Merge pull request Tivix#94 from chrsz/feature/jwt_secure_samesite

Added other optionals settings variables to JWT cookie
scream4ik · Jun 20, 2020 · 9dbbef4 · 9dbbef4
2 parents b794265 + f05abda
commit 9dbbef4
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -107,4 +107,7 @@ venv.bak/
 # mypy
 .mypy_cache/
 demo/react-spa/node_modules/
-demo/react-spa/yarn.lock
+demo/react-spa/yarn.lock
+
+# Visual Studio Code
+.vscode/
diff --git a/dj_rest_auth/views.py b/dj_rest_auth/views.py
@@ -86,6 +86,9 @@ def get_response(self):
         response = Response(serializer.data, status=status.HTTP_200_OK)
         if getattr(settings, 'REST_USE_JWT', False):
             cookie_name = getattr(settings, 'JWT_AUTH_COOKIE', None)
+            cookie_secure = getattr(settings, 'JWT_AUTH_SECURE', False)
+            cookie_httponly = getattr(settings, 'JWT_AUTH_HTTPONLY', True)
+            cookie_samesite = getattr(settings, 'JWT_AUTH_SAMESITE', 'Lax')
             from rest_framework_simplejwt.settings import api_settings as jwt_settings
             if cookie_name:
                 from datetime import datetime
@@ -94,7 +97,9 @@ def get_response(self):
                     cookie_name,
                     self.access_token,
                     expires=expiration,
-                    httponly=True
+                    secure=cookie_secure,
+                    httponly=cookie_httponly,
+                    samesite=cookie_samesite
                 )
         return response
 

diff --git a/docs/configuration.rst b/docs/configuration.rst
@@ -48,6 +48,9 @@ Configuration
 
 - **REST_USE_JWT** - Enable JWT Authentication instead of Token/Session based. This is built on top of djangorestframework-simplejwt https://github.com/SimpleJWT/django-rest-framework-simplejwt, which must also be installed. (default: False)
 - **JWT_AUTH_COOKIE** - The cookie name/key.
+- **JWT_AUTH_SECURE** - If you want the cookie to be only sent to the server when a request is made with the https scheme (default: False).
+- **JWT_AUTH_HTTPONLY** - If you want to prevent client-side JavaScript from having access to the cookie (default: True).
+- **JWT_AUTH_SAMESITE** - To tell the browser not to send this cookie when performing a cross-origin request (default: 'Lax'). SameSite isn’t supported by all browsers.
 - **OLD_PASSWORD_FIELD_ENABLED** - set it to True if you want to have old password verification on password change enpoint (default: False)
 
 - **LOGOUT_ON_PASSWORD_CHANGE** - set to False if you want to keep the current user logged in after a password change