The latest articles on DEV Community by Code With Beer (@codewithbeer). https://dev.to/codewithbeer https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F310900%2Ffe48d902-0ac9-4bc5-a3e8-83ede8f00512.png https://dev.to/codewithbeer en Code With Beer Sun, 03 Jul 2022 23:06:04 +0000 https://dev.to/codewithbeer/angularjs-django-with-csrfcookiehttponly-3a65 https://dev.to/codewithbeer/angularjs-django-with-csrfcookiehttponly-3a65 <p>In Django, if CSRF_COOKIE_HTTPONLY is enabled, javascript isn't allowed to access CSRF cookie, so it means they also can't get CSRF token inside the cookies. Here is how I handled Django authorization inside AngularJS.</p> <h2> Solution </h2> <p>I know developers are busy, so I will put the solution on the top of posts and explain detail after that.</p> <p>Following <a href="https://docs.djangoproject.com/en/4.0/ref/csrf/#acquiring-the-token-if-csrf-use-sessions-or-csrf-cookie-httponly-is-true">Django document</a>, AngularJS or any javascript could get the CSRF token from the DOM instead of cookie if cookie is http only.</p> <p><strong>Step 1</strong>: Put a tag in static html so Django middleware can put token to the HTML DOM.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code># Django put CSRF token to DOM {% csrf_token %} </code></pre> </div> <p><strong>Step 2</strong>: Implement an interceptor to get CSRF token from the DOM<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Injectable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@angular/core</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">HttpEvent</span><span class="p">,</span> <span class="nx">HttpRequest</span><span class="p">,</span> <span class="nx">HttpHandler</span><span class="p">,</span> <span class="nx">HttpInterceptor</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@angular/common/http</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Observable</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">rxjs</span><span class="dl">'</span><span class="p">;</span> <span class="p">@</span><span class="nd">Injectable</span><span class="p">()</span> <span class="k">export</span> <span class="kd">class</span> <span class="nx">DjangoCSRFInterceptor</span> <span class="kr">implements</span> <span class="nx">HttpInterceptor</span> <span class="p">{</span> <span class="nx">intercept</span><span class="p">(</span><span class="nx">httpRequest</span><span class="p">:</span> <span class="nx">HttpRequest</span><span class="o">&lt;</span><span class="nx">any</span><span class="o">&gt;</span><span class="p">,</span> <span class="nx">next</span><span class="p">:</span> <span class="nx">HttpHandler</span><span class="p">):</span> <span class="nx">Observable</span><span class="o">&lt;</span><span class="nx">HttpEvent</span><span class="o">&lt;</span><span class="nx">any</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="p">(</span> <span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">[name=csrfmiddlewaretoken]</span><span class="dl">'</span><span class="p">)</span> <span class="k">as</span> <span class="nx">HTMLInputElement</span> <span class="p">).</span><span class="nx">value</span><span class="p">;</span> <span class="k">return</span> <span class="nx">httpRequest</span><span class="p">.</span><span class="nx">clone</span><span class="p">({</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">httpRequest</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="kd">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">X-CSRFToken, token) }); } } </span></code></pre> </div> <p><strong>Step 3</strong>: Put HttpInterceptor to your Angular module providers<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">providers</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">provide</span><span class="p">:</span> <span class="nx">HTTP_INTERCEPTORS</span><span class="p">,</span> <span class="na">useClass</span><span class="p">:</span> <span class="nx">DjangoCSRFInterceptor</span><span class="p">,</span> <span class="na">multi</span><span class="p">:</span> <span class="kc">true</span> <span class="p">}</span> <span class="p">]</span> </code></pre> </div> <p>Now your angular code should be able to get CSRF token and put in any request.</p> <h2> Django CSRF_COOKIE_HTTPONLY </h2> <p>CSRF_COOKIE_HTTPONLY is a flag that enables http only for CSRF cookie. Although http only is a best practice for security, Django foundation points that it doesn't offer any practical protection and encourage developer to turn this flag off.</p> <p>However, there are many reasons that force us to enable http only with CSRF cookie. One of the reasons in my case is my security auditor report that it is a risk and should be fixed.</p> <h2> What is Angular HttpInterceptor </h2> <p>In Angular, interceptor allows us to intercept a http request or response. By intercepting request/response, we can modify its context as we want.</p> <p>Ideally, we can implement an interceptor to add <code>X-CSRFToken</code> to headers. And Django will accept this request.</p> <h2> Conclusion </h2> <p>In conclusion, I would like to note that this post just a note of how I handled the angular request when CSRF_COOKIE_HTTPONLY is enable. In most of situation, we should leave this flag as default value (False). But if you have to enable it, hopefully this post can save your time.</p> <p>Happy sharing, happy Code with Beer🍺🍺🍺!!!</p> django angular security