CSRF Middleware

class smarter.lib.django.middleware.csrf.SmarterCsrfViewMiddleware(*args, **kwargs)[source]

Bases: CsrfViewMiddleware, SmarterRequestMixin

Middleware for enforcing CSRF (Cross-Site Request Forgery) protection with dynamic trusted origins.

This middleware extends Django’s built-in CSRF middleware to support dynamic addition of trusted origins, particularly for chatbot-related requests. It ensures that POST requests with a CSRF cookie require a valid csrfmiddlewaretoken, and it sets outgoing CSRF cookies as needed.

The middleware is designed to work seamlessly with the {% csrf_token %} template tag and provides additional logic for chatbot requests, health checks, and internal IP addresses. It also integrates with application logging and waffle switches for feature toggling.

Note that this middleware uses the admin user as a proxy when initializing the SmarterRequestMixin, solely so that it can determine whether the request is for a ChatBot. The proxy user object is stripped from the request before it is passed downstream in the middleware chain, so no later middleware or view sees an authenticated admin user as a side effect of this check.

Key Features

  • Dynamically adds chatbot URLs to the list of CSRF trusted origins.

  • Exempts chatbot requests from CSRF checks when appropriate.

  • Handles health check endpoints and internal IP addresses efficiently.

  • Provides detailed logging for CSRF-related events and decisions.

  • Integrates with Django’s CSRF protection and application-specific settings.

Note

  • Chatbot requests can be exempted from CSRF checks based on waffle switches.

  • Trusted origins are dynamically extended for chatbot and config requests.

  • Logging is controlled via a waffle switch and the application’s log level.

Example

To enable this middleware, add it to your Django project’s middleware settings in place of the default django.middleware.csrf.CsrfViewMiddleware, which it subclasses:

MIDDLEWARE = [
    ...
    'smarter.lib.django.middleware.csrf.SmarterCsrfViewMiddleware',
    ...
]
Parameters:

request (django.http.HttpRequest) – The incoming HTTP request object.

Returns:

The HTTP response object, or None if the request is exempted from CSRF checks.

Return type:

django.http.HttpResponse or None

property CSRF_TRUSTED_ORIGINS: list[str]

Return the list of trusted origins for CSRF. If the request is for a ChatBot, the ChatBot’s URL is added to the list.

__init__(*args, **kwargs)[source]

Initialize the SmarterCsrfViewMiddleware.

The request is not yet authenticated at this point, which is fine: the admin user is used for any needed context. This is required to evaluate whether or not the request is for a ChatBot.

allowed_origin_subdomains

A mapping of allowed schemes to list of allowed netlocs, where all subdomains of the netloc are allowed.

property formatted_class_name: str

Return the formatted class name for logging purposes.

process_request(request)[source]

Process the request to set up the CSRF protection. If the request is for a ChatBot, then we’ll exempt it from CSRF checks.
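The following is an added example, not the project’s own code, modelling what the CSRF_TRUSTED_ORIGINS property and process_request described above have to get right: the static settings allowlist is extended per request with the ChatBot’s origin, and chatbot requests can be exempted when the feature switch is on. Django is not imported; the request object, the settings values, the example hostnames and the `exempt_chatbots` flag standing in for the waffle switch are all assumptions made for illustration. The origin comparison follows Django’s own rules (exact scheme and netloc, or a `*.` entry matching the bare domain and its subdomains under the same scheme); the one simplification is that a request with no Origin header is rejected outright, where Django would fall back to the Referer header over HTTPS.

```python
"""Added example (not the project's own code): a Django-free model of a
CsrfViewMiddleware subclass that extends CSRF_TRUSTED_ORIGINS per request
and exempts chatbot requests.  Names and values are assumptions."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Static allowlist as a project would set it in settings.CSRF_TRUSTED_ORIGINS.
# Django syntax: an exact origin, or "*." to allow every subdomain (assumed values).
STATIC_TRUSTED_ORIGINS = ["https://platform.example.com", "https://*.example.com"]

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class FakeRequest:
    """Constructed stand-in for django.http.HttpRequest (only the fields used here)."""
    method: str
    headers: dict = field(default_factory=dict)
    is_chatbot: bool = False            # what SmarterRequestMixin would resolve
    chatbot_url: Optional[str] = None   # from the ChatBot record, never from the Host header
    csrf_exempt: bool = False


def origin_of(url: str) -> str:
    """Reduce an absolute http(s) URL to its origin (scheme://host[:port]), lower-cased.

    Path, query and fragment are dropped on purpose: a trusted-origin entry that
    still carried a path would never match the browser's Origin header.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return f"{parts.scheme}://{parts.netloc}".lower()


def trusted_origins_for(request: FakeRequest) -> list[str]:
    """The static allowlist plus, for a chatbot request, the chatbot's own origin."""
    origins = list(STATIC_TRUSTED_ORIGINS)
    if request.is_chatbot and request.chatbot_url:
        origins.append(origin_of(request.chatbot_url))
    return origins


def origin_is_trusted(origin_header: Optional[str], trusted: list[str]) -> bool:
    """Compare the browser's Origin header against the allowlist.

    Exact scheme+netloc match, or same scheme and a "*." entry whose domain the
    host equals or is a subdomain of.  "null" and malformed origins are rejected.
    """
    if not origin_header or origin_header == "null":
        return False
    try:
        origin = origin_of(origin_header)
    except ValueError:
        return False
    scheme, host = origin.split("://", 1)
    for entry in trusted:
        e_parts = urlsplit(entry.lower())
        if e_parts.netloc.startswith("*."):
            suffix = e_parts.netloc[1:]  # "*.example.com" -> ".example.com"
            # Bare domain or any subdomain, on a dot boundary, same scheme only.
            if e_parts.scheme == scheme and (host == suffix[1:] or host.endswith(suffix)):
                return True
        elif f"{e_parts.scheme}://{e_parts.netloc}" == origin:
            return True
    return False


def csrf_decision(request: FakeRequest, exempt_chatbots: bool = True) -> str:
    """process_request-style decision: 'safe-method', 'exempt', 'origin-ok' or 'rejected'.

    `exempt_chatbots` plays the role of the waffle switch.  Simplification: a
    missing Origin header is rejected; Django would fall back to Referer on HTTPS.
    """
    if request.method.upper() in SAFE_METHODS:
        return "safe-method"
    if exempt_chatbots and request.is_chatbot:
        request.csrf_exempt = True
        return "exempt"
    if origin_is_trusted(request.headers.get("Origin"), trusted_origins_for(request)):
        return "origin-ok"
    return "rejected"


if __name__ == "__main__":
    bot = FakeRequest("POST", {"Origin": "https://bot.example.org"},
                      is_chatbot=True, chatbot_url="https://bot.example.org/chat")
    print(trusted_origins_for(bot))              # static list plus https://bot.example.org
    print(csrf_decision(bot, exempt_chatbots=False))  # origin-ok (dynamic origin matched)
    print(csrf_decision(bot))                    # exempt (switch on)
    print(csrf_decision(FakeRequest("POST", {"Origin": "https://bot.example.org"})))  # rejected
```

The point a practitioner should check in the real middleware is where the dynamically added origin comes from: it must be derived from the ChatBot record the mixin resolved, as the stand-in above assumes, and not from anything the client controls such as the Host or Origin header, since an allowlist entry built from the request would trust whatever origin sent it.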

property ready: bool

Return whether the middleware is ready for use. The middleware is considered ready if it has been properly initialized with the admin user profile.