The current csrftoken parser breaks on multiple crsftokens

[allen-munsch]

Which causes 403 errors.

For example:

Cookie: csrftoken=asdfasd; sessionid=asdfasdf; csrftoken=qwertyqwerty

This can happen when multiple csrftokens for different paths.

[allen-munsch]

related: #585

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[jkimbo]

@allen-munsch can you elaborate more on why there would be multiple csrf tokens set?My understanding is that there should only be 1 token set at any time.

[jkimbo]

There could be other reasons why the GraphQL endpoint doesn't return valid JSON so always assuming it's to do with a csrf token issue doesn't feel right.

[allen-munsch]

@jkimbo see: https://stackoverflow.com/questions/576535/cookie-path-and-its-accessibility-to-subfolder-pages

From what I understand, the cookie sub path /2/m/2 would have both it's subpath cookie and the root path cookie. /.

The two paths have different database multitenancy requirements. It would probably be more accurate to read the cookie path directly, instead of just reading, checking them all?

[jkimbo]

Yes I understand that cookies can have different paths but looking at the Django source code the csrf cookie should be set to a path that is defined in the settings: https://github.com/django/django/blob/5a68f024987e6d16c2626a31bf653a2edddea579/django/middleware/csrf.py#L191

So I don't think it's possible to have 2 csrf cookies at the same time and I'm wondering how that came about?

[allen-munsch]

endpoints per multi tenancy. localhost:8000/:multitenantid/endpoints/here so multiple users can get different csrftoken cookies on a single machine ... it's not the default of django, but it is a real use case.

[jkimbo]

Ah I didn't realise that was possible! Could you not host the graphql endpoint per tenant as well or those that not work?