root: rework CSRF middleware to set secure flag (#11753)

root: remove custom CSRF middleware

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens L.
2024-10-23 13:59:02 +02:00
committed by GitHub
parent 3c0a8f4641
commit d3ebfcaf2f
3 changed files with 8 additions and 8 deletions


@ -5,7 +5,6 @@ from channels.sessions import CookieMiddleware
from django.conf import settings from django.conf import settings
from django.contrib.auth.decorators import login_required from django.contrib.auth.decorators import login_required
from django.urls import path from django.urls import path
from django.views.decorators.csrf import ensure_csrf_cookie
from authentik.core.api.applications import ApplicationViewSet from authentik.core.api.applications import ApplicationViewSet
from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@ -44,19 +43,19 @@ urlpatterns = [
# Interfaces # Interfaces
path( path(
"if/admin/", "if/admin/",
ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/admin.html")), BrandDefaultRedirectView.as_view(template_name="if/admin.html"),
name="if-admin", name="if-admin",
), ),
path( path(
"if/user/", "if/user/",
ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/user.html")), BrandDefaultRedirectView.as_view(template_name="if/user.html"),
name="if-user", name="if-user",
), ),
path( path(
"if/flow/<slug:flow_slug>/", "if/flow/<slug:flow_slug>/",
# FIXME: move this url to the flows app...also will cause all # FIXME: move this url to the flows app...also will cause all
# of the reverse calls to be adjusted # of the reverse calls to be adjusted
ensure_csrf_cookie(FlowInterfaceView.as_view()), FlowInterfaceView.as_view(),
name="if-flow", name="if-flow",
), ),
# Fallback for WS # Fallback for WS
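Review bot: With `ensure_csrf_cookie` dropped from the `if/admin/`, `if/user/` and `if/flow/<slug:flow_slug>/` routes, nothing visible in this commit guarantees that the CSRF cookie is issued when one of these interfaces is first rendered; the single-page frontends served here presumably read the `csrftoken` cookie to populate the `X-CSRFToken` header on API requests, so a first page load without the cookie would make the first state-changing request fail Django's CSRF check. The commit title says the middleware is reworked to set the cookie, but none of the three hunks on this page shows a middleware setting the token unconditionally, so please confirm that is in place (or keep the decorator) and add a short comment above the `# Interfaces` group such as `# CSRF cookie is issued by the middleware, so no ensure_csrf_cookie here`. The same removal is made in the RAC urls for the `application/rac/<slug:app>/<uuid:endpoint>/` and `if/rac/<str:token>/` routes and needs the same confirmation. The `urlpatterns` list begins before this hunk.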


@ -3,7 +3,6 @@
from channels.auth import AuthMiddleware from channels.auth import AuthMiddleware
from channels.sessions import CookieMiddleware from channels.sessions import CookieMiddleware
from django.urls import path from django.urls import path
from django.views.decorators.csrf import ensure_csrf_cookie
from authentik.enterprise.providers.rac.api.connection_tokens import ConnectionTokenViewSet from authentik.enterprise.providers.rac.api.connection_tokens import ConnectionTokenViewSet
from authentik.enterprise.providers.rac.api.endpoints import EndpointViewSet from authentik.enterprise.providers.rac.api.endpoints import EndpointViewSet
@ -19,12 +18,12 @@ from authentik.root.middleware import ChannelsLoggingMiddleware
urlpatterns = [ urlpatterns = [
path( path(
"application/rac/<slug:app>/<uuid:endpoint>/", "application/rac/<slug:app>/<uuid:endpoint>/",
ensure_csrf_cookie(RACStartView.as_view()), RACStartView.as_view(),
name="start", name="start",
), ),
path( path(
"if/rac/<str:token>/", "if/rac/<str:token>/",
ensure_csrf_cookie(RACInterface.as_view()), RACInterface.as_view(),
name="if-rac", name="if-rac",
), ),
] ]


@ -41,7 +41,9 @@ class SessionMiddleware(UpstreamSessionMiddleware):
# Since go does not consider localhost with http a secure origin # Since go does not consider localhost with http a secure origin
# we can't set the secure flag. # we can't set the secure flag.
user_agent = request.META.get("HTTP_USER_AGENT", "") user_agent = request.META.get("HTTP_USER_AGENT", "")
if user_agent.startswith("goauthentik.io/outpost/") or "safari" in user_agent.lower(): if user_agent.startswith("goauthentik.io/outpost/") or (
"safari" in user_agent.lower() and "chrome" not in user_agent.lower()
):
return False return False
return True return True
return False return False
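Review bot: The rewritten condition calls `user_agent.lower()` twice and leaves the Safari exemption and the new Chrome exclusion undocumented, while the comment above it only explains the Go outpost case; Chrome's User-Agent also contains the token "Safari", which appears to be why `"chrome" not in` was added. I would hoist the lowercased string and state the reason inline: `ua = user_agent.lower()`, then `# Chrome's UA also contains "Safari"; only exempt real Safari` and `if user_agent.startswith("goauthentik.io/outpost/") or ("safari" in ua and "chrome" not in ua):`, plus a sentence in the existing comment on why Safari itself cannot receive the Secure flag. Because the User-Agent is client-supplied, the comment should also note that this check only relaxes the Secure flag on the requesting client's own session cookie and must not be reused as a trust signal elsewhere. The enclosing method starts before this hunk.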