Skip to content

Commit

Permalink
root: remove custom CSRF middleware
Browse files Browse the repository at this point in the history
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
  • Loading branch information
BeryJu committed Oct 21, 2024
1 parent 78b554b commit 0abe4ec
Show file tree
Hide file tree
Showing 2 changed files with 5 additions and 29 deletions.
29 changes: 3 additions & 26 deletions authentik/root/middleware.py
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,6 @@
from django.contrib.sessions.middleware import SessionMiddleware as UpstreamSessionMiddleware
from django.http.request import HttpRequest
from django.http.response import HttpResponse, HttpResponseServerError
from django.middleware.csrf import CSRF_SESSION_KEY
from django.middleware.csrf import CsrfViewMiddleware as UpstreamCsrfViewMiddleware
from django.utils.cache import patch_vary_headers
from django.utils.http import http_date
from jwt import PyJWTError, decode, encode
Expand All @@ -41,7 +39,9 @@ def is_secure(request: HttpRequest) -> bool:
# Since go does not consider localhost with http a secure origin
# we can't set the secure flag.
user_agent = request.META.get("HTTP_USER_AGENT", "")
if user_agent.startswith("goauthentik.io/outpost/") or "safari" in user_agent.lower():
if user_agent.startswith("goauthentik.io/outpost/") or (

Check warning on line 42 in authentik/root/middleware.py

View check run for this annotation

Codecov / codecov/patch

authentik/root/middleware.py#L42

Added line #L42 was not covered by tests
"safari" in user_agent.lower() and "chrome" not in user_agent.lower()
):
return False
return True
return False
Expand Down Expand Up @@ -137,29 +137,6 @@ def process_response(self, request: HttpRequest, response: HttpResponse) -> Http
return response


class CsrfViewMiddleware(UpstreamCsrfViewMiddleware):
"""Dynamically set secure depending if the upstream connection is TLS or not"""

def _set_csrf_cookie(self, request: HttpRequest, response: HttpResponse):
if settings.CSRF_USE_SESSIONS:
if request.session.get(CSRF_SESSION_KEY) != request.META["CSRF_COOKIE"]:
request.session[CSRF_SESSION_KEY] = request.META["CSRF_COOKIE"]
else:
secure = SessionMiddleware.is_secure(request)
response.set_cookie(
settings.CSRF_COOKIE_NAME,
request.META["CSRF_COOKIE"],
max_age=settings.CSRF_COOKIE_AGE,
domain=settings.CSRF_COOKIE_DOMAIN,
path=settings.CSRF_COOKIE_PATH,
secure=secure,
httponly=settings.CSRF_COOKIE_HTTPONLY,
samesite=settings.CSRF_COOKIE_SAMESITE,
)
# Set the Vary header since content varies with the CSRF cookie.
patch_vary_headers(response, ("Cookie",))


class ClientIPMiddleware:
"""Set a "known-good" client IP on the request, by default based off of x-forwarded-for
which is set by the go proxy, but also allowing the remote IP to be overridden by an outpost
Expand Down
5 changes: 2 additions & 3 deletions authentik/root/settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@

CSRF_COOKIE_NAME = "authentik_csrf"
CSRF_HEADER_NAME = "HTTP_X_AUTHENTIK_CSRF"
CSRF_COOKIE_SECURE = True
LANGUAGE_COOKIE_NAME = "authentik_language"
SESSION_COOKIE_NAME = "authentik_session"
SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)
Expand Down Expand Up @@ -251,7 +252,7 @@
"authentik.events.middleware.AuditMiddleware",
"django.middleware.security.SecurityMiddleware",
"django.middleware.common.CommonMiddleware",
"authentik.root.middleware.CsrfViewMiddleware",
"django.middleware.csrf.CsrfViewMiddleware",
"django.contrib.messages.middleware.MessageMiddleware",
"django.middleware.clickjacking.XFrameOptionsMiddleware",
"authentik.core.middleware.ImpersonateMiddleware",
Expand Down Expand Up @@ -488,8 +489,6 @@
]

SILENCED_SYSTEM_CHECKS = [
# We use our own subclass of django.middleware.csrf.CsrfViewMiddleware
"security.W003",
# We don't set SESSION_COOKIE_SECURE since we use a custom SessionMiddleware subclass
"security.W010",
# HSTS: This is configured in reverse proxies/the go proxy, not in django
Expand Down

0 comments on commit 0abe4ec

Please sign in to comment.