root: set samesite for csrf cookie

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2022-01-12 23:14:14 +01:00
parent 1ee603403e
commit ed84fe0b8d
2 changed files with 16 additions and 1 deletions

View File

@ -75,6 +75,7 @@ AUTH_USER_MODEL = "authentik_core.User"
_cookie_suffix = "_debug" if DEBUG else "" _cookie_suffix = "_debug" if DEBUG else ""
CSRF_COOKIE_NAME = "authentik_csrf" CSRF_COOKIE_NAME = "authentik_csrf"
CSRF_COOKIE_SAMESITE = None
LANGUAGE_COOKIE_NAME = f"authentik_language{_cookie_suffix}" LANGUAGE_COOKIE_NAME = f"authentik_language{_cookie_suffix}"
SESSION_COOKIE_NAME = f"authentik_session{_cookie_suffix}" SESSION_COOKIE_NAME = f"authentik_session{_cookie_suffix}"
SESSION_COOKIE_DOMAIN = CONFIG.y("cookie_domain", None) SESSION_COOKIE_DOMAIN = CONFIG.y("cookie_domain", None)

View File

@ -50,13 +50,27 @@ export function tenant(): Promise<CurrentTenant> {
return globalTenantPromise; return globalTenantPromise;
} }
let csrfToken = getCookie("authentik_csrf");
export class CSRFUpdaterMiddleware implements Middleware {
post?(context: ResponseContext): Promise<Response | void> {
const newCsrf = getCookie("authentik_csrf");
if (newCsrf !== csrfToken) {
console.log("authentik/api: rotated CSRF token");
csrfToken = newCsrf;
}
return Promise.resolve(context.response);
}
}
export const DEFAULT_CONFIG = new Configuration({ export const DEFAULT_CONFIG = new Configuration({
basePath: process.env.AK_API_BASE_PATH + "/api/v3", basePath: process.env.AK_API_BASE_PATH + "/api/v3",
headers: { headers: {
"X-CSRFToken": getCookie("authentik_csrf"), "X-CSRFToken": csrfToken,
"sentry-trace": getMetaContent("sentry-trace") || "", "sentry-trace": getMetaContent("sentry-trace") || "",
}, },
middleware: [ middleware: [
new CSRFUpdaterMiddleware(),
new APIMiddleware(), new APIMiddleware(),
new MessageMiddleware(), new MessageMiddleware(),
new LoggingMiddleware(), new LoggingMiddleware(),