fix: Clean settings #108
fix: Clean settings #108
Conversation
There was a problem hiding this comment.
Reviewed 4 of 4 files at r1, all commit messages.
Reviewable status: all files reviewed, 4 unresolved discussions (waiting on @faucomte97)
codeforlife/settings/django.py line 64 at r1 (raw file):
SESSION_COOKIE_DOMAIN = "localhost" if DEBUG else "codeforlife.education" SECURE_CONTENT_TYPE_NOSNIFF = True
add a comment header for this group of settings and ref to the topic like the rest of the settings.
# Security
# https://docs.djangoproject.com/en/3.2/topics/security/codeforlife/settings/django.py line 68 at r1 (raw file):
SECURE_REFERRER_POLICY = "strict-origin-when-cross-origin" EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend"
not needed. we won't be using django's email backend.
codeforlife/settings/django.py line 69 at r1 (raw file):
EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend" CLOUD_STORAGE_PREFIX = "https://storage.googleapis.com/codeforlife-assets/"
What's this used for? let's discuss in a call
codeforlife/settings/django.py line 91 at r1 (raw file):
CSRF_COOKIE_NAME = f"{SERVICE_NAME}_csrftoken" CSRF_COOKIE_SAMESITE = "None" # TODO: Check if this breaks the auth system like it did on the old system
remove this TODO. This must be true. cookies should only be sent over HTTPS.
There was a problem hiding this comment.
Reviewable status: all files reviewed, 5 unresolved discussions (waiting on @faucomte97)
codeforlife/settings/django.py line 21 at r1 (raw file):
# Application definition MIDDLEWARE = [
why have we omitted "django.middleware.security.SecurityMiddleware"?
none of the SECURE_ settings will work
https://docs.djangoproject.com/en/3.2/ref/middleware/#django.middleware.security.SecurityMiddleware
There was a problem hiding this comment.
Reviewable status: all files reviewed, 6 unresolved discussions (waiting on @faucomte97)
codeforlife/settings/django.py line 27 at r1 (raw file):
"django.middleware.common.CommonMiddleware", "django.middleware.csrf.CsrfViewMiddleware", "django.contrib.messages.middleware.MessageMiddleware",
why do we need message middleware?
There was a problem hiding this comment.
Reviewable status: all files reviewed, 6 unresolved discussions (waiting on @SKairinos)
codeforlife/settings/django.py line 21 at r1 (raw file):
Previously, SKairinos (Stefan Kairinos) wrote…
why have we omitted "django.middleware.security.SecurityMiddleware"?
none of the SECURE_ settings will work
https://docs.djangoproject.com/en/3.2/ref/middleware/#django.middleware.security.SecurityMiddleware
The CustomSecurityMiddleware we have in the old system actually extends the base SecurityMiddleware and ensure a specific header is set to True - so I suppose we either want to do the same in the new system?
codeforlife/settings/django.py line 27 at r1 (raw file):
Previously, SKairinos (Stefan Kairinos) wrote…
why do we need message middleware?
Done.
codeforlife/settings/django.py line 64 at r1 (raw file):
Previously, SKairinos (Stefan Kairinos) wrote…
add a comment header for this group of settings and ref to the topic like the rest of the settings.
# Security # https://docs.djangoproject.com/en/3.2/topics/security/
Done.
codeforlife/settings/django.py line 68 at r1 (raw file):
Previously, SKairinos (Stefan Kairinos) wrote…
not needed. we won't be using django's email backend.
Done.
codeforlife/settings/django.py line 69 at r1 (raw file):
Previously, SKairinos (Stefan Kairinos) wrote…
What's this used for? let's discuss in a call
Used to point to our GCP bucket for any docs we have that we need to link to on the website (ie, club packs, impact report). Also some images and videos.
codeforlife/settings/django.py line 91 at r1 (raw file):
Previously, SKairinos (Stefan Kairinos) wrote…
remove this TODO. This must be true. cookies should only be sent over HTTPS.
No, this was part of our investigation into using sessions instead of cookies for CSRF.
If we still want to solve that issue we'll need to change it again.
https://docs.djangoproject.com/en/3.2/ref/settings/#csrf-cookie-secure
There was a problem hiding this comment.
Reviewed 4 of 4 files at r2, all commit messages.
Reviewable status: all files reviewed, 4 unresolved discussions (waiting on @faucomte97)
.github/workflows/main.yml line 1 at r2 (raw file):
name: Main
merge in main
codeforlife/settings/django.py line 69 at r1 (raw file):
Previously, faucomte97 (Florian Aucomte) wrote…
Used to point to our GCP bucket for any docs we have that we need to link to on the website (ie, club packs, impact report). Also some images and videos.
not needed on BE. should be a FE env var
codeforlife/settings/django.py line 91 at r1 (raw file):
Previously, faucomte97 (Florian Aucomte) wrote…
No, this was part of our investigation into using sessions instead of cookies for CSRF.
If we still want to solve that issue we'll need to change it again.https://docs.djangoproject.com/en/3.2/ref/settings/#csrf-cookie-secure
comment out and add TODO to check if needed.
and add comment CSRF_USE_SESSION=True
There was a problem hiding this comment.
add todo in auth/backends to make an admin backend
Reviewable status: all files reviewed, 4 unresolved discussions (waiting on @faucomte97)
There was a problem hiding this comment.
Done.
Reviewable status: 6 of 7 files reviewed, 5 unresolved discussions (waiting on @faucomte97 and @SKairinos)
.github/workflows/main.yml line 1 at r2 (raw file):
Previously, SKairinos (Stefan Kairinos) wrote…
merge in main
Done.
codeforlife/settings/django.py line 69 at r1 (raw file):
Previously, SKairinos (Stefan Kairinos) wrote…
not needed on BE. should be a FE env var
Leaving it for RR :(
codeforlife/settings/django.py line 76 at r1 (raw file):
LANGUAGE_CODE = "en-gb" LANGUAGES = [("en-gb", _("English"))] TIME_ZONE = "UTC"
@SKairinos This won't break anything right?
codeforlife/settings/django.py line 91 at r1 (raw file):
Previously, SKairinos (Stefan Kairinos) wrote…
comment out and add TODO to check if needed.
and add comment CSRF_USE_SESSION=True
Done.
There was a problem hiding this comment.
Reviewable status: 3 of 8 files reviewed, 6 unresolved discussions (waiting on @faucomte97 and @SKairinos)
codeforlife/settings/django.py line 86 at r3 (raw file):
# https://docs.djangoproject.com/en/3.2/ref/settings/#default-auto-field DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"
@SKairinos This is what is causing the pipeline to fail - it's requiring new migrations in all apps. Thoughts?
There was a problem hiding this comment.
Reviewable status: 3 of 8 files reviewed, 5 unresolved discussions (waiting on @faucomte97 and @SKairinos)
codeforlife/settings/django.py line 21 at r1 (raw file):
Previously, faucomte97 (Florian Aucomte) wrote…
The CustomSecurityMiddleware we have in the old system actually extends the base SecurityMiddleware and ensure a specific header is set to True - so I suppose we either want to do the same in the new system?
Done.
codeforlife/settings/django.py line 69 at r1 (raw file):
Previously, faucomte97 (Florian Aucomte) wrote…
Leaving it for RR :(
Removed - not needed by RR.
There was a problem hiding this comment.
Reviewed 4 of 5 files at r3, 1 of 1 files at r5, all commit messages.
Reviewable status: all files reviewed, 2 unresolved discussions (waiting on @faucomte97)
codeforlife/settings/django.py line 76 at r1 (raw file):
Previously, faucomte97 (Florian Aucomte) wrote…
@SKairinos This won't break anything right?
Not sure TBH. I've never changed TZ mid-project before
codeforlife/settings/django.py line 86 at r3 (raw file):
Previously, faucomte97 (Florian Aucomte) wrote…
@SKairinos This is what is causing the pipeline to fail - it's requiring new migrations in all apps. Thoughts?
We can just leave to AutoField for. Probably for the best as it's more memory efficient and we currently don't need so many rows
.github/workflows/main.yml line 18 at r3 (raw file):
with: # Cannot be set with an env var. Value must match in the release job. python-version: 3.8
please add the following below
codecov-slug: ocadotechnology/codeforlife-package-python
There was a problem hiding this comment.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @SKairinos)
.github/workflows/main.yml line 18 at r3 (raw file):
Previously, SKairinos (Stefan Kairinos) wrote…
please add the following below
codecov-slug: ocadotechnology/codeforlife-package-python
Done.
There was a problem hiding this comment.
Reviewed 1 of 1 files at r6, all commit messages.
Reviewable status:complete! all files reviewed, all discussions resolved (waiting on @faucomte97)
This change is