Adding optional support for setting the cookie domain for JWT auth to…

…kens (#568)
iMerica · Nov 15, 2023 · c6b6530 · c6b6530
1 parent de86fa9
commit c6b6530
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/dj_rest_auth/app_settings.py b/dj_rest_auth/app_settings.py
@@ -35,6 +35,7 @@
     'JWT_AUTH_SECURE': False,
     'JWT_AUTH_HTTPONLY': True,
     'JWT_AUTH_SAMESITE': 'Lax',
+    'JWT_AUTH_COOKIE_DOMAIN' : None,
     'JWT_AUTH_RETURN_EXPIRATION': False,
     'JWT_AUTH_COOKIE_USE_CSRF': False,
     'JWT_AUTH_COOKIE_ENFORCE_CSRF_ON_UNAUTHENTICATED': False,

diff --git a/dj_rest_auth/jwt_auth.py b/dj_rest_auth/jwt_auth.py
@@ -16,6 +16,8 @@ def set_jwt_access_cookie(response, access_token):
     cookie_secure = api_settings.JWT_AUTH_SECURE
     cookie_httponly = api_settings.JWT_AUTH_HTTPONLY
     cookie_samesite = api_settings.JWT_AUTH_SAMESITE
+    cookie_domain = api_settings.JWT_AUTH_COOKIE_DOMAIN
+
 
     if cookie_name:
         response.set_cookie(
@@ -25,6 +27,7 @@ def set_jwt_access_cookie(response, access_token):
             secure=cookie_secure,
             httponly=cookie_httponly,
             samesite=cookie_samesite,
+            domain=cookie_domain,
         )
 
 
@@ -36,6 +39,7 @@ def set_jwt_refresh_cookie(response, refresh_token):
     cookie_secure = api_settings.JWT_AUTH_SECURE
     cookie_httponly = api_settings.JWT_AUTH_HTTPONLY
     cookie_samesite = api_settings.JWT_AUTH_SAMESITE
+    cookie_domain = api_settings.JWT_AUTH_COOKIE_DOMAIN
 
     if refresh_cookie_name:
         response.set_cookie(
@@ -46,6 +50,7 @@ def set_jwt_refresh_cookie(response, refresh_token):
             httponly=cookie_httponly,
             samesite=cookie_samesite,
             path=refresh_cookie_path,
+            domain=cookie_domain,
         )
 
 
@@ -59,11 +64,12 @@ def unset_jwt_cookies(response):
     refresh_cookie_name = api_settings.JWT_AUTH_REFRESH_COOKIE
     refresh_cookie_path = api_settings.JWT_AUTH_REFRESH_COOKIE_PATH
     cookie_samesite = api_settings.JWT_AUTH_SAMESITE
+    cookie_domain = api_settings.JWT_AUTH_COOKIE_DOMAIN
 
     if cookie_name:
-        response.delete_cookie(cookie_name, samesite=cookie_samesite)
+        response.delete_cookie(cookie_name, samesite=cookie_samesite, domain=cookie_domain)
     if refresh_cookie_name:
-        response.delete_cookie(refresh_cookie_name, path=refresh_cookie_path, samesite=cookie_samesite)
+        response.delete_cookie(refresh_cookie_name, path=refresh_cookie_path, samesite=cookie_samesite, domain=cookie_domain)
 
 
 class CookieTokenRefreshSerializer(TokenRefreshSerializer):

diff --git a/docs/configuration.rst b/docs/configuration.rst
@@ -39,6 +39,7 @@ dj-rest-auth behaviour can be controlled by adjust settings in ``settings.py``:
         'JWT_AUTH_SECURE': False,
         'JWT_AUTH_HTTPONLY': True,
         'JWT_AUTH_SAMESITE': 'Lax',
+        'JWT_AUTH_COOKIE_DOMAIN' : None,
         'JWT_AUTH_RETURN_EXPIRATION': False,
         'JWT_AUTH_COOKIE_USE_CSRF': False,
         'JWT_AUTH_COOKIE_ENFORCE_CSRF_ON_UNAUTHENTICATED': False,
@@ -219,6 +220,11 @@ cookie. Default is ``True``.
 To tell the browser not to send this cookie when performing a cross-origin
 request. Default is ``'Lax'``. SameSite isn't supported by all browsers.
 
+``JWT_AUTH_COOKIE_DOMAIN``
+==========================
+Sets the cookie domain for the ``access_token`` and ``refresh_token``. Default is ``None``.
+
+
 ``JWT_AUTH_RETURN_EXPIRATION``
 ==============================