perf: allow csrf check to *

apps/jumpserver/middleware.py

@@ -10,6 +10,7 @@ import pytz
 from django.conf import settings
 from django.core.exceptions import MiddlewareNotUsed
 from django.db.utils import OperationalError
+from django.middleware.csrf import CsrfViewMiddleware
 from django.http.response import HttpResponseForbidden, JsonResponse
 from django.shortcuts import HttpResponse
 from django.shortcuts import redirect
@@ -19,6 +20,7 @@ from rest_framework import status
 
 from .utils import set_current_request
 
+IGNORE_CSRF_CHECK = '*' in os.getenv("DOMAINS", "").split(',')
 
 class TimezoneMiddleware:
     def __init__(self, get_response):
@@ -191,3 +193,10 @@ class SafeRedirectMiddleware:
             host, port = netloc.split(':', 1)
             return host, port
         return netloc, '80'
+
+
+class CsrfCheckMiddleware(CsrfViewMiddleware):
+    def _origin_verified(self, request):
+        if IGNORE_CSRF_CHECK:
+            return True
+        return super()._origin_verified(request)

apps/jumpserver/settings/base.py

@@ -92,6 +92,9 @@ ALLOWED_HOSTS = ['*']
 # https://docs.djangoproject.com/en/4.1/ref/settings/#std-setting-CSRF_TRUSTED_ORIGINS
 CSRF_TRUSTED_ORIGINS = []
 for host_port in ALLOWED_DOMAINS:
+    if '*' in ALLOWED_DOMAINS:
+        CSRF_TRUSTED_ORIGINS = ['http://*', 'https://*']
+        break
     origin = host_port.strip('.')
 
     if not origin:
@@ -167,7 +170,8 @@ MIDDLEWARE = [
     'django.middleware.locale.LocaleMiddleware',
     'corsheaders.middleware.CorsMiddleware',
     'django.middleware.common.CommonMiddleware',
-    'django.middleware.csrf.CsrfViewMiddleware',
+    # 'django.middleware.csrf.CsrfViewMiddleware',
+    'jumpserver.middleware.CsrfCheckMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',