Adding optional support for setting the cookie domain for JWT auth to…
…kens (#568)
adrenaline681 authored Nov 15, 2023
1 parent de86fa9 commit c6b6530
Showing 3 changed files with 15 additions and 2 deletions.
1 change: 1 addition & 0 deletions dj_rest_auth/app_settings.py
Expand Up @@ -35,6 +35,7 @@
'JWT_AUTH_SECURE': False,
'JWT_AUTH_HTTPONLY': True,
'JWT_AUTH_SAMESITE': 'Lax',
'JWT_AUTH_COOKIE_DOMAIN' : None,
'JWT_AUTH_RETURN_EXPIRATION': False,
'JWT_AUTH_COOKIE_USE_CSRF': False,
'JWT_AUTH_COOKIE_ENFORCE_CSRF_ON_UNAUTHENTICATED': False,
10 changes: 8 additions & 2 deletions dj_rest_auth/jwt_auth.py
Expand Up @@ -16,6 +16,8 @@ def set_jwt_access_cookie(response, access_token):
cookie_secure = api_settings.JWT_AUTH_SECURE
cookie_httponly = api_settings.JWT_AUTH_HTTPONLY
cookie_samesite = api_settings.JWT_AUTH_SAMESITE
cookie_domain = api_settings.JWT_AUTH_COOKIE_DOMAIN


if cookie_name:
response.set_cookie(
Expand All @@ -25,6 +27,7 @@ def set_jwt_access_cookie(response, access_token):
secure=cookie_secure,
httponly=cookie_httponly,
samesite=cookie_samesite,
domain=cookie_domain,
)


Expand All @@ -36,6 +39,7 @@ def set_jwt_refresh_cookie(response, refresh_token):
cookie_secure = api_settings.JWT_AUTH_SECURE
cookie_httponly = api_settings.JWT_AUTH_HTTPONLY
cookie_samesite = api_settings.JWT_AUTH_SAMESITE
cookie_domain = api_settings.JWT_AUTH_COOKIE_DOMAIN

if refresh_cookie_name:
response.set_cookie(
Expand All @@ -46,6 +50,7 @@ def set_jwt_refresh_cookie(response, refresh_token):
httponly=cookie_httponly,
samesite=cookie_samesite,
path=refresh_cookie_path,
domain=cookie_domain,
)


Expand All @@ -59,11 +64,12 @@ def unset_jwt_cookies(response):
refresh_cookie_name = api_settings.JWT_AUTH_REFRESH_COOKIE
refresh_cookie_path = api_settings.JWT_AUTH_REFRESH_COOKIE_PATH
cookie_samesite = api_settings.JWT_AUTH_SAMESITE
cookie_domain = api_settings.JWT_AUTH_COOKIE_DOMAIN

if cookie_name:
response.delete_cookie(cookie_name, samesite=cookie_samesite)
response.delete_cookie(cookie_name, samesite=cookie_samesite, domain=cookie_domain)
if refresh_cookie_name:
response.delete_cookie(refresh_cookie_name, path=refresh_cookie_path, samesite=cookie_samesite)
response.delete_cookie(refresh_cookie_name, path=refresh_cookie_path, samesite=cookie_samesite, domain=cookie_domain)


class CookieTokenRefreshSerializer(TokenRefreshSerializer):
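Review bot: The new `cookie_domain = api_settings.JWT_AUTH_COOKIE_DOMAIN` line in set_jwt_access_cookie (and the same line in set_jwt_refresh_cookie and unset_jwt_cookies) widens the reach of the HttpOnly/Secure token cookies without a comment saying so: once a non-None domain is set, the browser sends both JWT cookies to every host under that domain, so the access and refresh tokens become shared with any subdomain, trusted or not, whereas the None default keeps them host-only. I would add above that line `# Non-None widens the cookie scope to every host under this domain (tokens are then sent to all subdomains); None keeps them host-only.` so the trade-off is visible where the value is read rather than only in the docs. A further caveat worth a line in the same comment: a Domain attribute is incompatible with a `__Host-`-prefixed cookie name, so if a deployment relies on that prefix the browser will reject the cookie once this setting is non-None. The three function bodies start outside the hunks (only the `def` lines appear in the hunk headers), and the delete_cookie calls correctly pass the same domain and path as the set_cookie calls, which the browser requires for the deletion to take effect.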
6 changes: 6 additions & 0 deletions docs/configuration.rst
Expand Up @@ -39,6 +39,7 @@ dj-rest-auth behaviour can be controlled by adjust settings in ``settings.py``:
'JWT_AUTH_SECURE': False,
'JWT_AUTH_HTTPONLY': True,
'JWT_AUTH_SAMESITE': 'Lax',
'JWT_AUTH_COOKIE_DOMAIN' : None,
'JWT_AUTH_RETURN_EXPIRATION': False,
'JWT_AUTH_COOKIE_USE_CSRF': False,
'JWT_AUTH_COOKIE_ENFORCE_CSRF_ON_UNAUTHENTICATED': False,
Expand Down Expand Up @@ -219,6 +220,11 @@ cookie. Default is ``True``.
To tell the browser not to send this cookie when performing a cross-origin
request. Default is ``'Lax'``. SameSite isn't supported by all browsers.

``JWT_AUTH_COOKIE_DOMAIN``
==========================
Sets the cookie domain for the ``access_token`` and ``refresh_token``. Default is ``None``.


``JWT_AUTH_RETURN_EXPIRATION``
==============================

