
Incompatible with CSRF_USE_SESSIONS = True #14

Closed
nijel opened this issue Jul 31, 2024 · 2 comments · Fixed by #15

Comments

@nijel
Contributor

nijel commented Jul 31, 2024

The client code fetches the CSRF token from the cookie, but this is not available with CSRF_USE_SESSIONS = True. We ended up using that as the outcome of some security audits. I don't think it's more secure and Django documentation agrees, but storing the CSRF token in a cookie is a red flag for some audits.

Would it be possible to let it extract it from the HTML page in this case?

We make sure that the input is always present (<input type="hidden" name="csrfmiddlewaretoken" value="...">).

@Stormheg
Member

Stormheg commented Jul 31, 2024

Thanks for the report!

Originally, my proof of concept retrieved the CSRF token from a hidden input. If I recall my reasoning correctly, I changed that to retrieve from a cookie instead under the assumption that it is always available and a hidden input might not be. Turns out that is a wrong assumption.

Would you be up to opening a pull request? The JS that goes looking for the CSRF token lives here:

export async function getCSRFToken(config: Config): Promise<string> {

Falling back to looking for an input on the page sounds like it would do the job.
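The cookie-then-hidden-input lookup discussed above, written out as an added example in plain JavaScript; it is not the project's getCSRFToken and assumes its own signature (a cookie string plus a document-like object) and Django's default cookie name "csrftoken", with a constructed stub document standing in for a page rendered with {% csrf_token %}.

```javascript
// Added example (not the project's code): resolve Django's CSRF token from the
// cookie when it exists and otherwise from the hidden input that {% csrf_token %}
// renders. With CSRF_USE_SESSIONS = True, Django never sets the cookie, so only
// the fallback can succeed; "csrftoken" is Django's default CSRF_COOKIE_NAME.

function tokenFromCookie(cookieString, cookieName = "csrftoken") {
  // document.cookie looks like "a=1; b=2"; match the exact name, not a prefix.
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === cookieName && rest.length > 0) {
      return decodeURIComponent(rest.join("="));
    }
  }
  return null;
}

function tokenFromHiddenInput(root) {
  // root is a Document or Element exposing querySelector (a stub below).
  const input = root.querySelector('input[name="csrfmiddlewaretoken"]');
  const value = input && typeof input.value === "string" ? input.value.trim() : "";
  return value.length > 0 ? value : null;
}

function getCSRFToken({ cookieString, root, cookieName = "csrftoken" }) {
  const token = tokenFromCookie(cookieString, cookieName) ?? tokenFromHiddenInput(root);
  if (token === null) {
    // Fail loudly here; otherwise the symptom is an opaque 403 from Django.
    throw new Error("CSRF token not found in cookie or hidden input");
  }
  return token;
}

// Constructed stand-in for a rendered page: returns the hidden input only when
// a token value was supplied, so the "no cookie, no input" case can be exercised.
function makeStubDocument(tokenValue) {
  return {
    querySelector(selector) {
      return selector === 'input[name="csrfmiddlewaretoken"]' && tokenValue !== undefined
        ? { value: tokenValue }
        : null;
    },
  };
}
```

In a browser the call would be getCSRFToken({ cookieString: document.cookie, root: document }).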

@nijel
Contributor Author

nijel commented Jul 31, 2024

Sorry, if it would be in Python, I'd do it, but TypeScript is out of my abilities.
