root: rework CSRF middleware to set secure flag (#11753)

root: remove custom CSRF middleware Signed-off-by: Jens Langhammer <[email protected]>
goauthentik · Oct 23, 2024 · d3ebfca · d3ebfca
1 parent 3c0a8f4
commit d3ebfca
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 8 deletions.
diff --git a/authentik/core/urls.py b/authentik/core/urls.py
@@ -5,7 +5,6 @@
 from django.conf import settings
 from django.contrib.auth.decorators import login_required
 from django.urls import path
-from django.views.decorators.csrf import ensure_csrf_cookie
 
 from authentik.core.api.applications import ApplicationViewSet
 from authentik.core.api.authenticated_sessions import AuthenticatedSessionViewSet
@@ -44,19 +43,19 @@
     # Interfaces
     path(
         "if/admin/",
-        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/admin.html")),
+        BrandDefaultRedirectView.as_view(template_name="if/admin.html"),
         name="if-admin",
     ),
     path(
         "if/user/",
-        ensure_csrf_cookie(BrandDefaultRedirectView.as_view(template_name="if/user.html")),
+        BrandDefaultRedirectView.as_view(template_name="if/user.html"),
         name="if-user",
     ),
     path(
         "if/flow/<slug:flow_slug>/",
         # FIXME: move this url to the flows app...also will cause all
         # of the reverse calls to be adjusted
-        ensure_csrf_cookie(FlowInterfaceView.as_view()),
+        FlowInterfaceView.as_view(),
         name="if-flow",
     ),
     # Fallback for WS

diff --git a/authentik/enterprise/providers/rac/urls.py b/authentik/enterprise/providers/rac/urls.py
@@ -3,7 +3,6 @@
 from channels.auth import AuthMiddleware
 from channels.sessions import CookieMiddleware
 from django.urls import path
-from django.views.decorators.csrf import ensure_csrf_cookie
 
 from authentik.enterprise.providers.rac.api.connection_tokens import ConnectionTokenViewSet
 from authentik.enterprise.providers.rac.api.endpoints import EndpointViewSet
@@ -19,12 +18,12 @@
 urlpatterns = [
     path(
         "application/rac/<slug:app>/<uuid:endpoint>/",
-        ensure_csrf_cookie(RACStartView.as_view()),
+        RACStartView.as_view(),
         name="start",
     ),
     path(
         "if/rac/<str:token>/",
-        ensure_csrf_cookie(RACInterface.as_view()),
+        RACInterface.as_view(),
         name="if-rac",
     ),
 ]

diff --git a/authentik/root/middleware.py b/authentik/root/middleware.py
@@ -41,7 +41,9 @@ def is_secure(request: HttpRequest) -> bool:
             # Since go does not consider localhost with http a secure origin
             # we can't set the secure flag.
             user_agent = request.META.get("HTTP_USER_AGENT", "")
-            if user_agent.startswith("goauthentik.io/outpost/") or "safari" in user_agent.lower():
+            if user_agent.startswith("goauthentik.io/outpost/") or (
+                "safari" in user_agent.lower() and "chrome" not in user_agent.lower()
+            ):
                 return False
             return True
         return False