
JWT_COOKIE_SAMESITE = 'None' not being respected


Hi! I have installed version 0.3.1, as my pipenv update --outdated shows: django-graphql-jwt: 0.3.1 installed, 0.3.1 required (Unpinned in Pipfile), 0.3.1 available.

And recently with the new change on Chrome policy regarding the cookies I saw that we needed to secure cookies when setting samesite none. More here

However, although I explicitly set this setting accordingly:

from datetime import timedelta
from decouple import config  # assumed: python-decouple, matching the config(..., cast=, default=) calls below

GRAPHQL_JWT = {
    'JWT_ALLOW_ARGUMENT': False,
    'JWT_HIDE_TOKEN_FIELDS': True,
    'JWT_VERIFY_EXPIRATION': True,
    'JWT_LONG_RUNNING_REFRESH_TOKEN': True,
    'JWT_EXPIRATION_DELTA': timedelta(minutes=15),
    'JWT_REFRESH_EXPIRATION_DELTA': timedelta(days=7),
    # Secure is required for a SameSite=None cookie to be accepted by Chrome 80+
    'JWT_COOKIE_SECURE': config('JWT_COOKIE_SECURE', cast=bool, default=True),
    'JWT_COOKIE_SAMESITE': 'None',
    'JWT_CSRF_ROTATION': True,
}

The cookie is being delivered Secure, but the SameSite property is delivered as Lax. I saw PR #214; actually I had the latest version by that moment, and I reinstalled and checked everything because of this new policy. While the Django settings regarding CSRF are working (on Chrome I'm receiving the correct props), this one doesn't.

My Django settings that are working:

CSRF_COOKIE_SAMESITE = 'None'
CSRF_COOKIE_SECURE = config(
    'CSRF_COOKIE_SECURE', default=True, cast=bool)
SESSION_COOKIE_SAMESITE = 'None'
SESSION_COOKIE_SECURE = config(
    'SESSION_COOKIE_SECURE', default=True, cast=bool)

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 4
  • Comments: 7 (1 by maintainers)

Top GitHub Comments

6 reactions
fbennets commented, Dec 5, 2020

It’s really confusing that this feature is already part of the documentation but not implemented. @mongkok should I make a PR with a comment in the documentation? I guess that would be really helpful.

This version is still not available on PyPi, any advice on how I can work around this for now?

For me, the repo currently contains breaking changes. Therefore I forked the repo, rolled back to the code used for version 0.31 and just added the two lines (see here).

Feel free to use this modified version (just paste this into your requirements): git+git://github.com/open-decision/django-graphql-jwt@mod#egg=django-graphql-jwt

3 reactions
deanpienaar commented, Aug 17, 2020

👍 Yeah. Would really appreciate this feature being released.
