🔧[maykinmedia/open-api-framework#68] fix CSP errors

maykinmedia · Sep 27, 2024 · e047c40 · e047c40
1 parent b18da87
commit e047c40
Show file tree

Hide file tree

Showing 7 changed files with 43 additions and 13 deletions.
diff --git a/.github/workflows/oaf-check.yml b/.github/workflows/oaf-check.yml
@@ -0,0 +1,17 @@
+name: Check Open API Framework Version
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ "master" ]
+  schedule:
+    - cron: '32 10 * * 4'
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
diff --git a/docs/installation/config.rst b/docs/installation/config.rst
@@ -17,7 +17,7 @@ Available environment variables
 Required
 --------
 
-* ``SECRET_KEY``: Secret key that's used for certain cryptographic utilities. You should generate one via `miniwebtool <https://www.miniwebtool.com/django-secret-key-generator>`_.
+* ``SECRET_KEY``: Secret key that's used for certain cryptographic utilities. .
 * ``ALLOWED_HOSTS``: a comma separated (without spaces!) list of domains that serve the installation. Used to protect against Host header attacks. Defaults to: ``(empty string)``.
 * ``CACHE_DEFAULT``: redis cache address for the default cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``.
 * ``CACHE_AXES``: redis cache address for the brute force login protection cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``.
@@ -80,7 +80,7 @@ Optional
 * ``LOG_LEVEL``: control the verbosity of logging output. Available values are ``CRITICAL``, ``ERROR``, ``WARNING``, ``INFO`` and ``DEBUG``. Defaults to: ``WARNING``.
 * ``LOG_QUERIES``: enable (query) logging at the database backend level. Note that you must also set ``DEBUG=1``, which should be done very sparingly!. Defaults to: ``False``.
 * ``LOG_REQUESTS``: enable logging of the outgoing requests. Defaults to: ``False``.
-* ``SESSION_COOKIE_SAMESITE``: The value of the SameSite flag on the session cookie. This flag prevents the cookie from being sent in cross-site requests thus preventing CSRF attacks and making some methods of stealing session cookie impossible. Defaults to: ``Strict``.
+* ``SESSION_COOKIE_SAMESITE``: The value of the SameSite flag on the session cookie. This flag prevents the cookie from being sent in cross-site requests thus preventing CSRF attacks and making some methods of stealing session cookie impossible.Currently interferes with OIDC. Keep the value set at Lax if used. Defaults to: ``Lax``.
 * ``CSRF_COOKIE_SAMESITE``: The value of the SameSite flag on the CSRF cookie. This flag prevents the cookie from being sent in cross-site requests. Defaults to: ``Strict``.
 * ``ENVIRONMENT``: An identifier for the environment, displayed in the admin depending on the settings module used and included in the error monitoring (see ``SENTRY_DSN``). The default is set according to ``DJANGO_SETTINGS_MODULE``.
 * ``SUBPATH``: If hosted on a subpath, provide the value here. If you provide ``/gateway``, the component assumes its running at the base URL: ``https://somedomain/gateway/``. Defaults to an empty string. Defaults to: ``None``.

diff --git a/requirements/base.txt b/requirements/base.txt
@@ -97,6 +97,7 @@ django==4.2.15
     #   djangorestframework-inclusions
     #   drf-nested-routers
     #   drf-spectacular
+    #   drf-spectacular-sidecar
     #   drf-yasg
     #   maykin-2fa
     #   mozilla-django-oidc
@@ -177,8 +178,10 @@ djangorestframework-inclusions==1.2.0
     # via open-api-framework
 drf-nested-routers==0.94.1
     # via commonground-api-common
-drf-spectacular==0.27.2
+drf-spectacular[sidecar]==0.27.2
     # via open-api-framework
+drf-spectacular-sidecar==2024.7.1
+    # via drf-spectacular
 drf-yasg==1.21.7
     # via commonground-api-common
 ecs-logging==2.2.0
@@ -231,7 +234,7 @@ mozilla-django-oidc-db==0.19.0
     # via open-api-framework
 notifications-api-common==0.2.2
     # via commonground-api-common
-open-api-framework==0.8.0
+open-api-framework==0.8.1
     # via -r requirements/base.in
 orderedmultidict==1.0.1
     # via furl

diff --git a/requirements/ci.txt b/requirements/ci.txt
@@ -174,6 +174,7 @@ django==4.2.15
     #   djangorestframework-inclusions
     #   drf-nested-routers
     #   drf-spectacular
+    #   drf-spectacular-sidecar
     #   drf-yasg
     #   maykin-2fa
     #   mozilla-django-oidc
@@ -338,11 +339,16 @@ drf-nested-routers==0.94.1
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   commonground-api-common
-drf-spectacular==0.27.2
+drf-spectacular[sidecar]==0.27.2
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   open-api-framework
+drf-spectacular-sidecar==2024.7.1
+    # via
+    #   -c requirements/base.txt
+    #   -r requirements/base.txt
+    #   drf-spectacular
 drf-yasg==1.21.7
     # via
     #   -c requirements/base.txt
@@ -493,7 +499,7 @@ notifications-api-common==0.2.2
     #   -c requirements/base.txt
     #   -r requirements/base.txt
     #   commonground-api-common
-open-api-framework==0.8.0
+open-api-framework==0.8.1
     # via
     #   -c requirements/base.txt
     #   -r requirements/base.txt

diff --git a/requirements/dev.txt b/requirements/dev.txt
@@ -204,6 +204,7 @@ django==4.2.15
     #   djangorestframework-inclusions
     #   drf-nested-routers
     #   drf-spectacular
+    #   drf-spectacular-sidecar
     #   drf-yasg
     #   maykin-2fa
     #   mozilla-django-oidc
@@ -376,11 +377,16 @@ drf-nested-routers==0.94.1
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
     #   commonground-api-common
-drf-spectacular==0.27.2
+drf-spectacular[sidecar]==0.27.2
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
     #   open-api-framework
+drf-spectacular-sidecar==2024.7.1
+    # via
+    #   -c requirements/ci.txt
+    #   -r requirements/ci.txt
+    #   drf-spectacular
 drf-yasg==1.21.7
     # via
     #   -c requirements/ci.txt
@@ -562,7 +568,7 @@ notifications-api-common==0.2.2
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt
     #   commonground-api-common
-open-api-framework==0.8.0
+open-api-framework==0.8.1
     # via
     #   -c requirements/ci.txt
     #   -r requirements/ci.txt

diff --git a/src/openklant/conf/api.py b/src/openklant/conf/api.py
@@ -17,6 +17,9 @@
 REST_FRAMEWORK["DEFAULT_SCHEMA_CLASS"] = "openklant.components.utils.schema.AutoSchema"
 
 SPECTACULAR_SETTINGS = {
+    "SWAGGER_UI_DIST": "SIDECAR",
+    "SWAGGER_UI_FAVICON_HREF": "SIDECAR",
+    "REDOC_DIST": "SIDECAR",
     "SERVE_INCLUDE_SCHEMA": False,
     "CAMELIZE_NAMES": True,
     "SCHEMA_PATH_PREFIX": r"/v[0-9]+",

diff --git a/src/openklant/conf/base.py b/src/openklant/conf/base.py
@@ -47,8 +47,3 @@
 # Django-Admin-Index
 #
 ADMIN_INDEX_SHOW_REMAINING_APPS_TO_SUPERUSERS = True
-
-CSP_EXCLUDE_URL_PREFIXES = (
-    "/contactgegevens/api/v1/schema/",
-    "/klantinteracties/api/v1/schema/",
-)