Merge pull request #329 from openimis/feauture/OS-90

delcroip · web-flow · commit 3f1e8205a130 · 2025-03-06T16:41:07.000+01:00
OS-90: validating GraphQL Content-Type
diff --git a/openIMIS/openIMIS/settings/prod.py b/openIMIS/openIMIS/settings/prod.py
@@ -31,18 +31,6 @@
 USE_X_FORWARDED_HOST = BEHIND_PROXY
 SECURE_SSL_REDIRECT = not BEHIND_PROXY  # Only redirect if not behind a proxy
 
-# CSRF settings
-CSRF_COOKIE_SECURE = True
-SESSION_COOKIE_SECURE = True
-
-# CORS settings
-CORS_ALLOW_CREDENTIALS = True
-
-# Cookie settings
-SESSION_COOKIE_SAMESITE = 'Lax'  # or 'None' if cross-site
-CSRF_COOKIE_SAMESITE = 'Lax'  # or 'None' if cross-site
-CSRF_COOKIE_HTTPONLY = False  # False if you need to access it from JavaScript
-
 # HSTS settings (if using HTTPS)
 if 'https' in protos:
     SECURE_HSTS_SECONDS = 31536000  # 1 year
diff --git a/openIMIS/openIMIS/settings/security.py b/openIMIS/openIMIS/settings/security.py
@@ -89,8 +89,19 @@
 RATELIMIT_GROUP = os.getenv('RATELIMIT_GROUP', 'graphql')
 RATELIMIT_SKIP_TIMEOUT = os.getenv('RATELIMIT_SKIP_TIMEOUT', 'False')
 
-
-
+# CSRF settings
+CSRF_COOKIE_SECURE = True
+SESSION_COOKIE_SECURE = True
+# session cookie validity = 8 hours
+SESSION_COOKIE_AGE = 28800
+
+# CORS settings
+CORS_ALLOW_CREDENTIALS = True
+
+# Cookie settings
+SESSION_COOKIE_SAMESITE = 'Lax'  # or 'None' if cross-site
+CSRF_COOKIE_SAMESITE = 'Lax'  # or 'None' if cross-site
+CSRF_COOKIE_HTTPONLY = False  # False if you need to access it from JavaScript
 
 # Adjust other settings as needed for your specific application
 # ...
diff --git a/openIMIS/openIMIS/views.py b/openIMIS/openIMIS/views.py
@@ -1,5 +1,5 @@
 from django.db import connection, transaction
-from django.http import HttpResponseNotAllowed
+from django.http import HttpResponseNotAllowed, HttpResponse
 from django.http.response import HttpResponseBadRequest
 from .dataloaders import get_dataloaders
 from . import tracer
@@ -86,6 +86,11 @@ def parse_body(self, request):
     def execute_graphql_request(
         self, request, data, query, variables, operation_name, show_graphiql=False
     ):
+        if not request or getattr(request, "content_type", "") != "application/json":
+            raise HttpError(HttpResponse(
+                "Unsupported Media Type: The server only accepts application/json requests.",
+                status=415,
+            ))
         if not query:
             if show_graphiql:
                 return None
