
Question: how to deal with CSRF token expiry/invalidation? #270

Closed
SHxKM opened this issue Sep 16, 2022 · 6 comments

Comments

@SHxKM

SHxKM commented Sep 16, 2022

Python Version

No response

Django Version

No response

Package Version

No response

Description

This is more a question than anything; maybe it's worth opening a Discussions tab here?

Scenario:

Logged in. Two tabs open. One has the form on it. On the second, the user logs out, and then logs back in. Tab 1's CSRF token is now invalid. Now the user goes to tab 1 and submits the form.

How do I handle this with HTMX? Right now I’m returning the form and replacing it with hx-swap, but when the above scenario occurs - the form gets swapped with the whole layout and the CSRF error view that handles this scenario.

So given that the form view is not even called and it's not another "form invalid" kind of error, what's the most HTMXy way to handle this?

@SHxKM SHxKM changed the title Question: how to deal with CSRF token expiry? Question: how to deal with CSRF token expiry/invalidation? Sep 16, 2022
@SHxKM
Author

SHxKM commented Sep 16, 2022

Of course the solution is to extract a partial and inside the CSRF failed view, return the partial (not the whole layout) if request.htmx.

@SHxKM SHxKM closed this as completed Sep 16, 2022
@adamchainz
Owner

You could also use OOB to inject a banner or whatever

Would you like to add a section to the tips docs?

@SHxKM
Author

SHxKM commented Sep 16, 2022

I’d be glad to give a little back.

Under which section would this go though? CSRF invalidation seems a bit too specific... my solution above is already covered by your "partials" examples. Are you talking specifically about OOB updates?

@adamchainz
Owner

I'd suggest a new section called “CSRF invalidation” in the “tips” section. We could try to cover a custom CSRF failure view with a request.htmx branch, and options for implementation, such as:

  1. send a client redirect response to login page
  2. trigger a client event
  3. send an OOB banner to tell the user the problem with a link to reload.

What do you think?

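The custom CSRF failure view with a `request.htmx` branch that adamchainz sketches above, together with the partial-instead-of-whole-layout split from the earlier comment, as an added example (not django-htmx's own code, nor code from this thread). The `strategy` parameter, the `csrfFailed` event name, the `csrf-banner` element id and the `/accounts/login/` URL are illustrative choices made here, not project conventions. The response-building logic is kept framework-free so it runs without Django installed; the thin Django wrapper at the bottom imports Django lazily.

```python
"""Custom CSRF failure handling for htmx requests (added example, not django-htmx code).

Django calls settings.CSRF_FAILURE_VIEW as view(request, reason="") whenever
CsrfViewMiddleware rejects a request, before the form view runs. For a plain
browser POST the full 403 page is fine; for an htmx request that page would be
swapped into the form's hx-target, so we answer with htmx headers or a partial.
"""
import html
import json
from dataclasses import dataclass, field


@dataclass
class FailureResponse:
    """Framework-neutral description of the response to send."""
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def build_csrf_failure(is_htmx, reason="", strategy="banner", login_url="/accounts/login/"):
    """Decide what a CSRF failure should return.

    strategy (assumed parameter, htmx requests only):
      "redirect" - option 1: HX-Redirect to the login page
      "event"    - option 2: HX-Trigger a client-side event with details
      "banner"   - option 3: out-of-band banner with a link to log in / reload
    """
    safe_reason = html.escape(reason or "CSRF verification failed.")

    if not is_htmx:
        # Plain browser submit: render the whole layout, as Django normally would.
        body = (
            "<html><body><h1>403 Forbidden</h1>"
            f"<p>{safe_reason}</p>"
            f'<a href="{login_url}">Log in again</a></body></html>'
        )
        return FailureResponse(403, body)

    if strategy == "redirect":
        # HX-Redirect makes htmx perform a full-page navigation. A plain 302
        # would be followed by the XHR and the login page swapped into the target.
        return FailureResponse(403, "", {"HX-Redirect": login_url})

    if strategy == "event":
        # HX-Trigger accepts JSON so the event can carry detail for a listener
        # (e.g. document.addEventListener("csrfFailed", ...)).
        payload = json.dumps({"csrfFailed": {"reason": reason, "login_url": login_url}})
        return FailureResponse(403, "", {"HX-Trigger": payload})

    if strategy == "banner":
        # Out-of-band element: htmx swaps it by id regardless of hx-target.
        # HX-Reswap: none keeps the original form in place; OOB items are still
        # processed with swap style "none". Note htmx skips swapping 4xx responses
        # unless a htmx:beforeSwap listener sets shouldSwap for status 403.
        body = (
            f'<div id="csrf-banner" hx-swap-oob="true" role="alert">'
            f'{safe_reason} <a href="{login_url}">Log in</a> or '
            f'<a href="">reload the page</a>.</div>'
        )
        return FailureResponse(403, body, {"HX-Reswap": "none"})

    raise ValueError(f"unknown strategy {strategy!r}")


def csrf_failure(request, reason=""):
    """Django view: settings.CSRF_FAILURE_VIEW = "myapp.views.csrf_failure" (assumed path).

    request.htmx is set by django_htmx.middleware.HtmxMiddleware; getattr keeps
    this working if the middleware is not installed.
    """
    from django.http import HttpResponse  # lazy import: module loads without Django

    result = build_csrf_failure(bool(getattr(request, "htmx", False)), reason, strategy="banner")
    response = HttpResponse(result.body, status=result.status)
    for name, value in result.headers.items():
        response[name] = value
    return response
```

The status stays 403 in every branch so logs and monitoring still see the rejection; HX-Redirect and HX-Trigger are honoured by htmx independently of the status code, but for the banner variant the body is only swapped if the page opts in to swapping 403 responses (a `htmx:beforeSwap` listener setting `shouldSwap`), otherwise return 200 for that branch. The `reason` string Django passes is escaped before it is placed in markup.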
@SHxKM
Author

SHxKM commented Sep 18, 2022

> I'd suggest a new section called "CSRF invalidation" in the "tips" section. We could try to cover a custom CSRF failure view with a request.htmx branch, and options for implementation, such as:
>
>   1. send a client redirect response to login page
>   2. trigger a client event
>   3. send an OOB banner to tell the user the problem with a link to reload.
>
> What do you think?

That's a good idea. I'll do my best to get to this by the weekend.

@SHxKM
Author

SHxKM commented Sep 24, 2022

> > I'd suggest a new section called "CSRF invalidation" in the "tips" section. We could try to cover a custom CSRF failure view with a request.htmx branch, and options for implementation, such as:
> >
> >   1. send a client redirect response to login page
> >   2. trigger a client event
> >   3. send an OOB banner to tell the user the problem with a link to reload.
> >
> > What do you think?
>
> That's a good idea. I'll do my best to get to this by the weekend.

Won’t have time for this in the next two weeks unfortunately. But it’s on my TODO right after that.
