Merge branch '772-mention-csrf-trusted-origin-configuration-in-handbook' into 'master'

Automatically allow CORS from ALLOWED_HOSTS and dev servers Closes #772 See merge request !1142

Merge branch '772-mention-csrf-trusted-origin-configuration-in-handbook' into 'master'
94e83373 · Nik | Klampfradler · f379a367 · f485677b · 94e83373 · 94e83373
Commit 94e83373 authored 2 years ago by Nik | Klampfradler
--- a/aleksis/core/settings.py
+++ b/aleksis/core/settings.py
@@ -63,12 +63,23 @@ UWSGI = {
 UWSGI_SERVE_STATIC = True
 UWSGI_SERVE_MEDIA = False

+DEV_SERVER_PORT = 8000
+DJANGO_VITE_DEV_SERVER_PORT = DEV_SERVER_PORT+1
+
 ALLOWED_HOSTS = _settings.get("http.allowed_hosts", [getfqdn(), "localhost", "127.0.0.1", "[::1]"])
 BASE_URL = _settings.get(
-    "http.base_url", "http://localhost:8000" if DEBUG else f"https://{ALLOWED_HOSTS[0]}"
+    "http.base_url", f"http://localhost:{DEV_SERVER_PORT}" if DEBUG else f"//{ALLOWED_HOSTS[0]}"
 )

-CSRF_TRUSTED_ORIGINS = _settings.get("http.trusted_origins", [])
+def generate_trusted_origins():
+    origins = []
+    origins += [f"http://{host}" for host in ALLOWED_HOSTS]
+    origins += [f"https://{host}" for host in ALLOWED_HOSTS]
+    if DEBUG:
+        origins += [f"http://{host}:{DEV_SERVER_PORT}" for host in ALLOWED_HOSTS]
+        origins += [f"http://{host}:{DJANGO_VITE_DEV_SERVER_PORT}" for host in ALLOWED_HOSTS]
+    return origins
+CSRF_TRUSTED_ORIGINS = _settings.get("http.trusted_origins", generate_trusted_origins())

 # Application definition
 INSTALLED_APPS = [
@@ -601,7 +612,6 @@ JS_ROOT = _settings.get("js_assets.root", os.path.join(NODE_MODULES_ROOT, "node_

 DJANGO_VITE_ASSETS_PATH = os.path.join(NODE_MODULES_ROOT, "vite_bundles")
 DJANGO_VITE_DEV_MODE = DEBUG
-DJANGO_VITE_DEV_SERVER_PORT = 5173

 STATICFILES_DIRS = (
    DJANGO_VITE_ASSETS_PATH,

--- a/aleksis/core/util/frontend_helpers.py
+++ b/aleksis/core/util/frontend_helpers.py
@@ -25,6 +25,7 @@ def get_apps_with_frontend():
 def write_vite_values(out_path: str) -> dict[str, Any]:
    vite_values = {
        "static_url": settings.STATIC_URL,
+        "serverPort": settings.DJANGO_VITE_DEV_SERVER_PORT,
    }
    # Write rollup entrypoints for all apps
    vite_values["appDetails"] = {}

--- a/aleksis/core/vite.config.js
+++ b/aleksis/core/vite.config.js
@@ -139,7 +139,8 @@ export default defineConfig({
  },
  server: {
    strictPort: true,
-    origin: "http://localhost:5173",
+    port: django_values.serverPort,
+    origin: `http://localhost:${django_values.serverPort}`,
    watch: {
      ignored: [
        "**/*.py",