
Samesite setting not being set on HttpOnly token delete

Open aaonhub opened this issue 3 years ago • 4 comments

Sorry if there's some standard I'm not following; it's my first GitHub issue submission.

I don't know why, but getting the token works fine, while trying to delete it ignores the samesite setting.

My Django settings (I tried commenting out the samesite setting, but nothing changed):

GRAPHQL_JWT = {
    "JWT_COOKIE_SECURE": True,
    "JWT_COOKIE_SAMESITE": "None",

    # optional
    "JWT_LONG_RUNNING_REFRESH_TOKEN": True,
}

My Apollo Client HttpLink:

const link = new HttpLink({
    uri: 'http://127.0.0.1:8000/',
    credentials: 'include',
});

Token mutation:

[screenshot of the token mutation response]

Deleting token mutation:

[screenshot of the delete token mutation response]

aaonhub, Sep 08 '21 00:09

Can confirm. This same thing is happening to me; the only difference is that I am not using the Long Running Refresh Tokens.

letops, Oct 11 '21 06:10

I feel like this is a pretty major bug. Is nobody else having this problem?

aaonhub, Nov 15 '21 22:11

@aaonhub I'm having the same problem, did you already solve it?

cadiente-jomel, Jan 13 '22 06:01

It looks like the method used to delete cookies simply ignores the samesite setting.

https://github.com/flavors/django-graphql-jwt/blob/704f24e7ebbea0b81015ef3c1f4a302e9d432ecf/graphql_jwt/utils.py#L139-L144

After a quick test the following change works:

import django
from graphql_jwt.settings import jwt_settings


def delete_cookie(response, key):
    # Reuse the same scope attributes that set_cookie() used, so the expiring
    # Set-Cookie targets the stored cookie and is accepted by the browser.
    kwargs = {
        "path": jwt_settings.JWT_COOKIE_PATH,
        "domain": jwt_settings.JWT_COOKIE_DOMAIN,
    }
    if django.VERSION >= (2, 1):
        # Pass SameSite through as well: a deletion header for a
        # SameSite=None cookie is dropped by browsers on cross-site
        # responses when the attribute is missing.
        kwargs["samesite"] = jwt_settings.JWT_COOKIE_SAMESITE

    response.delete_cookie(key, **kwargs)

JamieOWilliams, Jan 14 '22 15:01
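The reason the fix above matters is that a browser only replaces a stored cookie when the expiring Set-Cookie names the same cookie (name, Path, Domain) and is itself accepted; for a cross-site response such as the Apollo client at a different origin talking to 127.0.0.1:8000, a Set-Cookie without SameSite=None (and Secure) is rejected outright, so the JWT cookie survives the "deletion". The following is an added, stand-alone Python check, not code from django-graphql-jwt or from anyone in this thread. The function names, the sample header values and the cookie name "JWT" are constructed for illustration; it compares a login response's Set-Cookie with the deletion header and lists why a browser would keep the cookie.

```python
"""Check whether a cookie-deleting Set-Cookie header will really remove
the cookie set by an earlier response.

Added example, not part of django-graphql-jwt. Header strings below are
constructed by hand to mirror the thread: a JWT cookie set with
``Secure; SameSite=None`` for a cross-site client, then "deleted".
"""

EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr_lower: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        # Flags such as Secure / HttpOnly carry no value; store them as True.
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def delete_cookie_header(name, path="/", domain=None, samesite=None, secure=False):
    """Build a deletion header that carries the same scope attributes as the
    cookie it targets, with an expiry in the past (Django-style Max-Age=0)."""
    pieces = [f"{name}=", "Max-Age=0", f"Expires={EPOCH}", f"Path={path}"]
    if domain:
        pieces.append(f"Domain={domain}")
    if samesite:
        pieces.append(f"SameSite={samesite}")
    # Browsers reject SameSite=None without Secure, so force it in that case.
    if secure or (samesite and samesite.lower() == "none"):
        pieces.append("Secure")
    return "; ".join(pieces)


def deletion_problems(set_header, delete_header, cross_site=True):
    """Return the reasons a browser would still hold the cookie after
    receiving delete_header. An empty list means the deletion should work."""
    name, _, set_attrs = parse_set_cookie(set_header)
    del_name, _, del_attrs = parse_set_cookie(delete_header)
    problems = []
    if del_name != name:
        problems.append(f"name {del_name!r} does not match {name!r}")
    # Path and Domain are part of the cookie's identity: a mismatch creates
    # a second cookie instead of overwriting the stored one.
    for attr in ("path", "domain"):
        if set_attrs.get(attr) != del_attrs.get(attr):
            problems.append(f"{attr} {del_attrs.get(attr)!r} does not match "
                            f"{set_attrs.get(attr)!r}")
    samesite = str(del_attrs.get("samesite", "")).lower()
    if cross_site and samesite != "none":
        problems.append("cross-site response without SameSite=None: "
                        "browser drops the Set-Cookie, original cookie survives")
    if samesite == "none" and del_attrs.get("secure") is not True:
        problems.append("SameSite=None without Secure is rejected by browsers")
    if "max-age" not in del_attrs and "expires" not in del_attrs:
        problems.append("no Max-Age=0 or past Expires: this header sets a "
                        "cookie rather than deleting one")
    return problems


# Constructed samples (not captured from a real server).
SET_HEADER = "JWT=eyJ.header.payload.sig; Path=/; HttpOnly; Secure; SameSite=None"
# What a delete_cookie() call that ignores the samesite setting emits.
BUGGY_DELETE = f"JWT=; Max-Age=0; Expires={EPOCH}; Path=/"
# What the corrected call emits.
FIXED_DELETE = delete_cookie_header("JWT", path="/", samesite="None")

if __name__ == "__main__":
    for label, header in (("buggy", BUGGY_DELETE), ("fixed", FIXED_DELETE)):
        print(label, header)
        print("  ->", deletion_problems(SET_HEADER, header) or "deletion accepted")
```

The same check passes for the buggy header when cross_site=False, which is why the bug is easy to miss in a same-origin setup and only shows up once the frontend and the Django API live on different sites.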