From 2f71c3c70eb23b1e232c80c4c5d8c1e1a6cd9893 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Mon, 23 Nov 2020 19:04:09 +0100
Subject: [PATCH] middleware: define setting for CSRF cookie SameSite value (#48767)

---
 hobo/middleware/cookies_samesite.py  | 4 +++-
 hobo/test_urls.py                    | 2 ++
 tests_multitenant/test_middleware.py | 9 +++++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/hobo/middleware/cookies_samesite.py b/hobo/middleware/cookies_samesite.py
index 4be4162..29042a0 100644
--- a/hobo/middleware/cookies_samesite.py
+++ b/hobo/middleware/cookies_samesite.py
@@ -27,7 +27,9 @@ class CookiesSameSiteFixMiddleware(MiddlewareMixin):
         # this can be removed once django 2.2 is used and settings.
         # CSRF_COOKIE_SAMESITE & SESSION_COOKIE_SAMESITE can be used.
         if settings.CSRF_COOKIE_NAME in response.cookies:
-            response.cookies[settings.CSRF_COOKIE_NAME]['samesite'] = 'None'
+            response.cookies[settings.CSRF_COOKIE_NAME]['samesite'] = (
+                getattr(settings, 'CSRF_COOKIE_SAMESITE', 'None').title()
+            )
         if settings.SESSION_COOKIE_NAME in response.cookies:
             response.cookies[settings.SESSION_COOKIE_NAME]['samesite'] = 'None'
         return response
diff --git a/hobo/test_urls.py b/hobo/test_urls.py
index d1f4635..7deb9ac 100644
--- a/hobo/test_urls.py
+++ b/hobo/test_urls.py
@@ -8,6 +8,8 @@ def helloworld(request):
     logging.getLogger(__name__).error('wat!')
     if 'raise' in request.GET:
         raise Exception('wat!')
+    request.META['CSRF_COOKIE_USED'] = True
+    request.META['CSRF_COOKIE'] = 'xxx'
     return HttpResponse('Hello world %s' % request.META['REMOTE_ADDR'])
 
 urlpatterns = [
diff --git a/tests_multitenant/test_middleware.py b/tests_multitenant/test_middleware.py
index bdc5a46..0badc92 100644
--- a/tests_multitenant/test_middleware.py
+++ b/tests_multitenant/test_middleware.py
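Review bot: The new line calls `.title()` on whatever `CSRF_COOKIE_SAMESITE` holds, and Django's own setting of that name also accepts Python `None` to mean "emit no SameSite attribute", so a deployment configured that way would raise `AttributeError` on every response that carries the CSRF cookie. Splitting the lookup from the assignment keeps the string path unchanged while tolerating that value: `samesite = getattr(settings, 'CSRF_COOKIE_SAMESITE', 'None')` followed by `if samesite: response.cookies[settings.CSRF_COOKIE_NAME]['samesite'] = str(samesite).title()`. Two lines below, the session cookie is still hard-coded to `'None'`, so `SESSION_COOKIE_SAMESITE`, which the comment above the block names alongside the CSRF setting, is not honoured the same way; either apply the same lookup there or say in the comment that only the CSRF cookie is configurable for now. Browsers only accept `SameSite=None` on cookies that also carry `Secure`, so the retained `'None'` default depends on `CSRF_COOKIE_SECURE` being set elsewhere, which is worth a one-line comment here. The enclosing method starts before the hunk.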
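Review bot: The two added `request.META` assignments carry no comment explaining why a hello-world view sets them; they appear to be the internal keys Django's `CsrfViewMiddleware.process_response` consults before emitting the CSRF cookie, which is what the SameSite middleware test needs, and that contract is private to Django and may change between releases. A comment above them such as `# force CsrfViewMiddleware to emit the CSRF cookie so the SameSite middleware has a cookie to rewrite (relies on Django internals)` would make both the intent and the fragility visible. The hard-coded `'xxx'` token is fine for a test URLconf, but naming it as a dummy value in the same comment avoids a reader mistaking it for a real token format.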
@@ -30,3 +30,12 @@ def test_internalipmiddleware(app, tenants, settings):
     response = app.get('/?raise', status=500, extra_environ={'HTTP_HOST': tenants[0].domain_url})
     assert 'You\'re seeing this error because you have' in response.text
+
+def test_samesite_middleware(app, tenants, settings):
+    settings.ALLOWED_HOSTS = [tenants[0].domain_url]
+    response = app.get('/', extra_environ={'HTTP_HOST': tenants[0].domain_url})
+    assert 'SameSite=None' in str(response)
+    app.cookiejar.clear()
+    settings.CSRF_COOKIE_SAMESITE = 'lax'
+    response = app.get('/', extra_environ={'HTTP_HOST': tenants[0].domain_url})
+    assert 'SameSite=Lax' in str(response)
-- 
2.29.2
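Review bot: The first assertion, `assert 'SameSite=None' in str(response)`, cannot distinguish the CSRF cookie from the session cookie, since the middleware stamps `SameSite=None` on the session cookie too, so it would still pass if the CSRF branch set nothing at all; only the `Lax` assertion actually pins the new setting. Selecting the CSRF cookie's own `Set-Cookie` header by name, e.g. `csrf = [h for h in response.headers.getall('Set-Cookie') if h.startswith(settings.CSRF_COOKIE_NAME + '=')]` followed by `assert 'SameSite=None' in csrf[0]`, makes both assertions target the cookie under test (assuming the test client exposes repeated headers that way). The lowercase `'lax'` exercises the `.title()` normalisation, but no case covers the setting being absent or set to Python `None`, so a third request with `settings.CSRF_COOKIE_SAMESITE = None` would document the intended behaviour for that value. The two context lines at the top belong to `test_internalipmiddleware`, whose body starts before the hunk.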