diff --git a/frontend/src/services/api/ApiNativeClient/index.ts b/frontend/src/services/api/ApiNativeClient/index.ts
index 643deb25..30841b2f 100644
--- a/frontend/src/services/api/ApiNativeClient/index.ts
+++ b/frontend/src/services/api/ApiNativeClient/index.ts
@@ -13,13 +13,13 @@ class ApiNativeClient implements ApiClient {
 const robotToken = systemClient.getItem('robot_token');
 if (robotToken) {
 const sessionid = systemClient.getCookie('sessionid');
- const csrftoken = systemClient.getCookie('csrftoken');
+ // const csrftoken = systemClient.getCookie('csrftoken');
 headers = {
 ...headers,
 ...{
- 'X-CSRFToken': csrftoken,
- Cookie: `sessionid=${sessionid};csrftoken=${csrftoken}`,
+ // 'X-CSRFToken': csrftoken,
+ Cookie: `sessionid=${sessionid}`, // ;csrftoken=${csrftoken}
 },
 };
 }
diff --git a/frontend/src/services/api/ApiWebClient/index.ts b/frontend/src/services/api/ApiWebClient/index.ts
index 67ab3c06..a25187b2 100644
--- a/frontend/src/services/api/ApiWebClient/index.ts
+++ b/frontend/src/services/api/ApiWebClient/index.ts
@@ -5,7 +5,7 @@ class ApiWebClient implements ApiClient {
 private readonly getHeaders: () => HeadersInit = () => {
 return {
 'Content-Type': 'application/json',
- 'X-CSRFToken': systemClient.getCookie('csrftoken') || '',
+ // 'X-CSRFToken': systemClient.getCookie('csrftoken') || '',
 };
 };
diff --git a/mobile/App.tsx b/mobile/App.tsx
index 3d8f637b..f7aa1eb9 100644
--- a/mobile/App.tsx
+++ b/mobile/App.tsx
@@ -1,4 +1,4 @@
-import React, { useEffect, useRef } from 'react';
+import React, { useRef } from 'react';
 import { WebView, WebViewMessageEvent } from 'react-native-webview';
 import { SafeAreaView, Text, Platform, Appearance } from 'react-native';
 import TorClient from './services/Tor';
@@ -31,7 +31,7 @@ const App = () => {
 );
 };
- const init = (reponseId: string) => {
+ const init = (responseId: string) => {
 const loadCookie = async (key: string) => {
 return await EncryptedStorage.getItem(key).then((value) => {
 if (value) {
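Review bot: The rewritten `Cookie` line still hand-builds a cookie-authenticated request (`sessionid=${sessionid}`) but no longer sends `X-CSRFToken`, so from the server's point of view these requests are now indistinguishable from a cross-site browser POST; that is only safe because the same commit stops checking CSRF server-side, and the dependency deserves a comment here, e.g. `// no CSRF header: server-side enforcement is disabled (robosats.middleware.DisableCSRFMiddleware)`, so nobody restores `CsrfViewMiddleware` without restoring this header. The three commented-out fragments (`// const csrftoken …`, `// 'X-CSRFToken': csrftoken,` and the trailing `// ;csrftoken=${csrftoken}` inside the Cookie line) are dead code that git history already keeps; delete them rather than leaving a half-removed feature. Since the line is being rewritten anyway, note that `sessionid` is interpolated unchecked, so if `getCookie` returns `undefined` for a missing cookie the header becomes the literal `sessionid=undefined` (pre-existing). The enclosing method starts and ends outside the hunk.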
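Review bot: `getHeaders` is the browser path — it reads the token from a cookie via `systemClient.getCookie`, which is the cookie-session case CSRF tokens exist for — so commenting out `X-CSRFToken` leaves the web client with no CSRF defense at all and makes it fully dependent on the server never re-enabling checks. Sending the header is harmless when the server ignores it, so keep `'X-CSRFToken': systemClient.getCookie('csrftoken') || '',` in place; that preserves the option of restoring `CsrfViewMiddleware` later without a coordinated frontend release. If the header really must go, delete the line instead of leaving it commented out. The class continues outside the hunk.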
@@ -44,13 +44,13 @@ const App = () => {
 };
 EncryptedStorage.removeItem('sessionid');
- EncryptedStorage.removeItem('csrftoken');
+ // EncryptedStorage.removeItem('csrftoken');
 loadCookie('robot_token');
 loadCookie('settings_fontsize_basic');
 loadCookie('settings_language');
 loadCookie('settings_mode');
 loadCookie('settings_network');
- loadCookie('garage').then(() => injectMessageResolve(reponseId));
+ loadCookie('garage').then(() => injectMessageResolve(responseId));
 };
 const onCatch = (dataId: string, event: any) => {
diff --git a/robosats/middleware.py b/robosats/middleware.py
new file mode 100644
index 00000000..fc76b11c
--- /dev/null
+++ b/robosats/middleware.py
@@ -0,0 +1,8 @@
+class DisableCSRFMiddleware(object):
+ def __init__(self, get_response):
+ self.get_response = get_response
+
+ def __call__(self, request):
+ setattr(request, "_dont_enforce_csrf_checks", True)
+ response = self.get_response(request)
+ return response
diff --git a/robosats/settings.py b/robosats/settings.py
index 08955cac..7ea68382 100644
--- a/robosats/settings.py
+++ b/robosats/settings.py
@@ -54,19 +54,6 @@ ALLOWED_HOSTS = [
 CORS_ALLOW_ALL_ORIGINS = True
-CSRF_TRUSTED_ORIGINS = [
- f'http://{config("HOST_NAME")}',
- f'http://{config("HOST_NAME2")}',
- f'http://{config("I2P_ALIAS")}',
- f'http://{config("I2P_LONG")}',
- f'http://{config("LOCAL_ALIAS")}',
- "http://localhost",
- "http://*.onion",
- "http://*",
- "https://*.com",
- "https://*",
-]
-
 # Allows Session Cookie to be read by Javascript on Client side.
 SESSION_COOKIE_HTTPONLY = False
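Review bot: Commenting out `EncryptedStorage.removeItem('csrftoken')` means a `csrftoken` value written by an earlier build (the removed line shows the key was being managed before) is never cleaned out of encrypted storage; since nothing reads it any more, keep the `removeItem` call so existing installs shed the stale key, or delete the line outright instead of leaving it commented. The `responseId` typo fix is fine, but the resolved promise only waits on `loadCookie('garage')` while the other `loadCookie` calls (an `async` function, per the previous hunk) are fired without `await`, so `init` can signal completion before the remaining keys are restored — pre-existing, but if intended it deserves `// only 'garage' is awaited before resolving; other loads may still be in flight`. `init` begins in the previous hunk and the enclosing `App` component continues outside this one.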
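Review bot: `DisableCSRFMiddleware.__call__` sets `_dont_enforce_csrf_checks` on every request unconditionally, so the exemption also covers ordinary browser sessions authenticated by the `sessionid` cookie, and `_dont_enforce_csrf_checks` is a private attribute Django uses internally (its test client sets it) rather than a supported API, so its behaviour can change without notice. Because `CsrfViewMiddleware` is removed from `MIDDLEWARE` in the same commit, this attribute can only be aimed at some other CSRF check that runs later (presumably Django REST Framework's `SessionAuthentication`, which is not visible here — confirm), and the class should say so in a docstring, e.g. `"""Marks every request CSRF-exempt; needed because <which check> still enforces CSRF after CsrfViewMiddleware is removed."""`. Prefer narrowing the bypass to a condition that identifies the non-browser client, or exempting only the views that need it with `django.views.decorators.csrf.csrf_exempt`, instead of a blanket middleware. Minor: drop `(object)` from the class definition, as this is Python 3.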
@@ -158,7 +145,8 @@ MIDDLEWARE = [
 "django.middleware.security.SecurityMiddleware",
 "django.contrib.sessions.middleware.SessionMiddleware",
 "django.middleware.common.CommonMiddleware",
- "django.middleware.csrf.CsrfViewMiddleware",
+ # "django.middleware.csrf.CsrfViewMiddleware",
+ "robosats.middleware.DisableCSRFMiddleware",
 "django.contrib.auth.middleware.AuthenticationMiddleware",
 "django.contrib.messages.middleware.MessageMiddleware",
 "django.middleware.clickjacking.XFrameOptionsMiddleware",
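Review bot: Registering `robosats.middleware.DisableCSRFMiddleware` in place of `CsrfViewMiddleware` switches off CSRF protection for the whole site while the same file keeps `SESSION_COOKIE_HTTPONLY = False` and `CORS_ALLOW_ALL_ORIGINS = True` (and the earlier hunk drops `CSRF_TRUSTED_ORIGINS`), so any third-party page can submit state-changing, cookie-authenticated requests on behalf of a logged-in browser user — plain form POSTs are not subject to CORS at all. Django's default `SESSION_COOKIE_SAMESITE = 'Lax'` blunts the simplest cross-site POST in modern browsers, but that setting is not shown here and is not a substitute for CSRF tokens. If the goal is only to let the native/Tor client call the API without a token, scope the exemption to those views or requests rather than the global middleware list, and record the reason next to the entry, e.g. `# CSRF disabled globally for the native client; see robosats.middleware.DisableCSRFMiddleware`. Delete the commented-out `# "django.middleware.csrf.CsrfViewMiddleware",` line rather than leaving it: git history keeps it, and a commented entry in a middleware list invites re-enabling without the matching frontend header. The `MIDDLEWARE` list continues outside the hunk.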