Disable CSRF checks

2024-09-11 11:55:26 +03:00 · 2023-05-01 12:11:08 -07:00 · 2023-05-01 12:11:08 -07:00 · dacb9e9fa6
commit dacb9e9fa6
parent a1f0a85646
5 changed files with 18 additions and 22 deletions
--- a/frontend/src/services/api/ApiNativeClient/index.ts
+++ b/frontend/src/services/api/ApiNativeClient/index.ts
@ -13,13 +13,13 @@ class ApiNativeClient implements ApiClient {
    const robotToken = systemClient.getItem('robot_token');
    if (robotToken) {
      const sessionid = systemClient.getCookie('sessionid');
-      const csrftoken = systemClient.getCookie('csrftoken');
+      // const csrftoken = systemClient.getCookie('csrftoken');

      headers = {
        ...headers,
        ...{
-          'X-CSRFToken': csrftoken,
-          Cookie: `sessionid=${sessionid};csrftoken=${csrftoken}`,
+          // 'X-CSRFToken': csrftoken,
+          Cookie: `sessionid=${sessionid}`, // ;csrftoken=${csrftoken}
        },
      };
    }
--- a/frontend/src/services/api/ApiWebClient/index.ts
+++ b/frontend/src/services/api/ApiWebClient/index.ts
@ -5,7 +5,7 @@ class ApiWebClient implements ApiClient {
  private readonly getHeaders: () => HeadersInit = () => {
    return {
      'Content-Type': 'application/json',
-      'X-CSRFToken': systemClient.getCookie('csrftoken') || '',
+      // 'X-CSRFToken': systemClient.getCookie('csrftoken') || '',
    };
  };

--- a/mobile/App.tsx
+++ b/mobile/App.tsx
@ -1,4 +1,4 @@
-import React, { useEffect, useRef } from 'react';
+import React, { useRef } from 'react';
 import { WebView, WebViewMessageEvent } from 'react-native-webview';
 import { SafeAreaView, Text, Platform, Appearance } from 'react-native';
 import TorClient from './services/Tor';
@ -31,7 +31,7 @@ const App = () => {
    );
  };

-  const init = (reponseId: string) => {
+  const init = (responseId: string) => {
    const loadCookie = async (key: string) => {
      return await EncryptedStorage.getItem(key).then((value) => {
        if (value) {
@ -44,13 +44,13 @@ const App = () => {
    };

    EncryptedStorage.removeItem('sessionid');
-    EncryptedStorage.removeItem('csrftoken');
+    // EncryptedStorage.removeItem('csrftoken');
    loadCookie('robot_token');
    loadCookie('settings_fontsize_basic');
    loadCookie('settings_language');
    loadCookie('settings_mode');
    loadCookie('settings_network');
-    loadCookie('garage').then(() => injectMessageResolve(reponseId));
+    loadCookie('garage').then(() => injectMessageResolve(responseId));
  };

  const onCatch = (dataId: string, event: any) => {
--- a/robosats/middleware.py
+++ b/robosats/middleware.py
@ -0,0 +1,8 @@
+class DisableCSRFMiddleware(object):
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        setattr(request, "_dont_enforce_csrf_checks", True)
+        response = self.get_response(request)
+        return response
--- a/robosats/settings.py
+++ b/robosats/settings.py
@ -54,19 +54,6 @@ ALLOWED_HOSTS = [

 CORS_ALLOW_ALL_ORIGINS = True

-CSRF_TRUSTED_ORIGINS = [
-    f'http://{config("HOST_NAME")}',
-    f'http://{config("HOST_NAME2")}',
-    f'http://{config("I2P_ALIAS")}',
-    f'http://{config("I2P_LONG")}',
-    f'http://{config("LOCAL_ALIAS")}',
-    "http://localhost",
-    "http://*.onion",
-    "http://*",
-    "https://*.com",
-    "https://*",
-]
-
 # Allows Session Cookie to be read by Javascript on Client side.
 SESSION_COOKIE_HTTPONLY = False

@ -158,7 +145,8 @@ MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
-    "django.middleware.csrf.CsrfViewMiddleware",
+    # "django.middleware.csrf.CsrfViewMiddleware",
+    "robosats.middleware.DisableCSRFMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",