From 5887073b79cfee91be928302b6ab22058a3c01d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Bournhonesque?=
Date: Wed, 27 Nov 2024 09:43:23 +0100
Subject: [PATCH] fix: fix CSRF configuration (#581)
---
 .env | 2 ++
 .github/workflows/container-deploy.yml | 3 +++
 .gitignore | 3 +++
 config/settings.py | 3 +++
 docker-compose.yml | 1 +
 5 files changed, 12 insertions(+)
diff --git a/.env b/.env
index b35aaf92..3cc38d57 100644
--- a/.env
+++ b/.env
@@ -11,6 +11,8 @@ TAG=latest
 ALLOWED_HOSTS=localhost,127.0.0.1
+CSRF_TRUSTED_ORIGINS=http://localhost:8000
+
 API_PORT=127.0.0.1:8000
 # authentication server
diff --git a/.github/workflows/container-deploy.yml b/.github/workflows/container-deploy.yml
index ac7a9a6d..732d69ec 100644
--- a/.github/workflows/container-deploy.yml
+++ b/.github/workflows/container-deploy.yml
@@ -37,11 +37,13 @@ jobs:
 run: |
 echo "SSH_HOST=10.1.0.200" >> $GITHUB_ENV
 echo "ENVIRONMENT=net" >> $GITHUB_ENV
+ echo "CSRF_TRUSTED_ORIGINS=https://prices.openfoodfacts.net" >> $GITHUB_ENV
 - name: Set various variable for production deployment
 if: matrix.env == 'open-prices-org'
 run: |
 echo "SSH_HOST=10.1.0.201" >> $GITHUB_ENV
 echo "ENVIRONMENT=org" >> $GITHUB_ENV
+ echo "CSRF_TRUSTED_ORIGINS=https://prices.openfoodfacts.org" >> $GITHUB_ENV
 - name: Wait for docker image container build workflow
 uses: tomchv/wait-my-workflow@v1.1.0
 id: wait-build
@@ -117,6 +119,7 @@ jobs:
 echo "API_PORT=8190" >> .env
 echo "DEBUG=False" >> .env
 echo 'ALLOWED_HOSTS=openfoodfacts-explorer.vercel.app,prices.openfoodfacts.net,prices.openfoodfacts.org' >> .env
+ echo "CSRF_TRUSTED_ORIGINS=${{ env.CSRF_TRUSTED_ORIGINS }}" >> .env
 echo "OAUTH2_SERVER_URL=https://world.openfoodfacts.org/cgi/auth.pl" >> .env
 echo "SECRET_KEY=${{ secrets.DJANGO_SECRET_KEY }}" >> .env
 echo "SENTRY_DSN=${{ secrets.SENTRY_DSN }}" >> .env
diff --git a/.gitignore b/.gitignore
index f76b1ded..3461b390 100644
--- a/.gitignore
+++ b/.gitignore
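Review bot: The added `echo "CSRF_TRUSTED_ORIGINS=${{ env.CSRF_TRUSTED_ORIGINS }}" >> .env` line writes an empty value whenever the variable was not exported earlier in the job, which from the visible steps is the case for any matrix entry other than the two branches in the first hunk (the first branch's `if:` sits above that hunk, so its condition is inferred from the second). An empty `CSRF_TRUSTED_ORIGINS=` in .env reaches `config/settings.py`, where `.split(",")` turns it into `[""]` rather than "no trusted origins". If this step runs in the same job shell, reading the exported variable through a shell expansion that refuses an empty value — `echo "CSRF_TRUSTED_ORIGINS=${CSRF_TRUSTED_ORIGINS:?not set for this matrix env}" >> .env` — turns a missing mapping into a visible deployment failure and keeps the value out of `${{ }}` template expansion into the shell line, though the two literal origins set here are not attacker-controlled.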
@@ -141,4 +141,7 @@ dmypy.json
 www/app
 www/img/*/*
+www/static/admin
+www/static/django_extensions
+www/static/rest_framework
 gh_pages
diff --git a/config/settings.py b/config/settings.py
index 9f88321e..5d330388 100644
--- a/config/settings.py
+++ b/config/settings.py
@@ -20,6 +20,9 @@
 ALLOWED_HOSTS = [x.strip() for x in os.getenv("ALLOWED_HOSTS", "").split(",")]
+# CSRF trusted origins is only used for admin interface, as the rest of
+# front-end is using Vue.js and Django REST Framework
+CSRF_TRUSTED_ORIGINS = os.getenv("CSRF_TRUSTED_ORIGINS", "").split(",")
 # App config
 # ------------------------------------------------------------------------------
diff --git a/docker-compose.yml b/docker-compose.yml
index a53fe3b4..9c930324 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,6 +10,7 @@ x-api-common: &api-common
 - SECRET_KEY
 - DEBUG
 - ALLOWED_HOSTS
+ - CSRF_TRUSTED_ORIGINS
 - OAUTH2_SERVER_URL
 - SENTRY_DSN
 - LOG_LEVEL
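Review bot: `CSRF_TRUSTED_ORIGINS = os.getenv("CSRF_TRUSTED_ORIGINS", "").split(",")` produces `[""]` when the variable is unset or empty and keeps surrounding whitespace on each entry, unlike the `ALLOWED_HOSTS` line directly above it in the same hunk. Django 4.0+ ships a compatibility system check that reports an error for any trusted origin lacking a scheme (`"://"`), so an empty entry fails `manage.py check` and the management commands that run checks (e.g. `migrate`) instead of being ignored; the pinned Django version is not on this page, so confirm against it. Mirroring the `ALLOWED_HOSTS` idiom fixes both points in one line: `CSRF_TRUSTED_ORIGINS = [x.strip() for x in os.getenv("CSRF_TRUSTED_ORIGINS", "").split(",") if x.strip()]`. The new comment would also benefit from stating why same-origin admin requests needed an explicit trusted-origin list at all: if production terminates TLS at a proxy, the usual root cause is Django reconstructing the request origin as `http://`, which `SECURE_PROXY_SSL_HEADER` addresses — that is inferred, since the proxy setup is not visible in this patch.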