From 5d266420e10c15c95906831561a074992dc8cf7e Mon Sep 17 00:00:00 2001
From: IRBorisov <8611739+IRBorisov@users.noreply.github.com>
Date: Mon, 18 Sep 2023 14:29:23 +0300
Subject: [PATCH] Fix CSRF
---
 rsconcept/backend/.env.prod | 2 +-
 rsconcept/backend/project/settings.py | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/rsconcept/backend/.env.prod b/rsconcept/backend/.env.prod
index 7ef3b67a..90cedabd 100644
--- a/rsconcept/backend/.env.prod
+++ b/rsconcept/backend/.env.prod
@@ -4,7 +4,7 @@ ALLOWED_HOSTS=portal.acconcept.ru;api.portal.acconcept.ru
 CSRF_TRUSTED_ORIGINS=https://portal.acconcept.ru;https://api.portal.acconcept.ru
 CORS_ALLOWED_ORIGINS=https://portal.acconcept.ru
-CSRF_COOKIE_DOMAIN=.acconcept.ru
+CSRF_COOKIE_DOMAIN=.portal.acconcept.ru
 # File locations
diff --git a/rsconcept/backend/project/settings.py b/rsconcept/backend/project/settings.py
index 5bd895fb..f6ee3343 100644
--- a/rsconcept/backend/project/settings.py
+++ b/rsconcept/backend/project/settings.py
@@ -68,7 +68,12 @@ REST_FRAMEWORK = {
 CORS_ALLOW_CREDENTIALS = True
 CORS_ALLOWED_ORIGINS = os.environ.get('CORS_ALLOWED_ORIGINS', 'http://localhost:3000').split(';')
 CSRF_TRUSTED_ORIGINS = os.environ.get('CSRF_TRUSTED_ORIGINS', 'http://localhost:3000').split(';')
-CSRF_COOKIE_DOMAIN = os.environ.get('CSRF_COOKIE_DOMAIN', 'localhost').split(';')
+
+_domain = os.environ.get('CSRF_COOKIE_DOMAIN', '')
+if _domain != '':
+ CSRF_COOKIE_DOMAIN = _domain
+ SESSION_COOKIE_DOMAIN = _domain
+
 # CSRF_HEADER_NAME = 'HTTP_X_CSRFTOKEN'
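Review bot: In the settings.py hunk the same environment variable now scopes the session cookie as well as the CSRF cookie (`SESSION_COOKIE_DOMAIN = _domain`), which neither the variable name CSRF_COOKIE_DOMAIN nor the commit title "Fix CSRF" indicates; a comment above the assignment such as `# One Domain attribute for both cookies so they are shared across the same hosts` would stop the next reader from removing it as a copy-paste slip. The guard is better written as `_domain = os.environ.get('CSRF_COOKIE_DOMAIN', '').strip()` followed by `if _domain:`, since a stray space or a whitespace-only value from the .env file would otherwise be emitted as a malformed Domain attribute and the cookie may be dropped by browsers, which would surface as CSRF failures rather than a configuration error. Because both cookies now carry a Domain attribute covering several hosts and the CSRF_TRUSTED_ORIGINS in .env.prod are https, CSRF_COOKIE_SECURE and SESSION_COOKIE_SECURE are the natural companion settings; they are not in this hunk, so whether they are set elsewhere in settings.py cannot be seen from here. The leftover module-level `_domain` is not picked up as a Django setting (only upper-case names are), but a `del _domain` after the block would keep the settings namespace tidy.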