Move ensure_csrf_token docstring to README

and also bump version 3.2.0
QueraTeam · Jul 12, 2024 · 46a8888 · 46a8888
1 parent 255c287
commit 46a8888
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -277,10 +277,11 @@ The URL of Next.js server (started by `npm run dev` or `npm run start`)
 
 ### `ensure_csrf_token`
 
-If user does not have a CSRF token, ensure that one is generated and included in the initial request to the NextJS
-server, by calling Django's `django.middleware.csrf.get_token`.  If `django.middleware.csrf.CsrfViewMiddleware` is
-installed, the initial response will include a `Set-Cookie` header to persist the CSRF token value on the client.
-This behaviour is enabled by default.
+If the user does not have a CSRF token, ensure that one is generated and included in the initial request to the Next.js server by calling Django's `django.middleware.csrf.get_token`. If `django.middleware.csrf.CsrfViewMiddleware` is installed, the initial response will include a `Set-Cookie` header to persist the CSRF token value on the client. This behavior is enabled by default.
+
+#### When You Need to `ensure_csrf_token`?
+
+You may need to issue GraphQL POST requests to fetch data in Next.js `getServerSideProps`. If this is the user's first request, there will be no CSRF cookie, causing the request to fail since GraphQL uses POST even for data fetching. However, as long as `getServerSideProps` functions are side-effect free (i.e., they don't use HTTP unsafe methods or GraphQL mutations), this should be fine from a security perspective. Read more [here](https://docs.djangoproject.com/en/3.2/ref/csrf/#is-posting-an-arbitrary-csrf-token-pair-cookie-and-post-data-a-vulnerability).
 
 ## Development
 

diff --git a/django_nextjs/__init__.py b/django_nextjs/__init__.py
@@ -1 +1 @@
-__version__ = "3.1.0"
+__version__ = "3.2.0"
diff --git a/django_nextjs/render.py b/django_nextjs/render.py
@@ -40,13 +40,6 @@ def _get_render_context(html: str, extra_context: Union[Dict, None] = None):
 def _get_nextjs_request_cookies(request: HttpRequest):
     """
     Ensure we always send a CSRF cookie to Next.js server (if there is none in `request` object, generate one)
-    Reason: We are going to issue GraphQL POST requests to fetch data in NextJS getServerSideProps.
-            If this is the first request of user, there is no CSRF cookie and request fails,
-            since GraphQL uses POST even for data fetching.
-    Isn't this a vulnerability?
-    No, as long as getServerSideProps functions are side effect free
-    (i.e. dont use HTTP unsafe methods or GraphQL mutations).
-    https://docs.djangoproject.com/en/3.2/ref/csrf/#is-posting-an-arbitrary-csrf-token-pair-cookie-and-post-data-a-vulnerability
     """
     unreserved_cookies = {k: v for k, v in request.COOKIES.items() if k and not morsel.isReservedKey(k)}
     if ENSURE_CSRF_TOKEN is True and settings.CSRF_COOKIE_NAME not in unreserved_cookies: