From cb09da8b7c8d4d7619e887a52731823b589ba997 Mon Sep 17 00:00:00 2001
From: Erwan Rouchet <rouchet@teklia.com>
Date: Fri, 17 Nov 2023 10:37:58 +0100
Subject: [PATCH] Allow CSRF to a different hostname in dev and Surge builds

---
 .env.development | 1 +
 package-lock.json | 14 +++++++-------
 package.json | 2 +-
 src/config.ts | 1 +
 src/main.ts | 8 ++++++++
 5 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/.env.development b/.env.development
index d3bda7b1a..56d20a1a0 100644
--- a/.env.development
+++ b/.env.development
@@ -1,2 +1,3 @@
 VUE_APP_API_BASE_URL=http://localhost:8000/api/v1
 VUE_APP_ROUTER_MODE=history
+VUE_APP_CSRF_ALL_ORIGINS=true
diff --git a/package-lock.json b/package-lock.json
index c791f5e32..ff3132a29 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -12,7 +12,7 @@
 "@sentry/integrations": "^7.16.0",
 "@sentry/vue": "^7.16.0",
 "ansi-to-html": "^0.7.2",
- "axios": "^1.4.0",
+ "axios": "^1.6.2",
 "bulma": "^0.9.3",
 "bulma-switch": "^2.0.0",
 "bulma-tooltip": "^3.0.2",
@@ -4949,9 +4949,9 @@
 }
 },
 "node_modules/axios": {
- "version": "1.6.1",
- "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.1.tgz",
- "integrity": "sha512-vfBmhDpKafglh0EldBEbVuoe7DyAavGSLWhuSm5ZSEKQnHhBf0xAAwybbNH1IkrJNGnS/VG4I5yxig1pCEXE4g==",
+ "version": "1.6.2",
+ "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.2.tgz",
+ "integrity": "sha512-7i24Ri4pmDRfJTR7LDBhsOTtcm+9kjX5WiY1X3wIisx6G9So3pfMkEiU7emUBe46oceVImccTEM3k6C5dbVW8A==",
 "dependencies": {
 "follow-redirects": "^1.15.0",
 "form-data": "^4.0.0",
@@ -23215,9 +23215,9 @@
 }
 },
 "axios": {
- "version": "1.6.1",
- "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.1.tgz",
- "integrity": "sha512-vfBmhDpKafglh0EldBEbVuoe7DyAavGSLWhuSm5ZSEKQnHhBf0xAAwybbNH1IkrJNGnS/VG4I5yxig1pCEXE4g==",
+ "version": "1.6.2",
+ "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.2.tgz",
+ "integrity": "sha512-7i24Ri4pmDRfJTR7LDBhsOTtcm+9kjX5WiY1X3wIisx6G9So3pfMkEiU7emUBe46oceVImccTEM3k6C5dbVW8A==",
 "requires": {
 "follow-redirects": "^1.15.0",
 "form-data": "^4.0.0",
diff --git a/package.json b/package.json
index 441f7ed4b..7e69cc5d8 100644
--- a/package.json
+++ b/package.json
@@ -20,7 +20,7 @@
 "@sentry/integrations": "^7.16.0",
 "@sentry/vue": "^7.16.0",
 "ansi-to-html": "^0.7.2",
- "axios": "^1.4.0",
+ "axios": "^1.6.2",
 "bulma": "^0.9.3",
 "bulma-switch": "^2.0.0",
 "bulma-tooltip": "^3.0.2",
diff --git a/src/config.ts b/src/config.ts
index a4c144a3c..33c10175f 100644
--- a/src/config.ts
+++ b/src/config.ts
@@ -34,6 +34,7 @@ export const CSRF_COOKIE_NAME: string = process.env.VUE_APP_CSRF_COOKIE_NAME ||
 // Fallback to default value
 ) || 'arkindex.csrf'
 export const CSRF_COOKIE_HEADER = 'X-CSRFToken'
+export const CSRF_ALL_ORIGINS = process.env.VUE_APP_CSRF_ALL_ORIGINS === 'true'
 export const VERSION: string | undefined = process.env.VUE_APP_VERSION
 export const ROUTER_MODE: string = process.env.VUE_APP_ROUTER_MODE || 'history'
diff --git a/src/main.ts b/src/main.ts
index 9318403bb..7b5031419 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -7,6 +7,7 @@ import {
 API_BASE_URL,
 CSRF_COOKIE_NAME,
 CSRF_COOKIE_HEADER,
+ CSRF_ALL_ORIGINS,
 SENTRY_DSN,
 SENTRY_ENVIRONMENT,
 UUID,
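Review bot: The new `CSRF_ALL_ORIGINS` export in the src/config.ts hunk has no comment saying what it switches on or when it is acceptable to set, and nothing restricts it to the dev and Surge builds named in the subject: any build whose environment exports `VUE_APP_CSRF_ALL_ORIGINS=true` will ship with the CSRF token attached to every cross-origin request the shared axios instance makes. A reader of config.ts alone cannot see that consequence, since it only materialises in main.ts. I would add above the export: `// Only for local dev and Surge preview builds: makes axios attach the CSRF token to requests to every origin, not just API_BASE_URL (see main.ts)`. If Surge preview builds are not compiled with NODE_ENV=production, the export could additionally be guarded with `&& process.env.NODE_ENV !== 'production'` so a stray variable in a release pipeline cannot enable it; if they are, a comment in the deployment configuration is the remaining place to keep the two in sync.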
@@ -35,6 +36,13 @@ axios.defaults.baseURL = API_BASE_URL
 axios.defaults.xsrfCookieName = CSRF_COOKIE_NAME
 axios.defaults.xsrfHeaderName = CSRF_COOKIE_HEADER
 axios.defaults.withCredentials = true
+/*
+ * `false` means no CSRF token is ever sent in any request,
+ * `undefined` means the CSRF token is only sent to the same origin (default),
+ * `true` means the token is sent to everyone.
+ * Dev builds will need `true`, since devs will need to reach localhost:8000 from :8080.
+ */
+axios.defaults.withXSRFToken = CSRF_ALL_ORIGINS ? true : undefined
 // Try to ensure we do not get anything other than JSON…
 axios.defaults.headers.Accept = 'application/json'
-- 
GitLab
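Review bot: `axios.defaults.withXSRFToken = CSRF_ALL_ORIGINS ? true : undefined` on the last added line sends the CSRF token header on every request this axios instance makes, not only to the API at `API_BASE_URL`; together with `axios.defaults.withCredentials = true` three lines above, any other host the instance is ever pointed at receives both the cookies and the token, which is exactly the cross-origin leak the `undefined` default exists to prevent. The comment block states this ("sent to everyone") but does not narrow it, and the stated need is only to reach localhost:8000 from :8080. If the axios version pulled in by this patch accepts a predicate for `withXSRFToken` (the 1.6.2 release is where the option appeared; verify against the installed typings before relying on it), the token can be limited to the API origin with `axios.defaults.withXSRFToken = CSRF_ALL_ORIGINS ? (config) => new URL(config.url ?? '', config.baseURL ?? API_BASE_URL).origin === new URL(API_BASE_URL).origin : undefined`. If only the boolean form is available, the comment should at least say that dev and Surge builds must not route requests to third-party hosts through this instance while the flag is on.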