2.4.3: remove jwt authentication from csrf endpoint
Released by robrap, 07 Nov 04:47
The main purpose of this commit is to remove the IsAuthenticated
permission from the /csrf/api/v1/token endpoint. The permission was
never needed, and doesn't allow the endpoint to be used to retrieve a
csrf token for use with an anonymous POST.
A temporary Django Setting was added to help with the rollout:
- EDX_DRF_EXTENSIONS[ENABLE_ANONYMOUS_ACCESS_ROLLOUT]
This setting will help manage the rollout of CSRF protection.
Other minor fixes included:
- Updated README to clarify the purpose of the repo.
- Added testing of the existing csrf app to tox.
ARCH-1269