From 0f5294c5e27f1bf29589f8124a25c712ce8cbf41 Mon Sep 17 00:00:00 2001
From: Nikhil <118773738+pablohashescobar@users.noreply.github.com>
Date: Tue, 21 May 2024 15:04:10 +0530
Subject: [PATCH] [WEB - 1387]dev: custom csrf failure view (#4531)

* dev: custom csrf view

* dev: update template to use only css for styling
---
 .../plane/authentication/views/common.py      | 10 ++-
 apiserver/plane/settings/common.py            |  1 +
 apiserver/templates/csrf_failure.html         | 66 +++++++++++++++++++
 3 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 apiserver/templates/csrf_failure.html

diff --git a/apiserver/plane/authentication/views/common.py b/apiserver/plane/authentication/views/common.py
index 640f744ce..3e95d6ed8 100644
--- a/apiserver/plane/authentication/views/common.py
+++ b/apiserver/plane/authentication/views/common.py
@@ -1,3 +1,6 @@
+# Django imports
+from django.shortcuts import render
+
 # Third party imports
 from rest_framework import status
 from rest_framework.permissions import AllowAny
@@ -17,7 +20,7 @@ from plane.authentication.adapter.error import (
 )
 from django.middleware.csrf import get_token
 from plane.utils.cache import invalidate_cache
-
+from plane.authentication.utils.host import base_host
 
 class CSRFTokenEndpoint(APIView):
 
@@ -34,6 +37,11 @@ class CSRFTokenEndpoint(APIView):
         )
 
 
+def csrf_failure(request, reason=""):
+    """Custom CSRF failure view"""
+    return render(request, "csrf_failure.html", {"reason": reason, "root_url": base_host(request=request)})
+
+
 class ChangePasswordEndpoint(APIView):
     def post(self, request):
         user = User.objects.get(pk=request.user.id)
diff --git a/apiserver/plane/settings/common.py b/apiserver/plane/settings/common.py
index ed756642b..853478c75 100644
--- a/apiserver/plane/settings/common.py
+++ b/apiserver/plane/settings/common.py
@@ -345,6 +345,7 @@ CSRF_COOKIE_SECURE = secure_origins
 CSRF_COOKIE_HTTPONLY = True
 CSRF_TRUSTED_ORIGINS = cors_allowed_origins
 CSRF_COOKIE_DOMAIN = os.environ.get("COOKIE_DOMAIN", None)
+CSRF_FAILURE_VIEW = "plane.authentication.views.common.csrf_failure"
 
 # Base URLs
 ADMIN_BASE_URL = os.environ.get("ADMIN_BASE_URL", None)
diff --git a/apiserver/templates/csrf_failure.html b/apiserver/templates/csrf_failure.html
new file mode 100644
index 000000000..b5a58cb02
--- /dev/null
+++ b/apiserver/templates/csrf_failure.html
@@ -0,0 +1,66 @@
+<!-- templates/csrf_failure.html -->
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>CSRF Verification Failed</title>
+    <style>
+      body {
+        font-family: Arial, sans-serif;
+        background-color: #f8f9fa;
+        padding: 50px;
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        height: 100vh;
+        margin: 0;
+      }
+      .card {
+        max-width: 400px;
+        padding: 30px;
+        background-color: #ffffff;
+        border-radius: 8px;
+        box-shadow: 0 4px 8px rgba(0, 0, 0, 0.1);
+      }
+      .card-header {
+        text-align: center;
+        margin-bottom: 20px;
+      }
+      .btn-primary {
+        display: block;
+        width: 100%;
+        padding: 10px;
+        background-color: #007bff;
+        color: #fff;
+        text-align: center;
+        text-decoration: none;
+        border: none;
+        border-radius: 4px;
+        cursor: pointer;
+      }
+      .btn-primary:hover {
+        background-color: #0056b3;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="card">
+      <div class="card-header">
+        <h3>CSRF Verification Failed</h3>
+      </div>
+      <div class="card-body">
+        <p>
+          It looks like your form submission has expired or there was a problem
+          with your request.
+        </p>
+        <p>Please try the following:</p>
+        <ul>
+          <li>Refresh the page and try submitting the form again.</li>
+          <li>Ensure that cookies are enabled in your browser.</li>
+        </ul>
+        <a href="{{ root_url }}" class="btn-primary">Go to Home Page</a>
+      </div>
+    </div>
+  </body>
+</html>