Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Django csrf token #1525

Closed
smmoosavi opened this issue Feb 11, 2017 · 24 comments
Closed

Django csrf token #1525

smmoosavi opened this issue Feb 11, 2017 · 24 comments
Milestone

Comments

@smmoosavi
Copy link

How to I get django csrf token? Is there any way CRA proxy html pages from backend server like django. (I know already proxy works for api call)

@smmoosavi
Copy link
Author

or proxy every things except /static/*.

@gaearon
Copy link
Contributor

gaearon commented Feb 11, 2017

No, there is no built-in proxying for HTML pages.

You can, however, embed anything (e.g. a token) in your HTML page when you serve it.
Does an approach like this help?

@gaearon
Copy link
Contributor

gaearon commented Feb 11, 2017

I'm going to close since I provided a workaround—we don't directly integrate with Django so I don't think there is a better answer. Just treat CRA output as a static HTML/JS bundle (which it is), and think how you'd solve this problem with HTML and JS.

@gaearon gaearon closed this as completed Feb 11, 2017
@smmoosavi
Copy link
Author

Where I can specify __SERVER_DATA__ to use in CRA dev-server?

@gaearon
Copy link
Contributor

gaearon commented Feb 11, 2017

Oh, I thought you were referring to production.

Since CRA lets you create single-page apps, you should refer to documentation about CSRF in single-page apps.

Here is what I found about this topic: http://security.stackexchange.com/questions/36468/csrf-protection-and-single-page-apps.

Does it help?

@smmoosavi
Copy link
Author

I solve my problem:
solution 1: run my own proxy. you can see gist here

solution 2: open django served page directly and load css and js from CRA

<!-- localhost:8000 -->
<script src="http://localhost:3000"></script>

but in solution 2 hot reload not working. can I set hot reload url from /sock-js/... to http://localhost:3000/sock-js/...?

@gaearon
Copy link
Contributor

gaearon commented Feb 13, 2017

No, this is not possible without ejecting (it's just too hard to support so many possible configurations and ensure neither of them breaks with time).

@shangsunset
Copy link

shangsunset commented Feb 27, 2017

Hi, If I were to eject, what should be the best approach that doesnt use jQuery on dev server? I searched around but didnt find any intuitive solution that goes with CRA. Or how should I make Django to server index.html for development?

@gaearon
Copy link
Contributor

gaearon commented Feb 28, 2017

I'm not sure what this has to do with jquery.

CRA just produces a static HTML/JS/CSS bundle. It doesn't do anything special. You can serve it with Django exactly the same way you would serve any HTML page with it. Please refer to Django documentation or support groups for this.

@smmoosavi
Copy link
Author

I will create full example in few days.

@shangsunset
Copy link

@gaearon Thanks for your reply. The problem is that if I make Django render index.html and call bundled js file like this <script src="http://localhost:3000/static/js/bundle.js"></script> the browser wont auto refresh as @smmoosavi mentioned. Is there a way to make auto refresh work in this scenario?

@smmoosavi looking forward to your example.

@gaearon gaearon added this to the 1.0.0 milestone Feb 28, 2017
@gaearon gaearon reopened this Feb 28, 2017
@gaearon
Copy link
Contributor

gaearon commented Feb 28, 2017

Let's keep it open because it is likely this will keep coming up, and we want to have some sort of integration story.

@viankakrisna
Copy link
Contributor

Can't we just provide a watching development mode that writes to disk? I think it a lot easier for this kind of use case rather than hacking dev server to work with it. It's coming up quite often and I know what it feels to be ejecting and overwhelmed by the config just to integrate CRA with a backend on development.

A lot of times, we just want to include a script tag that bundles quickly...

quik/nwb may be better suited to this scenario, but I miss the polish and community of CRA when I'm using it. 😜

@gaearon
Copy link
Contributor

gaearon commented Mar 1, 2017

Yes, I think this is related to #1070.

@smmoosavi
Copy link
Author

djcra

Django ❤️ create-react-app integration example

https://github.com/smmoosavi/djcra

@smmoosavi
Copy link
Author

this example works in development and production, even with cdn server for static files.

@gaearon REACT_APP_PUBLIC_URL not working as I expect. can you help in problems section. should I append PUBLIC_URL manually?

import logo from './logo.svg';
console.log(logo); // "/static/media/logo.5d5d9eef.svg"
<img src={(process.env.REACT_APP_PUBLIC_URL || '') + logo} alt="logo" />

@gaearon
Copy link
Contributor

gaearon commented Mar 2, 2017

Maybe you meant process.env.PUBLIC_URL? REACT_APP_* is reserved for project-specific variables with no special meaning, but PUBLIC_URL is always provided.

@smmoosavi
Copy link
Author

Can we apply PUBLIC_URL in dev mode?

attachment:
code:

import logo from './logo.svg';
console.log(logo);
console.log(process.env.PUBLIC_URL);
console.log(process.env.REACT_APP_PUBLIC_URL);

npm start browser output:

"/static/media/logo.5d5d9eef.svg"
""
undefined

PUBLIC_URL=http://localhost:8080 npm start browser output:

"/static/media/logo.5d5d9eef.svg"
""
undefined

REACT_APP_PUBLIC_URL=http://localhost:8080 npm start browser output:

"/static/media/logo.5d5d9eef.svg"
""
"http://localhost:8080"

npm run build browser output:

"/static/media/logo.5d5d9eef.svg"
""
undefined

PUBLIC_URL=http://localhost:8080 npm run build browser output:

"http://localhost:8080/static/media/logo.5d5d9eef.svg"
"http://localhost:8080"
undefined

REACT_APP_PUBLIC_URL=http://localhost:8080 npm run build browser output:

"/static/media/logo.5d5d9eef.svg"
""
"http://localhost:8080"

@gaearon
Copy link
Contributor

gaearon commented Mar 2, 2017

Can we apply PUBLIC_URL in dev mode?

Yes, see #1582 for discussion.

@smmoosavi
Copy link
Author

coming in 0.10.0?

@smmoosavi
Copy link
Author

I test 0.10.0-alpha.328cb32e but I can't see any change.

code:

import logo from './logo.svg';
console.log(logo);
console.log(process.env.PUBLIC_URL);

command:

PUBLIC_URL=http://localhost:3000 npm run start

output:

"/static/media/logo.5d5d9eef.svg"
""

and hot reload ws (open localhost:8000 in browser.)

http://localhost:8000/sockjs-node/info?t=1490949621968

what I expect:

"http://localhost:3000/static/media/logo.5d5d9eef.svg"
"http://localhost:3000"

and hot reload ws be

http://localhost:3000/sockjs-node/info?t=1490949621968

is this ok? Did I miss somethings?

@Timer
Copy link
Contributor

Timer commented Mar 31, 2017

This is not yet released in a 0.10 alpha. Sorry. It might be in the next (or next next).

@smmoosavi
Copy link
Author

smmoosavi commented May 18, 2017

@gaearon can you keep in mind djcra problems when you review #1887.
txn

@gaearon
Copy link
Contributor

gaearon commented Jan 8, 2018

I'll close this as stale. If the issues are still relevant please file a more focused issue about specific problems and your proposed solutions.

@gaearon gaearon closed this as completed Jan 8, 2018
@lock lock bot locked and limited conversation to collaborators Jan 20, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

5 participants