Fix GUI service CSRF issues in development.

NOAA-OWP · Aug 13, 2024 · f3b57c0 · f3b57c0
1 parent 7c3144b
commit f3b57c0
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/docker/nwm_gui/docker-compose.yml b/docker/nwm_gui/docker-compose.yml
@@ -63,6 +63,9 @@ services:
       - SQL_PORT=5432
       - DATABASE=postgres
       - DOCKER_SECRET_POSTGRES_PASS=postgres_password
+      - DEBUG=${DOCKER_GUI_DEV_MODE:-true}
+      # Should be a comma-delimited string if needing more than one
+      - TRUSTED_ORIGINS=${DOCKER_GUI_TRUSTED_ORIGINS:-http://127.0.0.1:${DOCKER_GUI_WEB_SERVER_HOST_PORT:-8081}}
     volumes:
       - ${DMOD_APP_STATIC:?}:/usr/maas_portal/static
       - ${DMOD_SSL_DIR}/request-service:/usr/maas_portal/ssl

diff --git a/python/gui/maas_experiment/settings.py b/python/gui/maas_experiment/settings.py
@@ -1,6 +1,7 @@
 """
 Django settings for maas_experiment project
 """
+import os
 
 from .application_values import *
 from .logging import *
@@ -34,6 +35,8 @@
 # packet sniffer and use the cookie to hijack the user’s session.
 SESSION_COOKIE_SECURE = not DEBUG
 
+CSRF_TRUSTED_ORIGINS = os.environ.get('TRUSTED_ORIGINS', '').split(',')
+
 # Whether to use a secure cookie for the CSRF cookie. If this is set to True, the cookie will be marked as “secure”,
 # which means browsers may ensure that the cookie is only sent with an HTTPS connection.
 CSRF_COOKIE_SECURE = not DEBUG