Merge pull request #190 from open-zaak/feature/oaf-68-csp-errors

🔧[maykinmedia/open-api-framework#68] fix CSP errors
open-zaak · Oct 1, 2024 · 7299417 · 7299417
2 parents 297b8e5 + 55d808d
commit 7299417
Show file tree

Hide file tree

Showing 8 changed files with 29 additions and 14 deletions.
diff --git a/deployment/single-server/vars/open-notificaties.example.yml b/deployment/single-server/vars/open-notificaties.example.yml
@@ -14,7 +14,6 @@ opennotificaties_db_username: open-notificaties
 opennotificaties_db_password: change-me
 
 # Used to provide cryptographic signing (tokens, cookies, etc.)
-# See: https://miniwebtool.com/django-secret-key-generator/
 opennotificaties_secret_key: 'generate-me'
 
 opennotificaties_replicas:

diff --git a/docs/installation/code/env b/docs/installation/code/env
@@ -1,5 +1,5 @@
 DJANGO_SETTINGS_MODULE=nrc.conf.production
-# generate one on https://www.miniwebtool.com/django-secret-key-generator/
+# generate one
 SECRET_KEY=replace-me-because-i-am-insecure
 ALLOWED_HOSTS=open-notificaties.gemeente.nl
 

diff --git a/docs/installation/configuration/env_config.rst b/docs/installation/configuration/env_config.rst
@@ -17,7 +17,7 @@ Available environment variables
 Required
 --------
 
-* ``SECRET_KEY``: Secret key that's used for certain cryptographic utilities. You should generate one via `miniwebtool <https://www.miniwebtool.com/django-secret-key-generator>`_.
+* ``SECRET_KEY``: Secret key that's used for certain cryptographic utilities. .
 * ``ALLOWED_HOSTS``: a comma separated (without spaces!) list of domains that serve the installation. Used to protect against Host header attacks. Defaults to: ``(empty string)``.
 * ``CACHE_DEFAULT``: redis cache address for the default cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``.
 * ``CACHE_AXES``: redis cache address for the brute force login protection cache (this **MUST** be set when using Docker). Defaults to: ``localhost:6379/0``.
@@ -95,7 +95,7 @@ Optional
 * ``LOG_LEVEL``: control the verbosity of logging output. Available values are ``CRITICAL``, ``ERROR``, ``WARNING``, ``INFO`` and ``DEBUG``. Defaults to: ``WARNING``.
 * ``LOG_QUERIES``: enable (query) logging at the database backend level. Note that you must also set ``DEBUG=1``, which should be done very sparingly!. Defaults to: ``False``.
 * ``LOG_REQUESTS``: enable logging of the outgoing requests. Defaults to: ``False``.
-* ``SESSION_COOKIE_SAMESITE``: The value of the SameSite flag on the session cookie. This flag prevents the cookie from being sent in cross-site requests thus preventing CSRF attacks and making some methods of stealing session cookie impossible. Defaults to: ``Strict``.
+* ``SESSION_COOKIE_SAMESITE``: The value of the SameSite flag on the session cookie. This flag prevents the cookie from being sent in cross-site requests thus preventing CSRF attacks and making some methods of stealing session cookie impossible.Currently interferes with OIDC. Keep the value set at Lax if used. Defaults to: ``Lax``.
 * ``CSRF_COOKIE_SAMESITE``: The value of the SameSite flag on the CSRF cookie. This flag prevents the cookie from being sent in cross-site requests. Defaults to: ``Strict``.
 * ``ENVIRONMENT``: An identifier for the environment, displayed in the admin depending on the settings module used and included in the error monitoring (see ``SENTRY_DSN``). The default is set according to ``DJANGO_SETTINGS_MODULE``.
 * ``SUBPATH``: If hosted on a subpath, provide the value here. If you provide ``/gateway``, the component assumes its running at the base URL: ``https://somedomain/gateway/``. Defaults to an empty string. Defaults to: ``None``.

diff --git a/docs/installation/deployment/single_server.rst b/docs/installation/deployment/single_server.rst
@@ -120,7 +120,7 @@ Navigate to the correct deployment directory:
 
 Create the ``vars/open-notificaties.yml`` file - you can find an example in
 ``vars/open-notificaties.yml.example``. Generate a secret key using the
-`django secret key generator`_ and put the value between single
+django secret key generator and put the value between single
 quotes.
 
 Configure the host by creating the ``hosts`` file from the example:
@@ -282,8 +282,6 @@ The format of each replica is:
     name: opennotificaties-worker-i
 
 .. _docker hub: https://hub.docker.com/u/openzaak
-.. _django secret key generator: https://miniwebtool.com/django-secret-key-generator/
-
 .. _deployment_containers_updating:
 
 Updating an Open Notificaties installation

diff --git a/requirements/base.txt b/requirements/base.txt
@@ -98,6 +98,7 @@ django==4.2.15
     #   djangorestframework-inclusions
     #   drf-nested-routers
     #   drf-spectacular
+    #   drf-spectacular-sidecar
     #   drf-yasg
     #   maykin-2fa
     #   mozilla-django-oidc
@@ -178,8 +179,12 @@ djangorestframework-inclusions==1.2.0
     # via open-api-framework
 drf-nested-routers==0.94.1
     # via commonground-api-common
-drf-spectacular==0.27.2
-    # via open-api-framework
+drf-spectacular[sidecar]==0.27.2
+    # via
+    #   drf-spectacular
+    #   open-api-framework
+drf-spectacular-sidecar==2024.7.1
+    # via drf-spectacular
 drf-yasg==1.21.7
     # via commonground-api-common
 ecs-logging==2.2.0
@@ -237,7 +242,7 @@ mozilla-django-oidc-db==0.19.0
     # via open-api-framework
 notifications-api-common==0.2.2
     # via commonground-api-common
-open-api-framework==0.8.0
+open-api-framework==0.8.1
     # via -r requirements/base.in
 orderedmultidict==1.0.1
     # via furl

diff --git a/requirements/ci.txt b/requirements/ci.txt
@@ -143,6 +143,7 @@ django==4.2.15
     #   djangorestframework-inclusions
     #   drf-nested-routers
     #   drf-spectacular
+    #   drf-spectacular-sidecar
     #   drf-yasg
     #   maykin-2fa
     #   mozilla-django-oidc
@@ -275,10 +276,15 @@ drf-nested-routers==0.94.1
     # via
     #   -r requirements/base.txt
     #   commonground-api-common
-drf-spectacular==0.27.2
+drf-spectacular[sidecar]==0.27.2
     # via
     #   -r requirements/base.txt
+    #   drf-spectacular
     #   open-api-framework
+drf-spectacular-sidecar==2024.7.1
+    # via
+    #   -r requirements/base.txt
+    #   drf-spectacular
 drf-yasg==1.21.7
     # via
     #   -r requirements/base.txt
@@ -398,7 +404,7 @@ notifications-api-common==0.2.2
     # via
     #   -r requirements/base.txt
     #   commonground-api-common
-open-api-framework==0.8.0
+open-api-framework==0.8.1
     # via -r requirements/base.txt
 orderedmultidict==1.0.1
     # via

diff --git a/requirements/dev.txt b/requirements/dev.txt
@@ -160,6 +160,7 @@ django==4.2.15
     #   djangorestframework-inclusions
     #   drf-nested-routers
     #   drf-spectacular
+    #   drf-spectacular-sidecar
     #   drf-yasg
     #   maykin-2fa
     #   mozilla-django-oidc
@@ -302,10 +303,15 @@ drf-nested-routers==0.94.1
     # via
     #   -r requirements/ci.txt
     #   commonground-api-common
-drf-spectacular==0.27.2
+drf-spectacular[sidecar]==0.27.2
     # via
     #   -r requirements/ci.txt
+    #   drf-spectacular
     #   open-api-framework
+drf-spectacular-sidecar==2024.7.1
+    # via
+    #   -r requirements/ci.txt
+    #   drf-spectacular
 drf-yasg==1.21.7
     # via
     #   -r requirements/ci.txt
@@ -442,7 +448,7 @@ notifications-api-common==0.2.2
     # via
     #   -r requirements/ci.txt
     #   commonground-api-common
-open-api-framework==0.8.0
+open-api-framework==0.8.1
     # via -r requirements/ci.txt
 orderedmultidict==1.0.1
     # via

diff --git a/src/nrc/conf/includes/api.py b/src/nrc/conf/includes/api.py
@@ -20,6 +20,7 @@
 OPENNOTIFICATIES_API_CONTACT_URL = "https://www.maykinmedia.nl"
 
 SPECTACULAR_SETTINGS = {
+    "REDOC_DIST": "SIDECAR",
     "TITLE": "Open Notificaties API",
     "VERSION": API_VERSION,
     "DESCRIPTION": DESCRIPTION,