Merge pull request #30 from dmdhrumilmistry/29-csrf-verification-failed

csrf bug fix

GooglePhish/settings.py

@@ -33,7 +33,7 @@
 DEBUG = True if environ.get('DEBUG','False').lower() == 'true' else False
 
 ALLOWED_HOSTS = environ.get('ALLOWED_HOSTS', '*').split(',')
-
+CSRF_TRUSTED_ORIGINS_VARIABLE = [origin.strip() for origin in environ.get('CSRF_TRUSTED_ORIGINS','').split(',')]
 
 # Application definition
 
@@ -140,4 +140,7 @@
 
 # Comment STATIC_ROOT when debug is True
 # Never use STATICFILES_DIRS and STATIC_ROOT both at the same time
-STATIC_ROOT = os.path.join(BASE_DIR, 'serve_static')
+STATIC_ROOT = os.path.join(BASE_DIR, 'serve_static')
+
+## accept CSRF tokens from different domains
+CSRF_TRUSTED_ORIGINS = CSRF_TRUSTED_ORIGINS_VARIABLE

Makefile

@@ -0,0 +1,2 @@
+run:
+	@python manage.py runserver 8000

README.md

@@ -122,20 +122,28 @@ If you have build the dockerfile with no arguments, the default credentials are
 
     > Use `--insecure` tag if any issue is encountered while loading static files.
 
-## Generate and update new random key before using GooglePhish
+## Update `.env` file
 
-- Generate and copy new key
+- Env File template
+
+    ```bash
+    DJANGO_SECRET_KEY=secret_key
+    DEBUG=False
+    ALLOWED_HOSTS=*
+    CSRF_TRUSTED_ORIGINS=https://your-domain.ngrok-free.app,https://domain.localhost.run
+    ```
+
+- Generate and copy new secret key
 
     ```bash
     python3 generate_new_key.py
     ```
 
-- update secret key in settings.py of GooglePhish on line 23
+- Set `DEBUG` variable to `True` only during development stage, else use `False`
+
+- Set `CSRF_TRUSTED_ORIGINS` while using ssh tunnels such as `ngrok` and `localhost.run`.
 
-  ```python
-    # SECURITY WARNING: keep the secret key used in production secret!
-    SECRET_KEY = 'your_new_key'
-  ```
+- update values in `.env` file
   
 ## View Passwords using GooglePhish Dashboard Page
 

manage.py

@@ -1,4 +1,3 @@
-#!/usr/bin/env python
 """Django's command-line utility for administrative tasks."""
 import os
 import sys