feat(base): build CSRF trusted origins from configuration

!20
2024-06-07 20:36:59 +09:30
parent 3b743a847c
commit d8d75c7db0
2 changed files with 21 additions and 2 deletions
--- a/app/app/settings.py
+++ b/app/app/settings.py
@ -33,11 +33,13 @@ SECRET_KEY = 'django-insecure-b*41-$afq0yl)1e#qpz^-nbt-opvjwb#avv++b9rfdxa@b55sk
 #
 # Defaults
 #
+ALLOWED_HOSTS = [ '*' ]          # Site host to serve
 DEBUG = False                    # SECURITY WARNING: don't run with debug turned on in production!
+SITE_URL = 'http://127.0.0.1'    # domain with HTTP method for the sites URL
 SSO_ENABLED = False              # Enable SSO
 SSO_LOGIN_ONLY_BACKEND = None    # Use specified SSO backend as the ONLY method to login. (builting login form will not be used)
+TRUSTED_ORIGINS = []             # list of trusted domains for CSRF

-ALLOWED_HOSTS = [ '*' ]


 # Application definition
@ -225,6 +227,9 @@ if API_ENABLED:

 DATETIME_FORMAT = 'j N Y H:i:s'

+#
+# Load user settings files
+#
 if os.path.isdir(SETTINGS_DIR):

    settings_files = os.path.join(SETTINGS_DIR, '*.py')
@ -237,6 +242,11 @@ AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
 )

+CSRF_TRUSTED_ORIGINS = [
+    SITE_URL,
+    *TRUSTED_ORIGINS
+]
+
 if DEBUG:
    INSTALLED_APPS += [
        'debug_toolbar',
--- a/docs/projects/django-template/configuration.md
+++ b/docs/projects/django-template/configuration.md
@ -9,6 +9,11 @@ about: https://gitlab.com/nofusscomputing/infrastructure/configuration-managemen
 This page details the configuration for setting up the application.


+## Config file
+
+Configuration for this application is stored within a python file `.py` in directory `/etc/istm/`. Any python file placed within this directory will be dynamically loaded at runtime. It's important to ensure that the file remains a valid python file. Failing to do so will prevent the application from restarting.
+
+
 ## Single Sign-On

 - `SSO_ENABLED`, boolean
@ -43,13 +48,17 @@ SOCIAL_AUTH_OIDC_SECRET = '<client secret>'
 ```


-## Available Settings
+## Available Configuration Settings

 Below are the available configuration values along with their default value.

 ``` py

+ALLOWED_HOSTS = [ '*' ]
 DEBUG = False                    # SECURITY WARNING: don't run with debug turned on in production!
+SITE_URL = 'http://127.0.0.1'    # domain with HTTP method for the URL to access the site
 SSO_ENABLED = False              # Enable SSO
+SSO_LOGIN_ONLY_BACKEND = None    # Use specified SSO backend as the ONLY method to login. (builting login form will not be used)
+TRUSTED_ORIGINS = []             # list of trusted domains for CSRF

 ```