From d13ae7418eda5bbee52a75784818dc552768a5a4 Mon Sep 17 00:00:00 2001 From: Sergei Maertens Date: Thu, 4 Jul 2024 11:50:48 +0200 Subject: [PATCH] :whale: Fix proxy-setup with docker-compose We need to rewrite the Host header when we make API calls to localhost:8001 and localhost:8002 from the test suite, since the URLs need to be resolvable from container-to-container. However, the previous setup broke the local docker-compose setup for login to the admin because the cookie domain is set to the internal service names, so logging in was no longer possible due to a missing csrftoken cookie (as we log in on localhost, not the internal service names). Only overwriting the Host header in /api/ subpaths is a pragmatic approach that should solve this, since CSRF cookies are not used in the API. Furthermore, the browser sends an Oigin header of localhost:800x, but this is different from the Host seen by Django due to the proxy_pass directive, which also results in CSRF issues. The solution is to enable X-Forwarded-Host header and calculate it in nginx, so that it matches. For this match to happen, we also need to add the port number and keep the mapped docker-compose port and nginx server block ports in sync, since different ports lead to different origins. --- docker/docker-compose.objects-apis.yml | 8 +++++--- .../fixtures/objects_api_fixtures.json | 9 +++++---- docker/objects-apis/nginx.conf | 14 ++++++++++++-- 3 files changed, 22 insertions(+), 9 deletions(-) diff --git a/docker/docker-compose.objects-apis.yml b/docker/docker-compose.objects-apis.yml index 7b70919ec3..cf5defbef0 100644 --- a/docker/docker-compose.objects-apis.yml +++ b/docker/docker-compose.objects-apis.yml @@ -25,6 +25,7 @@ services: - DJANGO_SETTINGS_MODULE=objecttypes.conf.docker - SECRET_KEY=${SECRET_KEY:-fgv=c0hz&tl*8*3m3893@m+1pstrvidc9e^5@fpspmg%cy$15d} - ALLOWED_HOSTS=* + - USE_X_FORWARDED_HOST=true - DB_HOST=objects-objecttypes-db - DB_NAME=objecttypes - DB_USER=objecttypes 
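Review bot: `USE_X_FORWARDED_HOST=true` is added directly below `ALLOWED_HOSTS=*`, so (assuming the variable maps to Django's setting of the same name) the application takes its host from a request header while no host validation is in place. That is only sound as long as every request reaches the container through the nginx service in this compose file. A comment above the new line would record the assumption, for example `# only safe behind the bundled nginx, which sets X-Forwarded-Host; local/CI use only`. The same applies to the identical addition in the `objects-web` environment in the next hunk. The `environment` list starts above this hunk and continues below it.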
@@ -44,11 +45,12 @@ services: - open-forms-dev objects-web: - image: maykinmedia/objects-api:${OBJECTS_VERSION:-2.3.1} + image: maykinmedia/objects-api:${OBJECTS_VERSION:-2.3.2} environment: &objects_web_env - DJANGO_SETINGS_MODULE=objects.conf.docker - SECRET_KEY=${SECRET_KEY:-fgv=c0hz&tl*8*3m3893@m+1pstrvidc9e^5@fpspmg%cy$15d} - ALLOWED_HOSTS=* + - USE_X_FORWARDED_HOST=true - DB_HOST=objects-objecttypes-db - DB_NAME=objects - DB_USER=objects @@ -86,8 +88,8 @@ services: volumes: - ./objects-apis/nginx.conf:/etc/nginx/conf.d/default.conf ports: - - '8001:80' - - '8002:81' + - '8001:8001' + - '8002:8002' depends_on: - objects-web - objecttypes-web diff --git a/docker/objects-apis/fixtures/objects_api_fixtures.json b/docker/objects-apis/fixtures/objects_api_fixtures.json index 3d786b068f..e8f9d043ff 100644 --- a/docker/objects-apis/fixtures/objects_api_fixtures.json +++ b/docker/objects-apis/fixtures/objects_api_fixtures.json @@ -28,8 +28,9 @@ }, { "model": "token.tokenauth", - "pk": "7657474c3d75f56ae0abd0d1bf7994b09964dca9", + "pk": 1, "fields": { + "token": "7657474c3d75f56ae0abd0d1bf7994b09964dca9", "contact_person": "Admin", "email": "admin@example.com", "organization": "", @@ -43,7 +44,7 @@ "model": "token.permission", "pk": 1, "fields": { - "token_auth": "7657474c3d75f56ae0abd0d1bf7994b09964dca9", + "token_auth": 1, "object_type": 1, "mode": "read_and_write", "use_fields": false, @@ -54,7 +55,7 @@ "model": "token.permission", "pk": 2, "fields": { - "token_auth": "7657474c3d75f56ae0abd0d1bf7994b09964dca9", + "token_auth": 1, "object_type": 2, "mode": "read_and_write", "use_fields": false, @@ -65,7 +66,7 @@ "model": "token.permission", "pk": 3, "fields": { - "token_auth": "7657474c3d75f56ae0abd0d1bf7994b09964dca9", + "token_auth": 1, "object_type": 3, "mode": "read_and_write", "use_fields": false, diff --git a/docker/objects-apis/nginx.conf b/docker/objects-apis/nginx.conf index 31dda1b821..69c9644a34 100644 --- a/docker/objects-apis/nginx.conf 
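Review bot: The `&objects_web_env` block in this hunk spells the key `DJANGO_SETINGS_MODULE`, whereas the objecttypes service uses `DJANGO_SETTINGS_MODULE`. With the misspelling, `objects.conf.docker` is presumably never selected through this variable and the image's default settings module applies. The new `USE_X_FORWARDED_HOST=true` line only has an effect if the loaded settings module reads it, so either correct the line to `- DJANGO_SETTINGS_MODULE=objects.conf.docker` in this commit or confirm that the image default is already that module. The environment list continues below the hunk.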
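Review bot: The new mappings `'8001:8001'` and `'8002:8002'` publish both APIs on every host interface. The services behind them run with `ALLOWED_HOSTS=*`, a default `SECRET_KEY` and, per the fixtures in this commit, a fixed API token with `read_and_write` permissions. Binding to loopback is enough for local and CI use: `- '127.0.0.1:8001:8001'` and `- '127.0.0.1:8002:8002'`. A one-line comment noting that the container ports must equal the `listen` ports in `nginx.conf` (because of `$server_port`) would keep the coupling described in the commit message next to the values.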
+++ b/docker/objects-apis/nginx.conf @@ -1,18 +1,28 @@ server { - listen 80; + listen 8001; server_name localhost; location / { + proxy_pass http://objecttypes-web:8000; + proxy_set_header X-Forwarded-Host $host:$server_port; + } + + location /api/ { proxy_pass http://objecttypes-web:8000; proxy_set_header Host objecttypes-web:8000; } } server { - listen 81; + listen 8002; server_name localhost; location / { + proxy_pass http://objects-web:8000; + proxy_set_header X-Forwarded-Host $host:$server_port; + } + + location /api/ { proxy_pass http://objects-web:8000; proxy_set_header Host objects-web:8000; }
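Review bot: The `/api/` locations rewrite `Host` but leave `X-Forwarded-Host` untouched, and nginx passes client request headers upstream unchanged unless a `proxy_set_header` overrides them. With `USE_X_FORWARDED_HOST=true` now set in the compose file, a request to `/api/` that carries its own `X-Forwarded-Host` would presumably make Django prefer that value over the rewritten `Host`. The container-resolvable URLs the commit message relies on are then no longer guaranteed. Adding `proxy_set_header X-Forwarded-Host "";` to both `/api/` blocks stops the header from being forwarded. The closing brace of the second `server` block lies outside the hunk.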