Added JWT_COOKIE_SAMESITE setting

fbennets · Aug 2, 2020 · d26e9f8 · d26e9f8
1 parent bad4c3b
commit d26e9f8
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 9 deletions.
diff --git a/docs/settings.rst b/docs/settings.rst
@@ -305,6 +305,15 @@ JWT_COOKIE_DOMAIN
   Default: ``None``
 
 
+JWT_COOKIE_SAMESITE
+~~~~~~~~~~~~~~~~~~~
+
+  Use 'Strict' or 'Lax' to tell the browser not to send the JWT cookie when performing a cross-origin request
+  Use 'None' (string) to explicitly state that the JWT cookie is sent with all same-site and cross-site requests (Django ≥ 3.1 required)
+
+  Default: ``None``
+
+
 JWT_HIDE_TOKEN_FIELDS
 ~~~~~~~~~~~~~~~~~~~~~
 

diff --git a/graphql_jwt/settings.py b/graphql_jwt/settings.py
@@ -46,6 +46,7 @@
     'JWT_COOKIE_SECURE': False,
     'JWT_COOKIE_PATH': '/',
     'JWT_COOKIE_DOMAIN': None,
+    'JWT_COOKIE_SAMESITE': None,
 }
 
 IMPORT_STRINGS = (

diff --git a/graphql_jwt/utils.py b/graphql_jwt/utils.py
@@ -1,6 +1,7 @@
 from calendar import timegm
 from datetime import datetime
 
+import django
 from django.contrib.auth import get_user_model
 from django.utils.translation import gettext as _
 
@@ -120,15 +121,17 @@ def refresh_has_expired(orig_iat, context=None):
 
 
 def set_cookie(response, key, value, expires):
-    response.set_cookie(
-        key,
-        value,
-        expires=expires,
-        httponly=True,
-        secure=jwt_settings.JWT_COOKIE_SECURE,
-        path=jwt_settings.JWT_COOKIE_PATH,
-        domain=jwt_settings.JWT_COOKIE_DOMAIN,
-    )
+    kwargs = {
+        'expires': expires,
+        'httponly': True,
+        'secure': jwt_settings.JWT_COOKIE_SECURE,
+        'path': jwt_settings.JWT_COOKIE_PATH,
+        'domain': jwt_settings.JWT_COOKIE_DOMAIN,
+    }
+    if django.VERSION >= (2, 1):
+        kwargs['samesite'] = jwt_settings.JWT_COOKIE_SAMESITE
+
+    response.set_cookie(key, value, **kwargs)
 
 
 def delete_cookie(response, key):