From ca0e86757b965dee26ba9b5d62328f3b9326cfbe Mon Sep 17 00:00:00 2001
From: Michael Shamoon <4887959+shamoon@users.noreply.github.com>
Date: Thu, 7 Apr 2022 21:17:59 -0700
Subject: [PATCH] add PAPERLESS_URL env variable for CSRF

---
 docker/compose/docker-compose.env |  4 ++++
 install-paperless-ngx.sh          | 12 +++++++++++
 paperless.conf.example            |  6 ++++--
 src/paperless/settings.py         | 33 ++++++++++++++++++++++++-------
 4 files changed, 46 insertions(+), 9 deletions(-)

diff --git a/docker/compose/docker-compose.env b/docker/compose/docker-compose.env
index e9e8ecb06..34e694b92 100644
--- a/docker/compose/docker-compose.env
+++ b/docker/compose/docker-compose.env
@@ -22,6 +22,10 @@
 # Docker setup does not use the configuration file.
 # A few commonly adjusted settings are provided below.
 
+# This is required if you will be exposing Paperless-ngx on a public domain
+# (if doing so please consider security measures such as reverse proxy)
+#PAPERLESS_URL=https://paperless.example.com
+
 # Adjust this key if you plan to make paperless available publicly. It should
 # be a very long sequence of random characters. You don't need to remember it.
 #PAPERLESS_SECRET_KEY=change-me
diff --git a/install-paperless-ngx.sh b/install-paperless-ngx.sh
index 1eb689c85..6ffcefbb6 100755
--- a/install-paperless-ngx.sh
+++ b/install-paperless-ngx.sh
@@ -92,6 +92,14 @@ echo ""
 echo "1. Application configuration"
 echo "============================"
 
+echo ""
+echo "The URL paperless will be available at. This is required if the"
+echo "installation will be accessible via the web, otherwise can be left blank."
+echo ""
+
+ask "URL" ""
+URL=$ask_result
+
 echo ""
 echo "The port on which the paperless webserver will listen for incoming"
 echo "connections."
@@ -278,6 +286,7 @@ if [[ "$DATABASE_BACKEND" == "postgres" ]] ; then
 	fi
 fi
 echo ""
+echo "URL: $URL"
 echo "Port: $PORT"
 echo "Database: $DATABASE_BACKEND"
 echo "Tika enabled: $TIKA_ENABLED"
@@ -313,6 +322,9 @@ SECRET_KEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 64 | head -n 1)
 DEFAULT_LANGUAGES="deu eng fra ita spa"
 
 {
+	if [[ ! $URL == "" ]] ; then
+		echo "PAPERLESS_URL=$URL"
+	fi
 	if [[ ! $USERMAP_UID == "1000" ]] ; then
 		echo "USERMAP_UID=$USERMAP_UID"
 	fi
diff --git a/paperless.conf.example b/paperless.conf.example
index de24bde74..0b37e210d 100644
--- a/paperless.conf.example
+++ b/paperless.conf.example
@@ -27,8 +27,10 @@
 # Security and hosting
 
 #PAPERLESS_SECRET_KEY=change-me
-#PAPERLESS_ALLOWED_HOSTS=example.com,www.example.com
-#PAPERLESS_CORS_ALLOWED_HOSTS=http://example.com,http://localhost:8000
+#PAPERLESS_URL=https://example.com
+#PAPERLESS_CSRF_TRUSTED_ORIGINS=https://example.com # can be set using PAPERLESS_URL
+#PAPERLESS_ALLOWED_HOSTS=example.com,www.example.com # can be set using PAPERLESS_URL
+#PAPERLESS_CORS_ALLOWED_HOSTS=https://localhost:8080,https://example.com # can be set using PAPERLESS_URL
 #PAPERLESS_FORCE_SCRIPT_NAME=
 #PAPERLESS_STATIC_URL=/static/
 #PAPERLESS_AUTO_LOGIN_USERNAME=
diff --git a/src/paperless/settings.py b/src/paperless/settings.py
index 023f2fa2c..30d6e87c4 100644
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -4,6 +4,7 @@ import multiprocessing
 import os
 import re
 from typing import Final
+from urllib.parse import urlparse
 
 from concurrent_log_handler.queue import setup_logging_queues
 from django.utils.translation import gettext_lazy as _
@@ -219,7 +220,15 @@ if DEBUG:
 else:
     X_FRAME_OPTIONS = "SAMEORIGIN"
 
-# We allow CORS from localhost:8080
+
+# The next 3 settings can also be set using just PAPERLESS_URL
+_csrf_origins = os.getenv("PAPERLESS_CSRF_TRUSTED_ORIGINS")
+if _csrf_origins:
+    CSRF_TRUSTED_ORIGINS = _csrf_origins.split(",")
+else:
+    CSRF_TRUSTED_ORIGINS = []
+
+# We allow CORS from localhost:8000
 CORS_ALLOWED_ORIGINS = tuple(
     os.getenv("PAPERLESS_CORS_ALLOWED_HOSTS", "http://localhost:8000").split(","),
 )
@@ -228,6 +237,22 @@ if DEBUG:
     # Allow access from the angular development server during debugging
     CORS_ALLOWED_ORIGINS += ("http://localhost:4200",)
 
+_allowed_hosts = os.getenv("PAPERLESS_ALLOWED_HOSTS")
+if _allowed_hosts:
+    ALLOWED_HOSTS = _allowed_hosts.split(",")
+else:
+    ALLOWED_HOSTS = ["*"]
+
+_paperless_url = os.getenv("PAPERLESS_URL")
+if _paperless_url:
+    _paperless_uri = urlparse(_paperless_url)
+    CSRF_TRUSTED_ORIGINS.append(_paperless_url)
+    CORS_ALLOWED_ORIGINS += (_paperless_url,)
+    if _allowed_hosts:
+        ALLOWED_HOSTS.append(_paperless_uri.hostname)
+    else:
+        ALLOWED_HOSTS = [_paperless_uri.hostname]
+
 # The secret key has a default that should be fine so long as you're hosting
 # Paperless on a closed network.  However, if you're putting this anywhere
 # public, you should change the key to something unique and verbose.
@@ -236,12 +261,6 @@ SECRET_KEY = os.getenv(
     "e11fl1oa-*ytql8p)(06fbj4ukrlo+n7k&q5+$1md7i+mge=ee",
 )
 
-_allowed_hosts = os.getenv("PAPERLESS_ALLOWED_HOSTS")
-if _allowed_hosts:
-    ALLOWED_HOSTS = _allowed_hosts.split(",")
-else:
-    ALLOWED_HOSTS = ["*"]
-
 AUTH_PASSWORD_VALIDATORS = [
     {
         "NAME": "django.contrib.auth.password_validation.UserAttributeSimilarityValidator",