(#827) configure cors, cross domain cookie options

apps/session/views.py

@@ -81,6 +81,7 @@ def user_login(request):
 def login_callback(request):
     state_before = request.session.get("sso_state", None)
     state = request.GET.get("state", None)
+    # TODO: server host 를 유지한채로 행해지는 모든 리디렉트 응답에 대해 새로운 리액트 앱 호스트를 사용한다
     if state_before is None or state_before != state:
         return HttpResponseRedirect("/error/invalid-login")
 

otlplus/settings.py

@@ -29,6 +29,17 @@
 
 ALLOWED_HOSTS = []
 
+CORS_ALLOW_CREDENTIALS = True
+CORS_ALLOW_ALL_ORIGINS = DEBUG
+CORS_ALLOWED_ORIGINS = [
+    "https://otl.kaist.ac.kr",
+]
+CSRF_TRUSTED_ORIGINS = [
+    "localhost:3000" if DEBUG else "otl.kaist.ac.kr",
+]
+
+SESSION_COOKIE_SAMESITE = None
+
 # Application definition
 
 INSTALLED_APPS = (
@@ -44,9 +55,11 @@
     "apps.review.appss.ReviewConfig",
     "apps.subject.appss.SubjectConfig",
     "apps.timetable.appss.TimetableConfig",
+    "corsheaders",
 )
 
 MIDDLEWARE = [
+    "corsheaders.middleware.CorsMiddleware",
     "django.middleware.security.SecurityMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.locale.LocaleMiddleware",