refactor(api): Make sure CSRF_TRUSTED_ORIGIN always has a protocol prefix

Part-of: <https://dev.funkwhale.audio/funkwhale/funkwhale/-/merge_requests/2709>

api/config/settings/common.py

@@ -2,7 +2,7 @@ import logging.config
 import sys
 import warnings
 from collections import OrderedDict
-from urllib.parse import urlsplit
+from urllib.parse import urlparse, urlsplit
 
 import environ
 from celery.schedules import crontab
@@ -224,6 +224,13 @@ ALLOWED_HOSTS = env.list("DJANGO_ALLOWED_HOSTS", default=[]) + [FUNKWHALE_HOSTNA
 List of allowed hostnames for which the Funkwhale server will answer.
 """
 
+CSRF_TRUSTED_ORIGINS = [urlparse(o, FUNKWHALE_PROTOCOL).geturl() for o in ALLOWED_HOSTS]
+"""
+List of origins that are trusted for unsafe requests
+We simply consider all allowed hosts to be trusted origins
+See https://docs.djangoproject.com/en/4.2/ref/settings/#csrf-trusted-origins
+"""
+
 # APP CONFIGURATION
 # ------------------------------------------------------------------------------
 DJANGO_APPS = (

api/config/settings/local.py

@@ -96,8 +96,6 @@ CELERY_TASK_ALWAYS_EAGER = False
 
 # Your local stuff: Below this line define 3rd party library settings
 
-CSRF_TRUSTED_ORIGINS = [o for o in ALLOWED_HOSTS]
-
 REST_FRAMEWORK["DEFAULT_SCHEMA_CLASS"] = "funkwhale_api.schema.CustomAutoSchema"
 SPECTACULAR_SETTINGS = {
     "TITLE": "Funkwhale API",

api/config/settings/production.py

@@ -41,14 +41,6 @@ SECRET_KEY = env("DJANGO_SECRET_KEY")
 # SESSION_COOKIE_HTTPONLY = True
 # SECURE_SSL_REDIRECT = env.bool("DJANGO_SECURE_SSL_REDIRECT", default=True)
 
-# SITE CONFIGURATION
-# ------------------------------------------------------------------------------
-# Hosts/domain names that are valid for this site
-# See https://docs.djangoproject.com/en/1.6/ref/settings/#allowed-hosts
-CSRF_TRUSTED_ORIGINS = ALLOWED_HOSTS
-
-# END SITE CONFIGURATION
-
 # Static Assets
 # ------------------------
 STATICFILES_STORAGE = "django.contrib.staticfiles.storage.StaticFilesStorage"