WillianFuks / djwto

JWT Authentication for Django
MIT License

Delete cookie needs same site settings #8

Closed hr-curtissimo closed 2 years ago

hr-curtissimo commented 2 years ago

When setting DJWTO_SAME_SITE to a value other than "Lax", the delete_cookie call in djwto/views.py#delete tries to delete the cookie without the same SAME SITE setting. This fails to remove the cookie in the browser.

I have a PR ready if you would like it.
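The check described in the report above, as an added example that is not part of the original thread or of djwto's code: it builds a cookie-deletion `Set-Cookie` value with the standard library and reports which attributes differ from the cookie originally set. The cookie name `jwt_refresh`, the helper names and the sample header are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"


def expire_cookie_header(name, path="/", domain=None, samesite=None):
    """Build a Set-Cookie value that expires `name` (hypothetical helper)."""
    jar = SimpleCookie()
    jar[name] = ""
    morsel = jar[name]
    morsel["path"] = path
    morsel["expires"] = EPOCH
    morsel["max-age"] = 0
    if domain:
        morsel["domain"] = domain
    if samesite:
        morsel["samesite"] = samesite
        # Browsers only accept SameSite=None together with Secure.
        if samesite.lower() == "none":
            morsel["secure"] = True
    return morsel.OutputString()


def _morsel(header):
    """Parse one Set-Cookie value and return its single cookie."""
    jar = SimpleCookie()
    jar.load(header)
    return next(iter(jar.values()))


def deletion_mismatches(set_header, delete_header):
    """Return the attributes on which the deletion differs from the original."""
    original, deletion = _morsel(set_header), _morsel(delete_header)
    diffs = [attr for attr in ("path", "domain", "samesite")
             if original[attr].lower() != deletion[attr].lower()]
    if bool(original["secure"]) != bool(deletion["secure"]):
        diffs.append("secure")
    return diffs


# Constructed sample: a login cookie issued with SameSite=None.
LOGIN = "jwt_refresh=abc; HttpOnly; Path=/; SameSite=None; Secure"

if __name__ == "__main__":
    print(deletion_mismatches(LOGIN, expire_cookie_header("jwt_refresh")))
    print(deletion_mismatches(LOGIN, expire_cookie_header("jwt_refresh", samesite="None")))
```

In a Django view the equivalent is passing `samesite=` to `HttpResponse.delete_cookie`, which accepts that argument from Django 3.1 onward.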

WillianFuks commented 2 years ago

Hi @hr-curtissimo ,

Thanks for opening this issue. Not sure what's happening there, I just tested here deleting the cookies with various values for SAME_SITE attribute and the cookies were deleted as expected.

Do you have maybe some example of how you implemented the deletion call? What browser did you test? What code did you have to change in order to see it working?

Maybe it's some conflict happening somewhere due to a distinct environment setup, but I'm not sure either.

Best,

Will

hr-curtissimo commented 2 years ago

Hi, @WillianFuks! Thanks for getting back to me. I'm sorry about the long break between your response and this message. Here's a screenshot of the problem that I'm referring to.

[Screenshot: problem-with-deleting-cookies]

I pulled that screenshot from this example: https://gcurtissimo.gitlab.io/djwto-example/ (You may need to wait a moment for the back-end services to spin up in response to the button clicks.)

I hope that the instructions are clear enough for you to reproduce the error. I'll watch this thread more carefully in case you post a reply.

Here's a link to the diff of my changes, in case you want the pull request. https://github.com/WillianFuks/djwto/compare/master...hr-curtissimo:djwto:master

hr-curtissimo commented 2 years ago

Oh. I just realized I didn't answer one of your questions. I tested it on both Google Chrome and Mozilla Firefox.

WillianFuks commented 2 years ago

Hi @hr-curtissimo ,

Thanks for the return and information. I tried playing around with the example that you created but unfortunately it's not working for me. Regardless of how I use it, the /data API connection always gets refused; the logout option also didn't succeed in the same regard.

I played around with the idea and implemented a sandbox environment, similar to what you did, using Vue instead of React (mainly because it's the only progressive JS framework that I know ^^). You can check and test the newer code as well.

Bad news is that regardless of how I set the connections, I couldn't recreate what you observed. Maybe if you see the connections I did you may find something?

Also could you please share the code you implemented for creating the demo? I'll try to find something different from my implementation and see if I can cause the same cookie setting block on my browser.

Best!

Will

WillianFuks commented 2 years ago

Hi @hr-curtissimo ,

Sorry for the delay! As you could see, your code has been merged into master now. Could you please confirm everything is working?

As you don't have an email I couldn't reference you in the commit. Do you have a no-reply email I could use?

Best!

Will

WillianFuks commented 2 years ago

Hi @hr-curtissimo ,

Just as a quick note, I just uploaded a new rc to pypi. You can test the new code just by installing the newer code:

pip install djwto==0.0.4rc0

Hope that helps, please let me know if it works for you!

Best,

Will