But I remember that I tried to allow all hosts to access the urls in the CORS settings and had the same issue, the browser was not storing the cookie, so the ajax wasn’t able to access the cookie jar containing the csrf and the sessionid.
The problem is, how to allow all the hosts on the backend to avoid the CORS issue
This settings file was the one I used:
from pathlib import Path
import pymysql
import os
BASE_DIR = Path(__file__).resolve().parent.parent
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'django-insecure'
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True
WILL_MIGRATE = False # to prepare migrations and deactivate apps native checking on startup
ALLOWED_HOSTS = [
'example.us',
'www.example.us',
'example-us.vercel.app',
'localhost',
'*'
]
CORS_ORIGIN_ALLOW_ALL = True
CORS_REPLACE_HTTPS_REFERER = True
CSRF_TRUSTED_ORIGINS = [
'https://localhost',
'https://example-us.vercel.app',
'https://example.us',
'https://www.example.us',
'https://www.example.us:40001',
'https://example.us:40001',
'https://0.0.0.0:40001',
]
CORS_ALLOW_HEADERS = [ "accept", "referer", "accept-encoding", "authorization", "content-type", "dnt", "origin", "user-agent", "x-csrftoken", "x-sessionid", "x-requested-with"]
CORS_EXPOSE_HEADERS = ['Set-Cookie']
"""
CORS_ALLOWED_HOSTS = [
'example.us',
'www.example.us',
'example-us.vercel.app',
'localhost'
]
CORS_ALLOWED_ORIGINS = [
'https://localhost',
'https://example-us.vercel.app',
'https://example.us',
'https://www.example.us',
'https://www.example.us:40001',
'https://example.us:40001',
'https://0.0.0.0:40001',
]
CORS_ALLOW_CREDENTIALS = True
CSRF_TRUSTED_ORIGINS = [
'localhost',
'www.example.us',
'example.us'
]
"""
"""
# old testing settings
CSRF_COOKIE_SECURE = True
ALLOWED_HOSTS = [
'example.us',
'www.example.us',
# 'www.example.us:40001',
'example-us.vercel.app'
]
CORS_ALLOWED_HOSTS = [
'example.us',
'www.example.us',
# 'www.example.us:40001',
'example-us.vercel.app'
]
CORS_ALLOW_CREDENTIALS = True
CORS_ALLOWED_ORIGINS = [
'https://127.0.0.1:3000',
'https://example-us.vercel.app',
'https://example.us',
'https://www.example.us',
'https://www.example.us:40001',
'https://example.us:40001'
]
CSRF_TRUSTED_ORIGINS = [
'example.us',
'www.example.us',
'vercel.app',
'example-us.vercel.app'
]
# SESSION_COOKIE_SAMESITE = "strict"
"""
"""
CORS_ALLOWED_HOSTS = [
'https://127.0.0.1:3000',
'https://example-us.vercel.app',
'example.us',
'www.example.us',
'www.example.us:40001'
]
CSRF_TRUSTED_ORIGINS = [
'https://127.0.0.1:3000',
'https://example-us.vercel.app',
'https://example.us/',
'http://example.us/',
'https://www.example.us/',
'http://www.example.us',
'https://www.example.us:40001',
'http://www.example.us:40001'
]
# CSRF_COOKIE_SAMESITE = None
CORS_ORIGIN_WHITELIST = (
'https://127.0.0.1:3000',
'https://example-us.vercel.app',
'https://example.us/',
'http://example.us/',
'https://www.example.us/',
'http://www.example.us',
'https://www.example.us:40001',
'http://www.example.us:40001'
)
CSRF_ALLOWED_ORIGINS = [
'https://127.0.0.1:3000',
'https://example-us.vercel.app',
'https://example.us/',
'http://example.us/',
'https://www.example.us/',
'http://www.example.us',
'https://www.example.us:40001',
'http://www.example.us:40001'
]
"""
# CORS_ALLOW_HEADERS = [ "accept", "referer", "accept-encoding", "authorization", "content-type", "dnt", "origin", "user-agent", "x-csrftoken", "x-requested-with", "csrfmiddlewaretoken"]
"""
CORS_ALLOWED_ORIGINS = [
"https://example.us:40001",
"https://www.example.us:40001",
"https://localhost:40001",
"https://127.0.0.1:40001",
"https://example-us.vercel.app"
]
"""
INSTALLED_APPS = [
'django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'blacklist',
"corsheaders",
'sslserver',
'logs',
# 'oauth',
# 'allauth',
# 'allauth.account',
# 'allauth.socialaccount',
# 'allauth.socialaccount.providers.google',
'system',
'cbapi',
'authentication',
'users',
'emailservice',
'userhelp',
'services',
'smsrequests',
'usertransactions',
'notifications',
'permissions',
'staff',
'reports',
'emt',
'sims',
'cryptogateway',
]
MIDDLEWARE = [
"webapi.middlewareForCookies.CustomHeaderMiddleware",
"corsheaders.middleware.CorsMiddleware",
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'blacklist.middleware.BlacklistMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
ROOT_URLCONF = 'webapi.urls'
TEMPLATES = [
{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': [],
'APP_DIRS': True,
'OPTIONS': {
'context_processors': [
'django.template.context_processors.debug',
'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages',
],
},
},
]
WSGI_APPLICATION = 'webapi.wsgi.application'
# Database
# https://docs.djangoproject.com/en/3.2/ref/settings/#databases
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.mysql',
'NAME': 'pre_production_webapi',
'USER': 'pre_production_webapi',
'PASSWORD': 'pre_production_webapi',
'HOST': '127.0.0.1',
'PORT': '3306',
}
}
pymysql.version_info = (1, 4, 2, "final", 0)
pymysql.install_as_MySQLdb()
# Password validation
# https://docs.djangoproject.com/en/3.2/ref/settings/#auth-password-validators
AUTH_PASSWORD_VALIDATORS = [
{
'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
},
{
'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
},
]
# Internationalization
# https://docs.djangoproject.com/en/3.2/topics/i18n/
LANGUAGE_CODE = 'en-us'
TIME_ZONE = 'UTC'
USE_I18N = True
USE_L10N = True
USE_TZ = True
PROJECT_ROOT = os.path.dirname(os.path.abspath(__file__))
STATIC_URL = '/static/'
STATIC_ROOT = os.path.join(PROJECT_ROOT, 'static')
# Default primary key field type
# https://docs.djangoproject.com/en/3.2/ref/settings/#default-auto-field
DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
# extra apps settings
# time to wait to close the account
ACCOUNTS_CLOSING_GRACE_PERIOD = 2592000 # seconds, 2592000 = 30 days