Merge pull request #1566 from open-zaak/sjoerdie-feature/csrf-trusted…

…-origins-var Sjoerdie feature/csrf trusted origins var
open-zaak · Feb 2, 2024 · db555f7 · db555f7
2 parents 33db8be + d0c1681
commit db555f7
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/docs/installation/reference/logging.rst b/docs/installation/reference/logging.rst
@@ -39,7 +39,7 @@ of the error are sent to the Sentry project, with context.
     the request context.
 
 For documentation on how to set up a project in Sentry, please refer to the official
-`documentation`_ (make sure to follow the instructions for the platform Python > Django).
+documentation (make sure to follow the instructions for the platform Python > Django).
 
 After setting up the project, you will receive a **DSN**, which is the URL to which
 exceptions will be sent (e.g. https://e95a42137e6042c59d19376e566f027a@sentry.openzaak.nl/104).
@@ -48,7 +48,6 @@ The created Sentry project can be linked to Open Zaak by setting the environment
 variable ``SENTRY_DSN`` equal to this DSN.
 
 .. _`Sentry`: https://sentry.io/
-.. _`documentation`: https://docs.sentry.io/guides/getting-started/
 
 
 Viewing nginx logs

diff --git a/src/openzaak/conf/includes/base.py b/src/openzaak/conf/includes/base.py
@@ -13,7 +13,7 @@
 
 from ...utils.monitoring import filter_sensitive_data
 from .api import *  # noqa
-from .environ import config, get_sentry_integrations
+from .environ import config, get_sentry_integrations, strip_protocol_from_origin
 from .plugins import PLUGIN_INSTALLED_APPS
 
 # Build paths inside the project, so further paths can be defined relative to
@@ -604,7 +604,16 @@
 # Django's SESSION_COOKIE_SAMESITE = "Lax" prevents session cookies from being sent
 # cross-domain. There is no need for these cookies to be sent, since the API itself
 # uses Bearer Authentication.
-
+# we can't easily derive this from django-cors-headers, see also
+# https://pypi.org/project/django-cors-headers/#csrf-integration
+#
+# So we do a best effort attempt at re-using configuration parameters, with an escape
+# hatch to override it.
+CSRF_TRUSTED_ORIGINS = config(
+    "CSRF_TRUSTED_ORIGINS",
+    split=True,
+    default=[strip_protocol_from_origin(origin) for origin in CORS_ALLOWED_ORIGINS],
+)
 #
 # DJANGO-PRIVATES -- safely serve files after authorization
 #

diff --git a/src/openzaak/conf/includes/environ.py b/src/openzaak/conf/includes/environ.py
@@ -1,5 +1,7 @@
 # SPDX-License-Identifier: EUPL-1.2
 # Copyright (C) 2019 - 2020 Dimpact
+from urllib.parse import urlparse
+
 from decouple import Csv, config as _config, undefined
 from sentry_sdk.integrations import DidNotEnable, django, redis
 
@@ -34,3 +36,8 @@ def get_sentry_integrations() -> list:
         extra.append(celery.CeleryIntegration())
 
     return [*default, *extra]
+
+
+def strip_protocol_from_origin(origin: str) -> str:
+    parsed = urlparse(origin)
+    return parsed.netloc