add JWT_AUTH_COOKIE_* settings paralleling django SESSION_COOKIE_* #29
Conversation
d-oh, the

Force-pushed from ce77103 to d1a5661.
I have added support for Django < 2.1
Codecov Report

@@            Coverage Diff            @@
##           master     #29     +/-   ##
========================================
- Coverage      100%   99.3%   -0.7%
========================================
  Files            8       8
  Lines          281     289      +8
  Branches        28      29      +1
========================================
+ Hits           281     287      +6
- Misses           0       1      +1
- Partials         0       1      +1
Thanks for the pull request 👍
Everything is in order. I've left a few comments for us to discuss for the sake of maintainability.
And please add a changelog.
Force-pushed from d1a5661 to 0190aa7.
@fitodic thank you very much for your comprehensive and helpful review. Thank you again

Force-pushed from 0190aa7 to 538d7e1.
Thanks for the changes. Everything is in order, apart from the two new questions regarding minor adjustments.
Once that's all cleared up, I'd be happy to merge it.
We add settings analogous to SESSION_COOKIE_* for the JWT cookie:

    'JWT_AUTH_COOKIE_DOMAIN': None
    'JWT_AUTH_COOKIE_PATH': '/'
    'JWT_AUTH_COOKIE_SECURE': True
    'JWT_AUTH_COOKIE_SAMESITE': 'Lax'

with the following differences to django:

* The HttpOnly attribute remains hardcoded as True in order to avoid unintended access from client code with addition of the Domain attribute.

These settings also apply to the recently added impersonation cookie.

BREAKING CHANGES with this patch:

This changes the default Secure attribute from False to True. Users wishing to use JWT cookies over http (as in no TLS) need to set JWT_AUTH_COOKIE_SECURE to False. This change is intentional to follow common best practice.

CHANGES:

Adds the default Samesite attribute 'Lax'
Force-pushed from 538d7e1 to 543108c.

Thanks for the pull request and the changes. I'll create the new release shortly so you can start using these changes right away.
We add settings analogous to SESSION_COOKIE_* for the JWT cookie, with the following differences to django:

* The HttpOnly attribute remains hardcoded as True in order to avoid unintended access from client code with addition of the Domain attribute.

BREAKING CHANGES with this patch:

This changes the default Secure attribute from False (actually None, as in not present in Set-Cookie) to True. Users wishing to use JWT cookies over http (as in no TLS) need to set JWT_AUTH_COOKIE_SECURE to False. This change is intentional to follow common best practice.

CHANGES:

Adds the default Samesite attribute Lax
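The following is an added example, not code from this pull request or from the project, that shows what the commit message and description above mean in terms of the actual Set-Cookie header: the four JWT_AUTH_COOKIE_* settings map onto cookie attributes, HttpOnly is never a setting and is always emitted, and switching JWT_AUTH_COOKIE_SECURE back to False reproduces the old default of simply omitting the Secure attribute. The cookie name "jwt", the settings dict and the helper function names are assumptions made for the illustration; it uses only the standard library (`http.cookies`, which supports the SameSite attribute on Python 3.8+), not Django's `HttpResponse.set_cookie`.

```python
from http.cookies import SimpleCookie
from typing import Dict, Optional

# Defaults mirroring the settings proposed in the pull request. The dict name,
# the cookie name "jwt" used below and the helper functions are assumptions of
# this added example, not the project's own code.
JWT_AUTH_COOKIE_DEFAULTS: Dict[str, object] = {
    "JWT_AUTH_COOKIE_DOMAIN": None,
    "JWT_AUTH_COOKIE_PATH": "/",
    "JWT_AUTH_COOKIE_SECURE": True,
    "JWT_AUTH_COOKIE_SAMESITE": "Lax",
}


def jwt_cookie_attributes(settings: Optional[Dict[str, object]] = None) -> Dict[str, object]:
    """Resolve the effective cookie attributes from user-supplied settings.

    Only the four JWT_AUTH_COOKIE_* keys are honoured. HttpOnly is not a
    setting at all: it is hardcoded to True, so a stray
    "JWT_AUTH_COOKIE_HTTPONLY" key in `settings` is ignored by construction.
    """
    merged = dict(JWT_AUTH_COOKIE_DEFAULTS)
    for key, value in (settings or {}).items():
        if key in merged:
            merged[key] = value
    return {
        "domain": merged["JWT_AUTH_COOKIE_DOMAIN"],
        "path": merged["JWT_AUTH_COOKIE_PATH"],
        "secure": bool(merged["JWT_AUTH_COOKIE_SECURE"]),
        "samesite": merged["JWT_AUTH_COOKIE_SAMESITE"],
        "httponly": True,  # hardcoded, as the pull request describes
    }


def build_set_cookie(name: str, value: str, settings: Optional[Dict[str, object]] = None) -> str:
    """Render the Set-Cookie header value for the JWT (or impersonation) cookie."""
    attrs = jwt_cookie_attributes(settings)
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = attrs["path"]
    if attrs["domain"]:  # None/"" means: no Domain attribute, i.e. a host-only cookie
        morsel["domain"] = attrs["domain"]
    morsel["secure"] = attrs["secure"]  # False -> attribute omitted (the old default)
    morsel["httponly"] = True
    if attrs["samesite"]:
        morsel["samesite"] = attrs["samesite"]
    return morsel.OutputString()


def set_cookie_attributes(header: str) -> Dict[str, Optional[str]]:
    """Parse the attribute part of a Set-Cookie header into a lower-cased dict.

    Flag attributes (Secure, HttpOnly) map to None; valued ones to their value.
    """
    parts = [p.strip() for p in header.split(";")]
    out: Dict[str, Optional[str]] = {}
    for part in parts[1:]:  # parts[0] is the name=value pair
        key, sep, val = part.partition("=")
        out[key.lower()] = val if sep else None
    return out


if __name__ == "__main__":
    # Constructed sample token value, not a real JWT.
    print(build_set_cookie("jwt", "example.token.value"))
    # Old behaviour (no TLS): Secure attribute disappears, HttpOnly stays.
    print(build_set_cookie("jwt", "example.token.value", {"JWT_AUTH_COOKIE_SECURE": False}))
```

Running the block prints the new default header (`HttpOnly; Path=/; SameSite=Lax; Secure`) followed by the pre-patch shape without `Secure`; the same function serves the impersonation cookie by passing its name, which is the point of the description's remark that the settings apply to both cookies.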