flavors / django-graphql-jwt

JSON Web Token (JWT) authentication for Graphene Django
https://django-graphql-jwt.domake.io
MIT License

Samesite setting not being set on HttpOnly token delete #288

Open aaonhub opened 3 years ago

aaonhub commented 3 years ago

Sorry if there's some standard I'm not following; it's my first GitHub issue submission.

I don't know why, but getting the token works fine, while trying to delete it ignores the samesite setting.

My django settings (I tried commenting out the samesite setting but nothing changed):

GRAPHQL_JWT = {
    "JWT_COOKIE_SECURE": True,
    "JWT_COOKIE_SAMESITE": "None",

    # optional
    "JWT_LONG_RUNNING_REFRESH_TOKEN": True,
}

My apollo client HttpLink:

// assumes @apollo/client 3; older setups import HttpLink from 'apollo-link-http'
import { HttpLink } from '@apollo/client';

const link = new HttpLink({
  uri: 'http://127.0.0.1:8000/',
  credentials: 'include', // send the HttpOnly token cookie cross-site
});

Token mutation: [screenshot]

Deleting token mutation: [screenshot]

letops commented 3 years ago

Can confirm. This same thing is happening to me; the only difference is that I am not using the Long Running Refresh Tokens.

aaonhub commented 3 years ago

I feel like this is a pretty major bug. Is nobody else having this problem?

cadiente-jomel commented 2 years ago

@aaonhub I'm having the same problem, did you already solve the problem?

JamieOWilliams commented 2 years ago

It looks like the method used to delete cookies simply ignores the samesite setting.

https://github.com/flavors/django-graphql-jwt/blob/704f24e7ebbea0b81015ef3c1f4a302e9d432ecf/graphql_jwt/utils.py#L139-L144

After a quick test, the following change works:

import django
from graphql_jwt.settings import jwt_settings


def delete_cookie(response, key):
    # Pass the same path/domain the cookie was set with; otherwise the browser
    # treats the expired cookie as a different one and keeps the original.
    kwargs = {
        "path": jwt_settings.JWT_COOKIE_PATH,
        "domain": jwt_settings.JWT_COOKIE_DOMAIN,
    }
    if django.VERSION >= (2, 1):
        # Mirror the SameSite attribute too; without it a cross-site response
        # cannot clear a SameSite=None cookie.
        kwargs["samesite"] = jwt_settings.JWT_COOKIE_SAMESITE

    response.delete_cookie(key, **kwargs)
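To see why the original call leaves the token cookie in place, here is an added example (not code from the project or from the poster) that checks a logout Set-Cookie header against the login one, using the browser rules stated in its docstring as assumptions:

```python
"""Added example (not django-graphql-jwt code). Assumed browser rules: cookies
are keyed by (name, domain, path); a SameSite=None cookie must also be Secure;
and a response to a cross-site request (the Apollo client on another origin
with credentials: 'include') can only set a cookie carrying SameSite=None."""


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value or True})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip('"'), attrs


def check_logout_cookie(login_header, logout_header, cross_site=True):
    """Return the reasons the logout header would NOT clear the login cookie."""
    name, _, issued = parse_set_cookie(login_header)
    del_name, _, deleting = parse_set_cookie(logout_header)
    problems = []
    if name != del_name:
        problems.append("name mismatch")
    # Django's delete_cookie() defaults: path="/", no domain.
    for attr, default in (("domain", None), ("path", "/")):
        if issued.get(attr, default) != deleting.get(attr, default):
            problems.append(f"{attr} mismatch: browser keeps a separate cookie")
    # Assumption: a missing SameSite attribute is treated as Lax (Chrome default).
    samesite = str(deleting.get("samesite", "Lax")).lower()
    if samesite == "none" and "secure" not in deleting:
        problems.append("SameSite=None without Secure: header rejected")
    if cross_site and samesite != "none":
        problems.append("SameSite is not None: cross-site response cannot set it")
    if deleting.get("max-age") != "0" and "expires" not in deleting:
        problems.append("cookie is not expired")
    return problems


# Constructed headers modelled on what Django emits: the broken logout header is
# the pre-fix delete_cookie() output, the fixed one passes samesite through.
LOGIN = "JWT=eyJ.fake.token; Path=/; Secure; HttpOnly; SameSite=None"
BROKEN_LOGOUT = 'JWT=""; expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Path=/'
FIXED_LOGOUT = BROKEN_LOGOUT + "; Secure; SameSite=None"

if __name__ == "__main__":
    print("before fix:", check_logout_cookie(LOGIN, BROKEN_LOGOUT))
    print("after fix: ", check_logout_cookie(LOGIN, FIXED_LOGOUT))
```

An empty list means the browser would replace the token cookie with the expired one; any entry means the token silently survives logout, which is the behaviour reported above.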