fix: fix CSRF configuration (#581)

openfoodfacts · Nov 27, 2024 · 5887073 · 5887073
1 parent 1a59b1e
commit 5887073
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 0 deletions.
diff --git a/.env b/.env
@@ -11,6 +11,8 @@ TAG=latest
 
 ALLOWED_HOSTS=localhost,127.0.0.1
 
+CSRF_TRUSTED_ORIGINS=http://localhost:8000
+
 API_PORT=127.0.0.1:8000
 
 # authentication server

diff --git a/.github/workflows/container-deploy.yml b/.github/workflows/container-deploy.yml
@@ -37,11 +37,13 @@ jobs:
       run: |
         echo "SSH_HOST=10.1.0.200" >> $GITHUB_ENV
         echo "ENVIRONMENT=net" >> $GITHUB_ENV
+        echo "CSRF_TRUSTED_ORIGINS=https://prices.openfoodfacts.net" >> $GITHUB_ENV
     - name: Set various variable for production deployment
       if: matrix.env == 'open-prices-org'
       run: |
         echo "SSH_HOST=10.1.0.201" >> $GITHUB_ENV
         echo "ENVIRONMENT=org" >> $GITHUB_ENV
+        echo "CSRF_TRUSTED_ORIGINS=https://prices.openfoodfacts.org" >> $GITHUB_ENV
     - name: Wait for docker image container build workflow
       uses: tomchv/wait-my-workflow@v1.1.0
       id: wait-build
@@ -117,6 +119,7 @@ jobs:
           echo "API_PORT=8190" >> .env
           echo "DEBUG=False" >> .env
           echo 'ALLOWED_HOSTS=openfoodfacts-explorer.vercel.app,prices.openfoodfacts.net,prices.openfoodfacts.org' >> .env
+          echo "CSRF_TRUSTED_ORIGINS=${{ env.CSRF_TRUSTED_ORIGINS }}" >> .env
           echo "OAUTH2_SERVER_URL=https://world.openfoodfacts.org/cgi/auth.pl" >> .env
           echo "SECRET_KEY=${{ secrets.DJANGO_SECRET_KEY }}" >> .env
           echo "SENTRY_DSN=${{ secrets.SENTRY_DSN }}" >> .env

diff --git a/.gitignore b/.gitignore
@@ -141,4 +141,7 @@ dmypy.json
 
 www/app
 www/img/*/*
+www/static/admin
+www/static/django_extensions
+www/static/rest_framework
 gh_pages
diff --git a/config/settings.py b/config/settings.py
@@ -20,6 +20,9 @@
 
 ALLOWED_HOSTS = [x.strip() for x in os.getenv("ALLOWED_HOSTS", "").split(",")]
 
+# CSRF trusted origins is only used for admin interface, as the rest of
+# front-end is using Vue.js and Django REST Framework
+CSRF_TRUSTED_ORIGINS = os.getenv("CSRF_TRUSTED_ORIGINS", "").split(",")
 
 # App config
 # ------------------------------------------------------------------------------

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -10,6 +10,7 @@ x-api-common: &api-common
     - SECRET_KEY
     - DEBUG
     - ALLOWED_HOSTS
+    - CSRF_TRUSTED_ORIGINS
     - OAUTH2_SERVER_URL
     - SENTRY_DSN
     - LOG_LEVEL