From 46a8888f75934e35a3ef499ef8257099624e0ca3 Mon Sep 17 00:00:00 2001
From: Danial Keimasi
Date: Fri, 12 Jul 2024 17:58:28 +0330
Subject: [PATCH] Move ensure_csrf_token docstring to README and also bump version 3.2.0

---
 README.md | 9 +++++----
 django_nextjs/__init__.py | 2 +-
 django_nextjs/render.py | 7 -------
 3 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/README.md b/README.md
index 320e58a..6a8bb1b 100644
--- a/README.md
+++ b/README.md
@@ -277,10 +277,11 @@ The URL of Next.js server (started by `npm run dev` or `npm run start`)
 
 ### `ensure_csrf_token`
 
-If user does not have a CSRF token, ensure that one is generated and included in the initial request to the NextJS
-server, by calling Django's `django.middleware.csrf.get_token`. If `django.middleware.csrf.CsrfViewMiddleware` is
-installed, the initial response will include a `Set-Cookie` header to persist the CSRF token value on the client.
-This behaviour is enabled by default.
+If the user does not have a CSRF token, ensure that one is generated and included in the initial request to the Next.js server by calling Django's `django.middleware.csrf.get_token`. If `django.middleware.csrf.CsrfViewMiddleware` is installed, the initial response will include a `Set-Cookie` header to persist the CSRF token value on the client. This behavior is enabled by default.
+
+#### When You Need to `ensure_csrf_token`?
+
+You may need to issue GraphQL POST requests to fetch data in Next.js `getServerSideProps`. If this is the user's first request, there will be no CSRF cookie, causing the request to fail since GraphQL uses POST even for data fetching. However, as long as `getServerSideProps` functions are side-effect free (i.e., they don't use HTTP unsafe methods or GraphQL mutations), this should be fine from a security perspective. Read more [here](https://docs.djangoproject.com/en/3.2/ref/csrf/#is-posting-an-arbitrary-csrf-token-pair-cookie-and-post-data-a-vulnerability).
 
 ## Development
 
diff --git a/django_nextjs/__init__.py b/django_nextjs/__init__.py
index f5f41e5..1173108 100644
--- a/django_nextjs/__init__.py
+++ b/django_nextjs/__init__.py
@@ -1 +1 @@
-__version__ = "3.1.0"
+__version__ = "3.2.0"
diff --git a/django_nextjs/render.py b/django_nextjs/render.py
index 028fd42..2b534c5 100644
--- a/django_nextjs/render.py
+++ b/django_nextjs/render.py
@@ -40,13 +40,6 @@ def _get_render_context(html: str, extra_context: Union[Dict, None] = None):
 def _get_nextjs_request_cookies(request: HttpRequest):
     """
     Ensure we always send a CSRF cookie to Next.js server (if there is none in `request` object, generate one)
-    Reason: We are going to issue GraphQL POST requests to fetch data in NextJS getServerSideProps.
-    If this is the first request of user, there is no CSRF cookie and request fails,
-    since GraphQL uses POST even for data fetching.
-    Isn't this a vulnerability?
-    No, as long as getServerSideProps functions are side effect free
-    (i.e. dont use HTTP unsafe methods or GraphQL mutations).
-    https://docs.djangoproject.com/en/3.2/ref/csrf/#is-posting-an-arbitrary-csrf-token-pair-cookie-and-post-data-a-vulnerability
     """
     unreserved_cookies = {k: v for k, v in request.COOKIES.items() if k and not morsel.isReservedKey(k)}
     if ENSURE_CSRF_TOKEN is True and settings.CSRF_COOKIE_NAME not in unreserved_cookies: