From ed84fe0b8d675ea23e9e2072466db5db10794a50 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 12 Jan 2022 23:14:14 +0100
Subject: [PATCH] root: set samesite for csrf cookie

Signed-off-by: Jens Langhammer
---
 authentik/root/settings.py | 1 +
 web/src/api/Config.ts | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index 0d53962d8..bd21a34e1 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -75,6 +75,7 @@ AUTH_USER_MODEL = "authentik_core.User"
 _cookie_suffix = "_debug" if DEBUG else ""
 CSRF_COOKIE_NAME = "authentik_csrf"
+CSRF_COOKIE_SAMESITE = None
 LANGUAGE_COOKIE_NAME = f"authentik_language{_cookie_suffix}"
 SESSION_COOKIE_NAME = f"authentik_session{_cookie_suffix}"
 SESSION_COOKIE_DOMAIN = CONFIG.y("cookie_domain", None)
diff --git a/web/src/api/Config.ts b/web/src/api/Config.ts
index 01568ae6d..5f45e404c 100644
--- a/web/src/api/Config.ts
+++ b/web/src/api/Config.ts
@@ -50,13 +50,27 @@ export function tenant(): Promise {
     return globalTenantPromise;
 }
+let csrfToken = getCookie("authentik_csrf");
+
+export class CSRFUpdaterMiddleware implements Middleware {
+    post?(context: ResponseContext): Promise {
+        const newCsrf = getCookie("authentik_csrf");
+        if (newCsrf !== csrfToken) {
+            console.log("authentik/api: rotated CSRF token");
+            csrfToken = newCsrf;
+        }
+        return Promise.resolve(context.response);
+    }
+}
+
 export const DEFAULT_CONFIG = new Configuration({
     basePath: process.env.AK_API_BASE_PATH + "/api/v3",
     headers: {
-        "X-CSRFToken": getCookie("authentik_csrf"),
+        "X-CSRFToken": csrfToken,
         "sentry-trace": getMetaContent("sentry-trace") || "",
     },
     middleware: [
+        new CSRFUpdaterMiddleware(),
         new APIMiddleware(),
         new MessageMiddleware(),
         new LoggingMiddleware(),
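Review bot: `CSRF_COOKIE_SAMESITE = None` omits the SameSite attribute from the CSRF cookie rather than emitting `SameSite=None`: in Django the Python value `None` disables the attribute, while the string `"None"` sets the explicit cross-site value, which browsers then only honour together with `Secure` (`CSRF_COOKIE_SECURE = True`). Given the subject line says the commit sets SameSite, confirm which behaviour is intended; with the attribute absent, current Chromium-based browsers treat the cookie as Lax by default, so cross-site requests presumably still will not carry it. Either way this is a deliberate relaxation of Django's default `Lax` and deserves a comment recording why, e.g. `# CSRF cookie SameSite relaxed for <reason: fill in>; the per-request cookie/header token comparison still applies`, so a later reader does not restore the default without knowing what depends on it.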
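Review bot: The rotated token never reaches the request: `"X-CSRFToken": csrfToken` in the `DEFAULT_CONFIG` headers literal is evaluated once at module load, so reassigning the module-level `let csrfToken` inside `post()` does not change the header value that `Configuration` keeps sending, and the new middleware only logs the rotation. To make rotation effective, give `CSRFUpdaterMiddleware` a `pre` hook that reads the cookie at request time and sets the header on `context.init`; the `RequestContext` and `FetchParams` types it needs come from the same generated runtime as `Middleware`, and that import block is outside this hunk. The `post()` check can then stay as the log-only observer it already is, or be dropped since the per-request read makes the module variable redundant.
```typescript
export class CSRFUpdaterMiddleware implements Middleware {
    pre?(context: RequestContext): Promise<FetchParams | void> {
        // Read the cookie on every request so a token rotated by the server is actually sent.
        const headers = new Headers(context.init.headers);
        headers.set("X-CSRFToken", getCookie("authentik_csrf"));
        context.init.headers = headers;
        return Promise.resolve(context);
    }
    // … unchanged: post() rotation log …
}
```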