06-20 13:14:12 -05:00 · 9dbbef4640
commit 9dbbef4640
parent b79426533b f05abda5b0
3 changed files with 13 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -108,3 +108,6 @@ venv.bak/
 .mypy_cache/
 demo/react-spa/node_modules/
 demo/react-spa/yarn.lock
+
+# Visual Studio Code
+.vscode/
--- a/dj_rest_auth/views.py
+++ b/dj_rest_auth/views.py
@ -86,6 +86,9 @@ class LoginView(GenericAPIView):
        response = Response(serializer.data, status=status.HTTP_200_OK)
        if getattr(settings, 'REST_USE_JWT', False):
            cookie_name = getattr(settings, 'JWT_AUTH_COOKIE', None)
+            cookie_secure = getattr(settings, 'JWT_AUTH_SECURE', False)
+            cookie_httponly = getattr(settings, 'JWT_AUTH_HTTPONLY', True)
+            cookie_samesite = getattr(settings, 'JWT_AUTH_SAMESITE', 'Lax')
            from rest_framework_simplejwt.settings import api_settings as jwt_settings
            if cookie_name:
                from datetime import datetime
@ -94,7 +97,9 @@ class LoginView(GenericAPIView):
                    cookie_name,
                    self.access_token,
                    expires=expiration,
-                    httponly=True
+                    secure=cookie_secure,
+                    httponly=cookie_httponly,
+                    samesite=cookie_samesite
                )
        return response

--- a/docs/configuration.rst
+++ b/docs/configuration.rst
@ -48,6 +48,9 @@ Configuration

 - **REST_USE_JWT** - Enable JWT Authentication instead of Token/Session based. This is built on top of djangorestframework-simplejwt https://github.com/SimpleJWT/django-rest-framework-simplejwt, which must also be installed. (default: False)
 - **JWT_AUTH_COOKIE** - The cookie name/key.
+- **JWT_AUTH_SECURE** - If you want the cookie to be only sent to the server when a request is made with the https scheme (default: False).
+- **JWT_AUTH_HTTPONLY** - If you want to prevent client-side JavaScript from having access to the cookie (default: True).
+- **JWT_AUTH_SAMESITE** - To tell the browser not to send this cookie when performing a cross-origin request (default: 'Lax'). SameSite isn’t supported by all browsers.
 - **OLD_PASSWORD_FIELD_ENABLED** - set it to True if you want to have old password verification on password change enpoint (default: False)

 - **LOGOUT_ON_PASSWORD_CHANGE** - set to False if you want to keep the current user logged in after a password change