

@BobReid BobReid commented Feb 20, 2019

Issue:

Django allows the CSRF cookie and header to be configured through the use of settings variables. graphene-django's implementation of GraphiQL does not respect these settings, which causes a CSRF failure.

Fix:
This PR fixes the issue by reading the values from the Django settings and using them in the GraphiQL template.

Repro:

  1. create graphene-django project
  2. set django setting CSRF_COOKIE_NAME and CSRF_HEADER_NAME to non standard values
  3. Launch graphiql

Expected:
GraphiQL works as expected (request / response pass and schema can be inspected)

Actual:
403 statuses are returned due to a CSRF failure
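The mismatch described above, as an added example that is not code from graphene-django or Django: Django keeps `CSRF_HEADER_NAME` in WSGI `META` form (default `HTTP_X_CSRFTOKEN`) and `CSRF_COOKIE_NAME` as a plain cookie name (default `csrftoken`), so a GraphiQL page that hard-codes `csrftoken` / `X-CSRFToken` stops matching once either setting is changed. The `csrf_check` function is a simplified model of the middleware, and `CUSTOM_SETTINGS` holds constructed values.

```python
# Added example, not graphene-django's or Django's code. It models the mismatch the PR
# describes: Django stores CSRF_HEADER_NAME in WSGI META form ("HTTP_X_CSRFTOKEN"),
# and the GraphiQL JavaScript must read the cookie named CSRF_COOKIE_NAME and send the
# matching HTTP header, otherwise the middleware finds no token and returns 403.

DEFAULT_SETTINGS = {"CSRF_COOKIE_NAME": "csrftoken", "CSRF_HEADER_NAME": "HTTP_X_CSRFTOKEN"}
CUSTOM_SETTINGS = {"CSRF_COOKIE_NAME": "my_csrf", "CSRF_HEADER_NAME": "HTTP_X_MY_CSRF"}  # constructed

def meta_key(http_header):
    """WSGI/Django META key for a request header: 'X-CSRFToken' -> 'HTTP_X_CSRFTOKEN'."""
    return "HTTP_" + http_header.upper().replace("-", "_")

def http_header_name(meta_name):
    """Inverse mapping: the header name the browser must send for a CSRF_HEADER_NAME
    value, e.g. 'HTTP_X_CSRFTOKEN' -> 'X-CSRFTOKEN' (header names are case-insensitive)."""
    return meta_name.replace("HTTP_", "", 1).replace("_", "-")

def graphiql_csrf_context(settings):
    """Template context carrying the configured names, as the PR proposes, so the
    GraphiQL page does not hard-code 'csrftoken' / 'X-CSRFToken'."""
    return {
        "csrf_cookie_name": settings["CSRF_COOKIE_NAME"],
        "csrf_header_name": http_header_name(settings["CSRF_HEADER_NAME"]),
    }

def csrf_check(settings, cookies, headers):
    """Simplified model of Django's CSRF middleware for a POST: the token in the
    configured cookie must be present and equal the token in the configured header.
    (Real Django also unmasks tokens and compares them in constant time.)"""
    meta = {meta_key(name): value for name, value in headers.items()}
    cookie_token = cookies.get(settings["CSRF_COOKIE_NAME"])
    header_token = meta.get(settings["CSRF_HEADER_NAME"])
    return cookie_token is not None and cookie_token == header_token

def graphiql_post_passes(settings, respect_settings):
    """Does a GraphiQL query POST pass the CSRF check? The server set the cookie under
    CSRF_COOKIE_NAME; the page JS either hard-codes the defaults or uses the context."""
    cookies = {settings["CSRF_COOKIE_NAME"]: "tok-constructed"}
    if respect_settings:
        ctx = graphiql_csrf_context(settings)
        cookie_name, header_name = ctx["csrf_cookie_name"], ctx["csrf_header_name"]
    else:
        cookie_name, header_name = "csrftoken", "X-CSRFToken"
    token = cookies.get(cookie_name)
    headers = {header_name: token} if token is not None else {}
    return csrf_check(settings, cookies, headers)
```

With the default settings both page variants pass; with the custom settings only the context-driven page passes, which is the 403 the repro steps describe.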

@coveralls

Coverage Status

Coverage increased (+0.03%) to 94.547% when pulling c8db1fe on GetResQ:make_csrf_token_configurable into f76f38e on graphql-python:master.

@dulmandakh
Contributor

@BobReid hey, could you please rebase or resolve the conflicts? I would like to test and review your changes. Thank you.

@stale

stale bot commented Jul 21, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Jul 21, 2019
@jkimbo jkimbo removed the wontfix label Jul 25, 2019
@BobReid
Author

BobReid commented Aug 8, 2019

@dulmandakh

I was going to rebase these changes, but it looks like the GraphiQL JavaScript has been extracted from the HTML template and placed into a static file. This refactor is incompatible with my approach because I was relying on running the JavaScript through the templating engine in order to set the header name dynamically.

I could stuff the header name in a global JS variable in the HTML template and read it in the GraphiQL script. It is ugly but would work.

Thoughts?

@stale

stale bot commented Oct 7, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Oct 7, 2019
@stale stale bot closed this Oct 14, 2019