Disable CSRF checks

frontend/src/services/api/ApiNativeClient/index.ts

@@ -13,13 +13,13 @@ class ApiNativeClient implements ApiClient {
     const robotToken = systemClient.getItem('robot_token');
     if (robotToken) {
       const sessionid = systemClient.getCookie('sessionid');
-      const csrftoken = systemClient.getCookie('csrftoken');
+      // const csrftoken = systemClient.getCookie('csrftoken');
 
       headers = {
         ...headers,
         ...{
-          'X-CSRFToken': csrftoken,
+          // 'X-CSRFToken': csrftoken,
-          Cookie: `sessionid=${sessionid};csrftoken=${csrftoken}`,
+          Cookie: `sessionid=${sessionid}`, // ;csrftoken=${csrftoken}
         },
       };
     }

frontend/src/services/api/ApiWebClient/index.ts

@@ -5,7 +5,7 @@ class ApiWebClient implements ApiClient {
   private readonly getHeaders: () => HeadersInit = () => {
     return {
       'Content-Type': 'application/json',
-      'X-CSRFToken': systemClient.getCookie('csrftoken') || '',
+      // 'X-CSRFToken': systemClient.getCookie('csrftoken') || '',
     };
   };
 

mobile/App.tsx

@@ -1,4 +1,4 @@
-import React, { useEffect, useRef } from 'react';
+import React, { useRef } from 'react';
 import { WebView, WebViewMessageEvent } from 'react-native-webview';
 import { SafeAreaView, Text, Platform, Appearance } from 'react-native';
 import TorClient from './services/Tor';
@@ -31,7 +31,7 @@ const App = () => {
     );
   };
 
-  const init = (reponseId: string) => {
+  const init = (responseId: string) => {
     const loadCookie = async (key: string) => {
       return await EncryptedStorage.getItem(key).then((value) => {
         if (value) {
@@ -44,13 +44,13 @@ const App = () => {
     };
 
     EncryptedStorage.removeItem('sessionid');
-    EncryptedStorage.removeItem('csrftoken');
+    // EncryptedStorage.removeItem('csrftoken');
     loadCookie('robot_token');
     loadCookie('settings_fontsize_basic');
     loadCookie('settings_language');
     loadCookie('settings_mode');
     loadCookie('settings_network');
-    loadCookie('garage').then(() => injectMessageResolve(reponseId));
+    loadCookie('garage').then(() => injectMessageResolve(responseId));
   };
 
   const onCatch = (dataId: string, event: any) => {

robosats/middleware.py

@@ -0,0 +1,8 @@
+class DisableCSRFMiddleware(object):
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        setattr(request, "_dont_enforce_csrf_checks", True)
+        response = self.get_response(request)
+        return response

robosats/settings.py

@@ -54,19 +54,6 @@ ALLOWED_HOSTS = [
 
 CORS_ALLOW_ALL_ORIGINS = True
 
-CSRF_TRUSTED_ORIGINS = [
-    f'http://{config("HOST_NAME")}',
-    f'http://{config("HOST_NAME2")}',
-    f'http://{config("I2P_ALIAS")}',
-    f'http://{config("I2P_LONG")}',
-    f'http://{config("LOCAL_ALIAS")}',
-    "http://localhost",
-    "http://*.onion",
-    "http://*",
-    "https://*.com",
-    "https://*",
-]
-
 # Allows Session Cookie to be read by Javascript on Client side.
 SESSION_COOKIE_HTTPONLY = False
 
@@ -158,7 +145,8 @@ MIDDLEWARE = [
     "django.middleware.security.SecurityMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",
-    "django.middleware.csrf.CsrfViewMiddleware",
+    # "django.middleware.csrf.CsrfViewMiddleware",
+    "robosats.middleware.DisableCSRFMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",