Fixed #23: Replace https hack with header setting

2022-11-20 13:58:54 -07:00 · 2022-11-20 13:58:54 -07:00 · 70d01bf1b4
commit 70d01bf1b4
parent b4166f78bb
2 changed files with 1 additions and 18 deletions
--- a/core/middleware.py
+++ b/core/middleware.py
@ -1,21 +1,6 @@
 from core.models import Config


-class AlwaysSecureMiddleware:
-    """
-    Locks the request object as always being secure, for when it's behind
-    a HTTPS reverse proxy.
-    """
-
-    def __init__(self, get_response):
-        self.get_response = get_response
-
-    def __call__(self, request):
-        request.__class__.scheme = "https"
-        response = self.get_response(request)
-        return response
-
-
 class ConfigLoadingMiddleware:
    """
    Caches the system config every request
--- a/takahe/settings/development.py
+++ b/takahe/settings/development.py
@ -5,9 +5,6 @@ from .base import *  # noqa
 # Load secret key from environment with a fallback
 SECRET_KEY = os.environ.get("TAKAHE_SECRET_KEY", "insecure_secret")

-# Disable the CRSF origin protection
-MIDDLEWARE.insert(0, "core.middleware.AlwaysSecureMiddleware")
-
 # Ensure debug features are on
 DEBUG = True

@ -16,6 +13,7 @@ CSRF_TRUSTED_ORIGINS = [
    "http://127.0.0.1:8000",
    "https://127.0.0.1:8000",
 ]
+SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

 EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
 SERVER_EMAIL = "test@example.com"