root: set samesite for csrf cookie

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-01-12 23:14:14 +01:00 · 2022-01-12 23:14:14 +01:00 · ed84fe0b8d
parent 1ee603403e
commit ed84fe0b8d
2 changed files with 16 additions and 1 deletions
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@ -75,6 +75,7 @@ AUTH_USER_MODEL = "authentik_core.User"
 _cookie_suffix = "_debug" if DEBUG else ""
 CSRF_COOKIE_NAME = "authentik_csrf"
 CSRF_COOKIE_SAMESITE = None
 LANGUAGE_COOKIE_NAME = f"authentik_language{_cookie_suffix}"
 SESSION_COOKIE_NAME = f"authentik_session{_cookie_suffix}"
 SESSION_COOKIE_DOMAIN = CONFIG.y("cookie_domain", None)
--- a/web/src/api/Config.ts
+++ b/web/src/api/Config.ts
@ -50,13 +50,27 @@ export function tenant(): Promise<CurrentTenant> {
    return globalTenantPromise;
 }
 let csrfToken = getCookie("authentik_csrf");
 export class CSRFUpdaterMiddleware implements Middleware {
    post?(context: ResponseContext): Promise<Response | void> {
        const newCsrf = getCookie("authentik_csrf");
        if (newCsrf !== csrfToken) {
            console.log("authentik/api: rotated CSRF token");
            csrfToken = newCsrf;
        }
        return Promise.resolve(context.response);
    }
 }
 export const DEFAULT_CONFIG = new Configuration({
    basePath: process.env.AK_API_BASE_PATH + "/api/v3",
    headers: {
-        "X-CSRFToken": getCookie("authentik_csrf"),
+        "X-CSRFToken": csrfToken,
        "sentry-trace": getMetaContent("sentry-trace") || "",
    },
    middleware: [
        new CSRFUpdaterMiddleware(),
        new APIMiddleware(),
        new MessageMiddleware(),
        new LoggingMiddleware(),