From c6b6530eb0bfa5b10fd7b9e955a39301156e49d2 Mon Sep 17 00:00:00 2001 From: adrenaline681 Date: Tue, 14 Nov 2023 19:28:15 -0800 Subject: [PATCH] Adding optional support for setting the cookie domain for JWT auth tokens (#568) --- dj_rest_auth/app_settings.py | 1 + dj_rest_auth/jwt_auth.py | 10 ++++++++-- docs/configuration.rst | 6 ++++++ 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/dj_rest_auth/app_settings.py b/dj_rest_auth/app_settings.py index 949a2a63..d04f4b01 100644 --- a/dj_rest_auth/app_settings.py +++ b/dj_rest_auth/app_settings.py @@ -35,6 +35,7 @@ 'JWT_AUTH_SECURE': False, 'JWT_AUTH_HTTPONLY': True, 'JWT_AUTH_SAMESITE': 'Lax', + 'JWT_AUTH_COOKIE_DOMAIN' : None, 'JWT_AUTH_RETURN_EXPIRATION': False, 'JWT_AUTH_COOKIE_USE_CSRF': False, 'JWT_AUTH_COOKIE_ENFORCE_CSRF_ON_UNAUTHENTICATED': False, diff --git a/dj_rest_auth/jwt_auth.py b/dj_rest_auth/jwt_auth.py index 86fb4f03..6c98d62e 100644 --- a/dj_rest_auth/jwt_auth.py +++ b/dj_rest_auth/jwt_auth.py @@ -16,6 +16,8 @@ def set_jwt_access_cookie(response, access_token): cookie_secure = api_settings.JWT_AUTH_SECURE cookie_httponly = api_settings.JWT_AUTH_HTTPONLY cookie_samesite = api_settings.JWT_AUTH_SAMESITE + cookie_domain = api_settings.JWT_AUTH_COOKIE_DOMAIN + if cookie_name: response.set_cookie( @@ -25,6 +27,7 @@ def set_jwt_access_cookie(response, access_token): secure=cookie_secure, httponly=cookie_httponly, samesite=cookie_samesite, + domain=cookie_domain, ) @@ -36,6 +39,7 @@ def set_jwt_refresh_cookie(response, refresh_token): cookie_secure = api_settings.JWT_AUTH_SECURE cookie_httponly = api_settings.JWT_AUTH_HTTPONLY cookie_samesite = api_settings.JWT_AUTH_SAMESITE + cookie_domain = api_settings.JWT_AUTH_COOKIE_DOMAIN if refresh_cookie_name: response.set_cookie( @@ -46,6 +50,7 @@ def set_jwt_refresh_cookie(response, refresh_token): httponly=cookie_httponly, samesite=cookie_samesite, path=refresh_cookie_path, + domain=cookie_domain, ) @@ -59,11 +64,12 @@ def unset_jwt_cookies(response): refresh_cookie_name = api_settings.JWT_AUTH_REFRESH_COOKIE refresh_cookie_path = api_settings.JWT_AUTH_REFRESH_COOKIE_PATH cookie_samesite = api_settings.JWT_AUTH_SAMESITE + cookie_domain = api_settings.JWT_AUTH_COOKIE_DOMAIN if cookie_name: - response.delete_cookie(cookie_name, samesite=cookie_samesite) + response.delete_cookie(cookie_name, samesite=cookie_samesite, domain=cookie_domain) if refresh_cookie_name: - response.delete_cookie(refresh_cookie_name, path=refresh_cookie_path, samesite=cookie_samesite) + response.delete_cookie(refresh_cookie_name, path=refresh_cookie_path, samesite=cookie_samesite, domain=cookie_domain) class CookieTokenRefreshSerializer(TokenRefreshSerializer): diff --git a/docs/configuration.rst b/docs/configuration.rst index bff4a408..a86182f6 100644 --- a/docs/configuration.rst +++ b/docs/configuration.rst @@ -39,6 +39,7 @@ dj-rest-auth behaviour can be controlled by adjust settings in ``settings.py``: 'JWT_AUTH_SECURE': False, 'JWT_AUTH_HTTPONLY': True, 'JWT_AUTH_SAMESITE': 'Lax', + 'JWT_AUTH_COOKIE_DOMAIN' : None, 'JWT_AUTH_RETURN_EXPIRATION': False, 'JWT_AUTH_COOKIE_USE_CSRF': False, 'JWT_AUTH_COOKIE_ENFORCE_CSRF_ON_UNAUTHENTICATED': False, @@ -219,6 +220,11 @@ cookie. Default is ``True``. To tell the browser not to send this cookie when performing a cross-origin request. Default is ``'Lax'``. SameSite isn't supported by all browsers. +``JWT_AUTH_COOKIE_DOMAIN`` +========================== +Sets the cookie domain for the ``access_token`` and ``refresh_token``. Default is ``None``. + + ``JWT_AUTH_RETURN_EXPIRATION`` ==============================