Something broke after I deployed #130 and deleting passkeys now raises HTTP 403 errors due to "CSRF verification failed."
I don't remember changing anything about Django or its knowledge of valid CSRF origins recently so I'm surprised to see log errors like this:
I note here in settings.py that `PROD_HOST_NAME` "should include protocol"... https://github.com/duo-labs/webauthn.io/blob/master/_app/webauthnio/settings.py#L18-L19
...yet in the production environment `PROD_HOST_NAME` is only the origin, without a protocol. I'm going to try and refactor things so that I can use a host-less value for `ALLOWED_HOSTS` but a host-inclusive value for `CSRF_TRUSTED_ORIGINS` and see if that won't fix the problem.
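One way to do the refactor the comment above describes, as an added example rather than code from the webauthn.io repository: derive both Django settings from the single `PROD_HOST_NAME` value, whether or not the deployment supplies a scheme. `ALLOWED_HOSTS` is matched against the `Host` header with the port stripped, so it only needs the bare hostname, while `CSRF_TRUSTED_ORIGINS` (Django 4.0 and later) requires a scheme and keeps any non-default port. The helper name `split_host_settings` and the `https` default are assumptions, not project code.

```python
import os
from urllib.parse import urlsplit


def split_host_settings(prod_host_name, default_scheme="https"):
    """Return (ALLOWED_HOSTS, CSRF_TRUSTED_ORIGINS) derived from one value.

    Accepts either "webauthn.io" or "https://webauthn.io"; when the scheme is
    missing it is assumed to be `default_scheme` so CSRF origins always carry
    a protocol, which is what Django's CSRF check compares against Origin.
    """
    value = prod_host_name.strip()
    if "://" not in value:
        # Hypothetical choice: a scheme-less value is treated as the default
        # scheme rather than rejected, so a bare origin still deploys.
        value = f"{default_scheme}://{value}"
    parts = urlsplit(value)
    if not parts.hostname:
        raise ValueError(f"cannot extract a host from {prod_host_name!r}")
    # ALLOWED_HOSTS wants the hostname only (no scheme, no port).
    allowed_hosts = [parts.hostname]
    # CSRF_TRUSTED_ORIGINS wants scheme + host, keeping the port if present
    # (netloc retains "host:port" while hostname does not).
    trusted_origins = [f"{parts.scheme}://{parts.netloc}"]
    return allowed_hosts, trusted_origins


# In settings.py this would replace separate, hand-maintained lists.
# "localhost" is a constructed fallback for local development.
ALLOWED_HOSTS, CSRF_TRUSTED_ORIGINS = split_host_settings(
    os.environ.get("PROD_HOST_NAME", "localhost")
)

if __name__ == "__main__":
    for raw in ("webauthn.io", "https://webauthn.io", "http://localhost:8000"):
        print(raw, "->", split_host_settings(raw))
```

Because the same value feeds both settings, a deployment that drops the scheme no longer silently leaves `CSRF_TRUSTED_ORIGINS` without a protocol, which is the mismatch that produces "CSRF verification failed" on state-changing requests such as deleting a passkey.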