flavors / django-graphql-jwt

JSON Web Token (JWT) authentication for Graphene Django

Home Page:https://django-graphql-jwt.domake.io


Samesite setting not being set on HttpOnly token delete

aaonhub opened this issue · comments


Sorry if there's some standard I'm not following; it's my first GitHub issue submission.

I don't know why, but getting the token works fine, while trying to delete it ignores the samesite setting.

My django settings (I tried commenting out the samesite setting but nothing changed):

GRAPHQL_JWT = {
    "JWT_COOKIE_SECURE": True,
    "JWT_COOKIE_SAMESITE": "None",

    # optional
    "JWT_LONG_RUNNING_REFRESH_TOKEN": True,
}

My apollo client HttpLink:

const link = new HttpLink({
    uri: 'http://127.0.0.1:8000/',
    credentials: 'include',
});

Token mutation: [screenshot not preserved]

Deleting token mutation: [screenshot not preserved]

Can confirm. This same thing is happening to me; the only difference is that I am not using the Long Running Refresh Tokens.


I feel like this is a pretty major bug. Is nobody else having this problem?

@aaonhub I'm having the same problem, did you already solve the problem?

It looks like the method used to delete cookies simply ignores the samesite setting.

def delete_cookie(response, key):
    response.delete_cookie(
        key,
        path=jwt_settings.JWT_COOKIE_PATH,
        domain=jwt_settings.JWT_COOKIE_DOMAIN,
    )

After a quick test the following change works:

import django
from graphql_jwt.settings import jwt_settings


def delete_cookie(response, key):
    kwargs = {
        "path": jwt_settings.JWT_COOKIE_PATH,
        "domain": jwt_settings.JWT_COOKIE_DOMAIN,
    }
    # delete_cookie() only accepts samesite on Django versions that support it
    if django.VERSION >= (2, 1):
        kwargs["samesite"] = jwt_settings.JWT_COOKIE_SAMESITE

    response.delete_cookie(key, **kwargs)
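To make the difference between the two delete_cookie variants concrete, here is an added example that is not part of this thread or of django-graphql-jwt. It uses a small stand-in for django.http.HttpResponse (FakeResponse, written here so the script runs without Django, mirroring Django's approach of deleting a cookie by overwriting it with an already-expired one) and a constructed JWT_SETTINGS dict in place of graphql_jwt.settings.jwt_settings. It prints the Set-Cookie header each variant emits on logout and includes a regression check a test suite can run against a real logout response: the expiring cookie must carry the configured SameSite value and, when that value is None, the Secure flag, otherwise a browser receiving the header in a cross-site response may discard it and the token cookie survives the "logout".

```python
# Added example, not code from django-graphql-jwt or this issue thread.
from http.cookies import SimpleCookie

EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"

# Constructed stand-in for graphql_jwt.settings.jwt_settings.
JWT_SETTINGS = {
    "JWT_COOKIE_PATH": "/",
    "JWT_COOKIE_DOMAIN": None,
    "JWT_COOKIE_SAMESITE": "None",
}


class FakeResponse:
    """Just enough of HttpResponse's cookie API for this demonstration."""

    def __init__(self):
        self.cookies = SimpleCookie()

    def set_cookie(self, key, value="", max_age=None, expires=None, path="/",
                   domain=None, secure=False, samesite=None):
        self.cookies[key] = value
        morsel = self.cookies[key]
        if max_age is not None:
            morsel["max-age"] = max_age
        if expires is not None:
            morsel["expires"] = expires
        morsel["path"] = path
        if domain is not None:
            morsel["domain"] = domain
        if secure:
            morsel["secure"] = True
        if samesite is not None:
            morsel["samesite"] = samesite

    def delete_cookie(self, key, path="/", domain=None, samesite=None):
        # Deletion is an already-expired overwrite. SameSite=None has to be
        # paired with Secure, otherwise browsers reject the whole header.
        secure = key.startswith(("__Secure-", "__Host-")) or (
            samesite is not None and samesite.lower() == "none"
        )
        self.set_cookie(key, max_age=0, expires=EPOCH, path=path,
                        domain=domain, secure=secure, samesite=samesite)

    def set_cookie_header(self, key):
        return self.cookies[key].OutputString()


def delete_cookie_original(response, key, settings=JWT_SETTINGS):
    """Behaviour quoted in the thread: samesite is never forwarded."""
    response.delete_cookie(key, path=settings["JWT_COOKIE_PATH"],
                           domain=settings["JWT_COOKIE_DOMAIN"])


def delete_cookie_fixed(response, key, settings=JWT_SETTINGS):
    """Proposed fix: forward the configured SameSite attribute."""
    response.delete_cookie(key, path=settings["JWT_COOKIE_PATH"],
                           domain=settings["JWT_COOKIE_DOMAIN"],
                           samesite=settings["JWT_COOKIE_SAMESITE"])


def cookie_attributes(header):
    """Parse 'name=value; Attr=val; Flag' into a lowercase-keyed dict."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:
        name, _, value = part.partition("=")
        attrs[name.lower()] = value
    return attrs


def deletion_matches_settings(header, settings=JWT_SETTINGS):
    """Regression check for a logout response's Set-Cookie line."""
    attrs = cookie_attributes(header)
    if attrs.get("max-age") != "0":
        return False
    want = settings["JWT_COOKIE_SAMESITE"].lower()
    if attrs.get("samesite", "").lower() != want:
        return False
    if want == "none" and "secure" not in attrs:
        return False
    return True


def deletion_header(fixed, key="JWT", settings=JWT_SETTINGS):
    """Build the Set-Cookie header the server would emit on logout."""
    response = FakeResponse()
    delete = delete_cookie_fixed if fixed else delete_cookie_original
    delete(response, key, settings)
    return response.set_cookie_header(key)


if __name__ == "__main__":
    for fixed in (False, True):
        header = deletion_header(fixed)
        verdict = "ok" if deletion_matches_settings(header) else "REJECTED"
        print("fixed   " if fixed else "original", header, "->", verdict)
```

Running it shows the original variant emitting `JWT=""; expires=...; Max-Age=0; Path=/` with no SameSite or Secure attribute, while the fixed variant adds `SameSite=None; Secure`, which is the shape the check accepts. With JWT_COOKIE_SAMESITE set to Lax the fixed variant emits `SameSite=Lax` without Secure and still passes, since the Secure requirement applies only to SameSite=None.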