-
-
Notifications
You must be signed in to change notification settings - Fork 239
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Do not check JWT_TOKEN_LOCATION when setting csrf value in a jwt
Previously, we would only include the csrf double submit value in a jwt if `JWT_COOKIE_CSRF_PROTECT` was true (the default) AND `JWT_TOKEN_LOCATION` was configured to use cookies. However, since we allow overwriting `locations` on a per-route basis instead of only globally for he whole application, we could create a situation where a single route was configured to use cookies when the rest of the app was not, and csrf checks were not happening against that endpoint. This change makes it so that any jwts will be encoded with a csrf value when `JWT_COOKIE_CSRF_PROTECT` is true, regardless of if the app is globally configured to use cookies. It will also verify the csrf double submit token on any route that uses cookies when `JWT_COOKIE_CSRF_PROTECT` is true, regardless of if that is set globally in the application or on an individual route. As a result of this change, you might notice that using jwts without cookies now include a csrf value. This will not change the behavior of non-jwt based endpoints at all, your jwts will just be a little bigger. You can remove that key from the jwt by explicitly setting `JWT_COOKIE_CSRF_PROTECT` to False, if you are not using cookies.
- Loading branch information
Showing
5 changed files
with
12 additions
and
18 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters