b625e8e37e
This commit extends the workaround in `cors_csrf` middleware to Django Rest Framework's SessionAuthentication, which calls Django's CSRF middleware directly. The workaround checks the cross domain whitelist and skips the CSRF referer check for domains on the whitelist.
30 lines
1.3 KiB
Python
30 lines
1.3 KiB
Python
"""Django Rest Framework Authentication classes for cross-domain end-points."""
|
|
from rest_framework import authentication
|
|
from cors_csrf.helpers import is_cross_domain_request_allowed, skip_cross_domain_referer_check
|
|
|
|
|
|
class SessionAuthenticationCrossDomainCsrf(authentication.SessionAuthentication):
|
|
"""Session authentication that skips the referer check over secure connections.
|
|
|
|
Django Rest Framework's `SessionAuthentication` class calls Django's
|
|
CSRF middleware implementation directly, which bypasses the middleware
|
|
stack.
|
|
|
|
This version of `SessionAuthentication` performs the same workaround
|
|
as `CorsCSRFMiddleware` to skip the referer check for whitelisted
|
|
domains over a secure connection. See `cors_csrf.middleware` for
|
|
more information.
|
|
|
|
Since this subclass overrides only the `enforce_csrf()` method,
|
|
it can be mixed in with other `SessionAuthentication` subclasses.
|
|
|
|
"""
|
|
|
|
def enforce_csrf(self, request):
|
|
"""Skip the referer check if the cross-domain request is allowed. """
|
|
if is_cross_domain_request_allowed(request):
|
|
with skip_cross_domain_referer_check(request):
|
|
return super(SessionAuthenticationCrossDomainCsrf, self).enforce_csrf(request)
|
|
else:
|
|
return super(SessionAuthenticationCrossDomainCsrf, self).enforce_csrf(request)
|