Merge pull request #55 from OZ-01-Team3/feature/csrf

[Feature/csrf] csrf 검사 활성화

Author: Meoyoug

.gitignore

@@ -501,5 +501,7 @@ failed_files/
 config/settings/settings.py
 temp-action/
 #diagrams/
+ERD.md
+*.uml
 
 # End of https://www.toptal.com/developers/gitignore/api/python,django,pycharm,vim,visualstudiocode,venv,macos,windows

apps/chat/views.py

@@ -65,7 +65,7 @@ def post(self, request: Request) -> Response:
             borrower_id=request.user.id,
             lender_id=lender_id,
             lender_status=True,
-            borrower_status=True
+            borrower_status=True,
         ).exists():
             return Response({"msg": "이미 개설된 채팅방 내역이 존재합니다."}, status=status.HTTP_400_BAD_REQUEST)
         serializer = serializers.CreateChatroomSerializer(data=request.data)

apps/user/views.py

@@ -216,7 +216,9 @@ def get_profile(self, access_token: str, provider_info: dict[str, Any]) -> reque
             },
         )
 
-    def login_process_user(self, request: Request, profile_res_data: dict[str, Any], provider_info: dict[str, Any]) -> Response:
+    def login_process_user(
+        self, request: Request, profile_res_data: dict[str, Any], provider_info: dict[str, Any]
+    ) -> Response:
         # 각 provider의 프로필 데이터 처리 로직
         email = profile_res_data.get(provider_info["email_field"])
         nickname = profile_res_data.get(provider_info["nickname_field"])

config/settings/base.py

@@ -18,22 +18,9 @@
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent.parent
 
-# env = environ.Env(DEBUG=(bool, False))
-# environ.Env.read_env(env_file=os.path.join(BASE_DIR / "env-be", ".env"))
-# environ.Env.read_env(env_file=os.path.join(BASE_DIR, ".env"))
-
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/5.0/howto/deployment/checklist/
 
-# SECURITY WARNING: keep the secret key used in production secret!
-# SECRET_KEY = env("DJANGO_SECRET_KEY")
-
-# SECURITY WARNING: don't run with debug turned on in production!
-# DEBUG = True
-
-# ALLOWED_HOSTS = []
-
-
 # Application definition
 
 DJANGO_SYSTEM_APPS = [
@@ -75,14 +62,14 @@
 INSTALLED_APPS = DJANGO_SYSTEM_APPS + CUSTOM_USER_APPS
 
 MIDDLEWARE = [
+    "corsheaders.middleware.CorsMiddleware",
     "django.middleware.security.SecurityMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",
-    # "django.middleware.csrf.CsrfViewMiddleware",
+    "django.middleware.csrf.CsrfViewMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
-    "corsheaders.middleware.CorsMiddleware",
     "allauth.account.middleware.AccountMiddleware",
 ]
 
@@ -110,12 +97,6 @@
 ASGI_APPLICATION = "config.asgi.application"
 
 
-# Database
-# https://docs.djangoproject.com/en/5.0/ref/settings/#databases
-
-# DATABASES = {}
-
-
 # Password validation
 # https://docs.djangoproject.com/en/5.0/ref/settings/#auth-password-validators
 
@@ -160,11 +141,6 @@
 
 AUTH_USER_MODEL = "user.Account"
 
-# # cors 관련 설정
-# # CORS_ALLOWED_ORIGINS = env("CORS_ALLOWED_ORIGINS").split(",")
-# CORS_ORIGIN_ALLOW_ALL = True
-# CORS_ALLOW_CREDENTIALS = True
-
 # drf 관련 설정
 REST_FRAMEWORK = {
     "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
@@ -188,75 +164,7 @@
     "SERVE_INCLUDE_SCHEMA": False,
 }
 
-# # S3 관련 설정
-# STORAGES = {
-#     "default": {
-#         "BACKEND": "storages.backends.s3.S3Storage",
-#         "OPTIONS": {
-#             # "session_profile": env("AWS_S3_SESSION_PROFILE"),
-#             "access_key": env("AWS_ACCESS_KEY_ID"),
-#             "secret_key": env("AWS_SECRET_ACCESS_KEY"),
-#             "bucket_name": env("AWS_STORAGE_BUCKET_NAME"),
-#             # "default_acl": env("AWS_DEFAULT_ACL"),
-#             "region_name": env("AWS_S3_REGION_NAME"),
-#             "use_ssl": env("AWS_S3_USE_SSL"),
-#             "custom_domain": env("AWS_STORAGE_BUCKET_NAME") + ".s3.amazonaws.com",
-#             # "cloudfront_key": env("AWS_CLOUDFRONT_KEY"),
-#             # "cloudfront_key_id": env("AWS_CLOUDFRONT_KEY_ID")
-#         },
-#     },
-#     "staticfiles": {"BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"},
-# }
-
-# STATICFILES_STORAGE = "django.contrib.staticfiles.storage.StaticFilesStorage"
-# DEFAULT_FILE_STORAGE = "django.core.files.storage.FileSystemStorage"
-# DEFAULT_FILE_STORAGE = "storages.backends.s3.S3Storage"
-# AWS_SESSION_PROFILE = env("AWS_S3_SESSION_PROFILE")
-# AWS_ACCESS_KEY_ID = env("AWS_ACCESS_KEY_ID")
-# AWS_SECRET_ACCESS_KEY = env("AWS_SECRET_ACCESS_KEY")
-# AWS_STORAGE_BUCKET_NAME = env("AWS_STORAGE_BUCKET_NAME")
-# AWS_REGION_NAME = env("AWS_S3_REGION_NAME")
-# AWS_S3_CUSTOM_DOMAIN = f"{AWS_STORAGE_BUCKET_NAME}.s3.amazonaws.com"
-# AWS_DEFAULT_ACL = env("AWS_DEFAULT_ACL")
-# AWS_QUERYSTRING_AUTH = False
-
-# # djangorestframework-simplejwt 관련 설정
-# SIMPLE_JWT = {
-#     "ACCESS_TOKEN_LIFETIME": timedelta(hours=1),  # default: minutes=5
-#     "REFRESH_TOKEN_LIFETIME": timedelta(days=7),  # default: days=1
-#     "ROTATE_REFRESH_TOKENS": False,
-#     "BLACKLIST_AFTER_ROTATION": False,
-#     "UPDATE_LAST_LOGIN": True,  # default: False
-#     "ALGORITHM": "HS256",
-#     # "SIGNING_KEY": SECRET_KEY,
-#     "VERIFYING_KEY": "",
-#     "AUDIENCE": None,
-#     "ISSUER": None,
-#     "JSON_ENCODER": None,
-#     "JWK_URL": None,
-#     "LEEWAY": 0,
-#     "AUTH_HEADER_TYPES": ("Bearer",),
-#     "AUTH_HEADER_NAME": "HTTP_AUTHORIZATION",
-#     "USER_ID_FIELD": "id",
-#     "USER_ID_CLAIM": "user_id",
-#     "USER_AUTHENTICATION_RULE": "rest_framework_simplejwt.authentication.default_user_authentication_rule",
-#     "AUTH_TOKEN_CLASSES": ("rest_framework_simplejwt.tokens.AccessToken",),
-#     "TOKEN_TYPE_CLAIM": "token_type",
-#     "TOKEN_USER_CLASS": "rest_framework_simplejwt.models.TokenUser",
-#     "JTI_CLAIM": "jti",
-#     "SLIDING_TOKEN_REFRESH_EXP_CLAIM": "refresh_exp",
-#     "SLIDING_TOKEN_LIFETIME": timedelta(minutes=5),
-#     "SLIDING_TOKEN_REFRESH_LIFETIME": timedelta(days=1),
-#     "TOKEN_OBTAIN_SERIALIZER": "rest_framework_simplejwt.serializers.TokenObtainPairSerializer",
-#     "TOKEN_REFRESH_SERIALIZER": "rest_framework_simplejwt.serializers.TokenRefreshSerializer",
-#     "TOKEN_VERIFY_SERIALIZER": "rest_framework_simplejwt.serializers.TokenVerifySerializer",
-#     "TOKEN_BLACKLIST_SERIALIZER": "rest_framework_simplejwt.serializers.TokenBlacklistSerializer",
-#     "SLIDING_TOKEN_OBTAIN_SERIALIZER": "rest_framework_simplejwt.serializers.TokenObtainSlidingSerializer",
-#     "SLIDING_TOKEN_REFRESH_SERIALIZER": "rest_framework_simplejwt.serializers.TokenRefreshSlidingSerializer",
-# }
-
 SITE_ID = 1
-# REST_USE_JWT = True  # TODO
 
 # django-allauth 관련 설정
 ACCOUNT_USER_MODEL_USERNAME_FIELD = None
@@ -271,18 +179,6 @@
 # ACCOUNT_EMAIL_CONFIRMATION_EXPIRE_DAYS = 1  # default 3
 # ACCOUNT_EMAIL_CONFIRMATION_AUTHENTICATED_REDIREDT_URL = None
 
-# # django 이메일 인증 설정
-# EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
-# EMAIL_HOST = env("EMAIL_HOST")  # 메일 호스트 서버
-# EMAIL_PORT = env("EMAIL_PORT")
-# EMAIL_HOST_USER = env("EMAIL_HOST_USER")  # 발신 이메일
-# EMAIL_HOST_PASSWORD = env("EMAIL_HOST_PASSWORD")
-# EMAIL_USE_TLS = True  # TLS 보안
-# EMAIL_USE_SSL = False  # TODO
-# DEFAULT_FROM_EMAIL = EMAIL_HOST_USER
-# # URL_FRONT = env("URL_FRONT")  # TODO 이건 어디서 나온 설정인지?
-# # EMAIL_CONFIRMATION_AUTHENTICATED_REDIREDT_URL = "/"
-
 # TODO
 # AUTHENTICATION_BACKENDS = [
 #     "django.contrib.auth.backends.ModelBackend",
@@ -309,8 +205,8 @@
     "LOGOUT_ON_PASSWORD_CHANGE": False,
     "SESSION_LOGIN": False,
     "USE_JWT": True,  # default: False
-    "JWT_AUTH_COOKIE": "adfdfd",  # default: None
-    "JWT_AUTH_REFRESH_COOKIE": "rfdfdf",  # default: None
+    "JWT_AUTH_COOKIE": None,  # default: None
+    "JWT_AUTH_REFRESH_COOKIE": None,  # default: None
     "JWT_AUTH_REFRESH_COOKIE_PATH": "/",
     "JWT_AUTH_SECURE": True,
     "JWT_AUTH_HTTPONLY": False,  # default: False

config/settings/local.py

@@ -60,10 +60,10 @@
 # csrf 관련 설정
 # CSRF_TRUSTED_ORIGINS = ["http://*", "https://*"]
 CSRF_TRUSTED_ORIGINS = env("ORIGINS").split(",")
-CSRF_COOKIE_SECURE = False
-SESSION_COOKIE_SECURE = False
-SESSION_COOKIE_SAMESITE = "Lax"
-CSRF_COOKIE_SAMESITE = "Lax"
+CSRF_COOKIE_SECURE = True
+SESSION_COOKIE_SECURE = True
+SESSION_COOKIE_SAMESITE = "None"
+CSRF_COOKIE_SAMESITE = "None"
 CSRF_COOKIE_HTTPONLY = False
 # SESSION_ENGINE = 'django.contrib.sessions.backends.signed_cookies'
 
@@ -133,7 +133,6 @@
 EMAIL_USE_TLS = True  # TLS 보안
 EMAIL_USE_SSL = False  # TODO
 DEFAULT_FROM_EMAIL = EMAIL_HOST_USER
-# URL_FRONT = env("URL_FRONT")  # TODO 이건 어디서 나온 설정인지?
 # EMAIL_CONFIRMATION_AUTHENTICATED_REDIREDT_URL = "/"
 
 
@@ -217,6 +216,7 @@
 EMAIL_CODE_TIMEOUT = env("EMAIL_CODE_TIMEOUT")
 DJANGO_SUPERUSER_EMAIL = env("DJANGO_SUPERUSER_EMAIL")
 DJANGO_SUPERUSER_PASSWORD = env("DJANGO_SUPERUSER_PASSWORD")
+
 KAKAO_REDIRECT_URI = env("KAKAO_REDIRECT_URI")
 KAKAO_CLIENT_ID = env("KAKAO_CLIENT_ID")
 KAKAO_CLIENT_SECRET = env("KAKAO_CLIENT_SECRET")

config/settings/prod.py

@@ -7,13 +7,12 @@
 
 from .base import *
 
-DEBUG = True
 ENV: dict[str, str] = literal_eval(get_secret())
 
 SECRET_KEY = ENV["DJANGO_SECRET_KEY"]
+DEBUG = True
 ALLOWED_HOSTS = ENV["ALLOWED_HOSTS"].split(",")
 
-
 DATABASES = {
     "default": {
         "ENGINE": ENV["DATABASE_ENGINE"],
@@ -30,6 +29,22 @@
 CORS_ORIGIN_ALLOW_ALL = True
 CORS_ALLOW_CREDENTIALS = True
 CORS_ORIGIN_WHITELIST = ENV["ORIGINS"].split(",")
+CORS_ALLOW_METHODS = (
+    "DELETE",
+    "GET",
+    "OPTIONS",
+    "PATCH",
+    "POST",
+    "PUT",
+)
+CORS_ALLOW_HEADERS = (
+    "accept",
+    "authorization",
+    "content-type",
+    "user-agent",
+    "x-csrftoken",
+    "x-requested-with",
+)
 
 # csrf 관련 설정
 # CSRF_TRUSTED_ORIGINS = ["http://*", "https://*"]
@@ -39,6 +54,7 @@
 SESSION_COOKIE_SAMESITE = "None"
 CSRF_COOKIE_SAMESITE = "None"
 CSRF_COOKIE_HTTPONLY = False
+CSRF_COOKIE_DOMAIN = ENV["DOMAIN"]
 
 
 CHANNEL_LAYERS = {
@@ -50,6 +66,17 @@
     },
 }
 
+CACHES = {
+    "default": {
+        "BACKEND": "django_redis.cache.RedisCache",
+        "LOCATION": f"redis://{ENV['REDIS_HOST']}:{ENV['REDIS_PORT']}/0",
+        "OPTIONS": {
+            "CLIENT_CLASS": "django_redis.client.DefaultClient",
+            "PASSWORD": ENV["CACHES_PASSWORD"],
+        },
+    }
+}
+
 # djangorestframework-simplejwt 관련 설정
 SIMPLE_JWT = {
     "ACCESS_TOKEN_LIFETIME": timedelta(days=1),  # default: minutes=5
@@ -120,17 +147,6 @@
     },
 }
 
-CACHES = {
-    "default": {
-        "BACKEND": "django_redis.cache.RedisCache",
-        "LOCATION": f"redis://{ENV['REDIS_HOST']}:{ENV['REDIS_PORT']}/0",
-        "OPTIONS": {
-            "CLIENT_CLASS": "django_redis.client.DefaultClient",
-            "PASSWORD": ENV["CACHES_PASSWORD"],
-        },
-    }
-}
-
 # django 이메일 인증 설정
 EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
 EMAIL_HOST = ENV["EMAIL_HOST"]  # 메일 호스트 서버
@@ -140,7 +156,6 @@
 EMAIL_USE_TLS = True  # TLS 보안
 EMAIL_USE_SSL = False  # TODO
 DEFAULT_FROM_EMAIL = EMAIL_HOST_USER
-# URL_FRONT = ENV["URL_FRONT"]  # TODO 이건 어디서 나온 설정인지?
 # EMAIL_CONFIRMATION_AUTHENTICATED_REDIREDT_URL = "/"
 
 sentry_sdk.init(
@@ -155,6 +170,7 @@
 EMAIL_CODE_TIMEOUT = ENV["EMAIL_CODE_TIMEOUT"]
 DJANGO_SUPERUSER_EMAIL = ENV["DJANGO_SUPERUSER_EMAIL"]
 DJANGO_SUPERUSER_PASSWORD = ENV["DJANGO_SUPERUSER_PASSWORD"]
+
 KAKAO_REDIRECT_URI = ENV["KAKAO_REDIRECT_URI"]
 KAKAO_CLIENT_ID = ENV["KAKAO_CLIENT_ID"]
 KAKAO_CLIENT_SECRET = ENV["KAKAO_CLIENT_SECRET"]