From 860a3c3007cdf7c6e9b9e05a48e412ac360a588f Mon Sep 17 00:00:00 2001
From: Robert Bartel
Date: Tue, 13 Aug 2024 15:39:38 -0400
Subject: [PATCH] Fix GUI service CSRF issues in development.

---
 docker/nwm_gui/docker-compose.yml | 3 +++
 python/gui/maas_experiment/settings.py | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/docker/nwm_gui/docker-compose.yml b/docker/nwm_gui/docker-compose.yml
index d2455a6e9..9dfe329d5 100644
--- a/docker/nwm_gui/docker-compose.yml
+++ b/docker/nwm_gui/docker-compose.yml
@@ -63,6 +63,9 @@ services:
 - SQL_PORT=5432
 - DATABASE=postgres
 - DOCKER_SECRET_POSTGRES_PASS=postgres_password
+ - DEBUG=${DOCKER_GUI_DEV_MODE:-true}
+ # Should be a comma-delimited string if needing more than one
+ - TRUSTED_ORIGINS=${DOCKER_GUI_TRUSTED_ORIGINS:-http://127.0.0.1:${DOCKER_GUI_WEB_SERVER_HOST_PORT:-8081}}
 volumes:
 - ${DMOD_APP_STATIC:?}:/usr/maas_portal/static
 - ${DMOD_SSL_DIR}/request-service:/usr/maas_portal/ssl
diff --git a/python/gui/maas_experiment/settings.py b/python/gui/maas_experiment/settings.py
index 589b5e444..1c1b83e55 100644
--- a/python/gui/maas_experiment/settings.py
+++ b/python/gui/maas_experiment/settings.py
@@ -1,6 +1,7 @@
 """ Django settings for maas_experiment project """
+import os
 from .application_values import *
 from .logging import *
@@ -34,6 +35,8 @@
 # packet sniffer and use the cookie to hijack the user’s session.
 SESSION_COOKIE_SECURE = not DEBUG
 
+CSRF_TRUSTED_ORIGINS = os.environ.get('TRUSTED_ORIGINS', '').split(',')
+
 # Whether to use a secure cookie for the CSRF cookie. If this is set to True, the cookie will be marked as “secure”,
 # which means browsers may ensure that the cookie is only sent with an HTTPS connection.
 CSRF_COOKIE_SECURE = not DEBUG
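Review bot: `DEBUG=${DOCKER_GUI_DEV_MODE:-true}` makes Django debug mode the default whenever DOCKER_GUI_DEV_MODE is unset, and the settings.py hunk in this same commit derives `SESSION_COOKIE_SECURE` and `CSRF_COOKIE_SECURE` from `not DEBUG`, so a stack brought up without that variable serves session and CSRF cookies without the Secure flag and exposes debug error pages. If this compose file is only ever used for local development that may be intended, but a fail-open default deserves to be stated next to it rather than discovered later. I would change the line to `- DEBUG=${DOCKER_GUI_DEV_MODE:-false}` or, if the dev default must stay, add `# Dev-only default: DEBUG=true also drops the Secure flag on session/CSRF cookies (see settings.py)` above it. The `TRUSTED_ORIGINS` default is loopback-only, which is fine for development; its comment could additionally say that each entry must be a full origin with a scheme, since Django 4.0+ requires one.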
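Review bot: `CSRF_TRUSTED_ORIGINS = os.environ.get('TRUSTED_ORIGINS', '').split(',')` yields `['']` when the variable is absent and keeps any whitespace around commas, so an unset or loosely formatted value puts an empty or padded origin into the list; Django 4.0+ rejects entries without a scheme in its startup system checks, and a padded entry would never match the request's Origin header in any case, so the setting silently does nothing. I would filter and trim in place: `CSRF_TRUSTED_ORIGINS = [o.strip() for o in os.environ.get('TRUSTED_ORIGINS', '').split(',') if o.strip()]`. A short comment above it naming the expected format (`# Comma-separated list of full origins with scheme, e.g. https://<host>:<port>`) would also help, since the compose file is currently the only place that documents the variable.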