From 0abe4ec0ac8679fdd60e16d135f7745693a9962c Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Mon, 21 Oct 2024 13:19:59 +0200
Subject: [PATCH] root: remove custom CSRF middleware
Signed-off-by: Jens Langhammer
---
 authentik/root/middleware.py | 29 +++--------------------------
 authentik/root/settings.py | 5 ++---
 2 files changed, 5 insertions(+), 29 deletions(-)
diff --git a/authentik/root/middleware.py b/authentik/root/middleware.py
index 05f269e443f1..4e5c6627fcf7 100644
--- a/authentik/root/middleware.py
+++ b/authentik/root/middleware.py
@@ -13,8 +13,6 @@
 from django.contrib.sessions.middleware import SessionMiddleware as UpstreamSessionMiddleware
 from django.http.request import HttpRequest
 from django.http.response import HttpResponse, HttpResponseServerError
-from django.middleware.csrf import CSRF_SESSION_KEY
-from django.middleware.csrf import CsrfViewMiddleware as UpstreamCsrfViewMiddleware
 from django.utils.cache import patch_vary_headers
 from django.utils.http import http_date
 from jwt import PyJWTError, decode, encode
@@ -41,7 +39,9 @@ def is_secure(request: HttpRequest) -> bool:
             # Since go does not consider localhost with http a secure origin
             # we can't set the secure flag.
             user_agent = request.META.get("HTTP_USER_AGENT", "")
-            if user_agent.startswith("goauthentik.io/outpost/") or "safari" in user_agent.lower():
+            if user_agent.startswith("goauthentik.io/outpost/") or (
+                "safari" in user_agent.lower() and "chrome" not in user_agent.lower()
+            ):
                 return False
             return True
         return False
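Review bot: `user_agent.lower()` is evaluated twice in the new condition; binding it once before the `if`, `lowered = user_agent.lower()`, and testing `"safari" in lowered and "chrome" not in lowered` reads cleaner and keeps the two substring checks visibly on the same value. A comment on why Chrome is carved out would also help, since the reason is not stated anywhere in the hunk, e.g. `# Chrome's User-Agent also contains "Safari", so only exclude genuine Safari here`. Note that User-Agent is client-supplied, so the secure-flag decision taken in this branch can be steered by the client; the comment on the first context line indicates the branch only covers localhost over plain http, which presumably bounds the impact, but that limit is established outside the hunk. The enclosing is_secure body starts outside the hunk.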
@@ -137,29 +137,6 @@ def process_response(self, request: HttpRequest, response: HttpResponse) -> Http
         return response
 
 
-class CsrfViewMiddleware(UpstreamCsrfViewMiddleware):
-    """Dynamically set secure depending if the upstream connection is TLS or not"""
-
-    def _set_csrf_cookie(self, request: HttpRequest, response: HttpResponse):
-        if settings.CSRF_USE_SESSIONS:
-            if request.session.get(CSRF_SESSION_KEY) != request.META["CSRF_COOKIE"]:
-                request.session[CSRF_SESSION_KEY] = request.META["CSRF_COOKIE"]
-        else:
-            secure = SessionMiddleware.is_secure(request)
-            response.set_cookie(
-                settings.CSRF_COOKIE_NAME,
-                request.META["CSRF_COOKIE"],
-                max_age=settings.CSRF_COOKIE_AGE,
-                domain=settings.CSRF_COOKIE_DOMAIN,
-                path=settings.CSRF_COOKIE_PATH,
-                secure=secure,
-                httponly=settings.CSRF_COOKIE_HTTPONLY,
-                samesite=settings.CSRF_COOKIE_SAMESITE,
-            )
-            # Set the Vary header since content varies with the CSRF cookie.
-            patch_vary_headers(response, ("Cookie",))
-
-
 class ClientIPMiddleware:
     """Set a "known-good" client IP on the request, by default based off of x-forwarded-for
     which is set by the go proxy, but also allowing the remote IP to be overridden by an outpost
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index 8b3c7666b3cf..fb3710c1cae4 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -34,6 +34,7 @@
 CSRF_COOKIE_NAME = "authentik_csrf"
 CSRF_HEADER_NAME = "HTTP_X_AUTHENTIK_CSRF"
+CSRF_COOKIE_SECURE = True
 LANGUAGE_COOKIE_NAME = "authentik_language"
 SESSION_COOKIE_NAME = "authentik_session"
 SESSION_COOKIE_DOMAIN = CONFIG.get("cookie_domain", None)
 
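Review bot: `CSRF_COOKIE_SECURE = True` makes the CSRF cookie unconditionally Secure, while the session cookie's flag is still decided per request by the custom SessionMiddleware (the `security.W010` silence in the later hunk stays), so the two cookies now diverge exactly in the cases the removed `_set_csrf_cookie` routed through `SessionMiddleware.is_secure`: a Safari or outpost user agent on localhost over plain http may no longer receive a usable CSRF cookie. If that is intended — most browsers treat localhost as a secure context, and an outpost presumably has no use for a CSRF cookie — record it next to the setting, e.g. `# Always Secure: the per-request exemption the former custom CsrfViewMiddleware applied via SessionMiddleware.is_secure was dropped deliberately`. Whether the stock CsrfViewMiddleware treats TLS-terminated requests from the go proxy as secure (its Referer fallback check applies only to requests Django considers secure) depends on how request.is_secure() is derived, e.g. SECURE_PROXY_SSL_HEADER, which this diff does not show; worth confirming that is configured for the proxy.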
@@ -251,7 +252,7 @@
     "authentik.events.middleware.AuditMiddleware",
     "django.middleware.security.SecurityMiddleware",
     "django.middleware.common.CommonMiddleware",
-    "authentik.root.middleware.CsrfViewMiddleware",
+    "django.middleware.csrf.CsrfViewMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "authentik.core.middleware.ImpersonateMiddleware",
@@ -488,8 +489,6 @@
 ]
 
 SILENCED_SYSTEM_CHECKS = [
-    # We use our own subclass of django.middleware.csrf.CsrfViewMiddleware
-    "security.W003",
     # We don't set SESSION_COOKIE_SECURE since we use a custom SessionMiddleware subclass
     "security.W010",
     # HSTS: This is configured in reverse proxies/the go proxy, not in django