diff --git a/posthog/middleware.py b/posthog/middleware.py index f71d6fbc7bdb1..ee73a98ce4737 100644 --- a/posthog/middleware.py +++ b/posthog/middleware.py @@ -15,7 +15,6 @@ from django.utils.cache import add_never_cache_headers from django_prometheus.middleware import Metrics, PrometheusAfterMiddleware, PrometheusBeforeMiddleware from rest_framework import status -from revproxy.views import ProxyView from statshog.defaults.django import statsd from posthog.api.capture import get_event @@ -27,7 +26,7 @@ from posthog.metrics import LABEL_TEAM_ID from posthog.models import Action, Cohort, Dashboard, FeatureFlag, Insight, Team, User from posthog.rate_limit import DecideRateThrottle -from posthog.settings import SITE_URL +from posthog.settings import SITE_URL, DEBUG from posthog.settings.statsd import STATSD_HOST from posthog.user_permissions import UserPermissions from .auth import PersonalAPIKeyAuthentication @@ -45,6 +44,9 @@ "_health", ] +if DEBUG: + ALWAYS_ALLOWED_ENDPOINTS.append("i") + default_cookie_options = { "max_age": 365 * 24 * 60 * 60, # one year "expires": None, @@ -113,6 +115,8 @@ def process_view(self, request, callback, callback_args, callback_kwargs): # if super().process_view did not find a valid CSRF token, try looking for a personal API key if result is not None and PersonalAPIKeyAuthentication.find_key_with_source(request) is not None: return self._accept(request) + if DEBUG and request.path.split("/")[1] in ALWAYS_ALLOWED_ENDPOINTS: + return self._accept(request) return result def _accept(self, request): @@ -319,24 +323,6 @@ def __call__(self, request: HttpRequest): return response -# Used on local devenv to forward `/i/` to capture-rs on port 3000 -class CaptureRsProxy(ProxyView): - upstream = "http://localhost:3000" - - -# Used on local devenv to forward `/i/` to capture-rs on port 3000 -class CaptureRsProxyMiddleware: - def __init__(self, get_response): - self.get_response = get_response - self.view = CaptureRsProxy.as_view() - - def __call__(self, request: HttpRequest): - if request.path.startswith("/i/"): - return self.view(request, request.path.lstrip("/")) - else: - return self.get_response(request) - - class CaptureMiddleware: """ Middleware to serve up capture responses. We specifically want to avoid diff --git a/posthog/settings/web.py b/posthog/settings/web.py index 591d6a58b95c8..c732c7a8e4314 100644 --- a/posthog/settings/web.py +++ b/posthog/settings/web.py @@ -113,10 +113,7 @@ MIDDLEWARE.append("django_statsd.middleware.StatsdMiddlewareTimer") if DEBUG: - # Used on local devenv to forward `/i/` to capture-rs on port 3000, - # we short-circuit the whole middleware chain to avoid CSRF and auth errors, - # like CaptureMiddleware does. - MIDDLEWARE.insert(0, "posthog.middleware.CaptureRsProxyMiddleware") + # Used on local devenv to reverse-proxy all of /i/* to capture-rs on port 3000 INSTALLED_APPS.append("revproxy") # Append Enterprise Edition as an app if available diff --git a/posthog/urls.py b/posthog/urls.py index 6bae5317165a2..68b45734d5377 100644 --- a/posthog/urls.py +++ b/posthog/urls.py @@ -8,6 +8,7 @@ from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie, requires_csrf_token from django_prometheus.exports import ExportToDjangoView from drf_spectacular.views import SpectacularAPIView, SpectacularRedocView, SpectacularSwaggerView +from revproxy.views import ProxyView from sentry_sdk import last_event_id from two_factor.urls import urlpatterns as tf_urls @@ -176,6 +177,10 @@ def opt_slash_path(route: str, view: Callable, name: Optional[str] = None) -> UR # what we do. urlpatterns.append(path("_metrics", ExportToDjangoView)) + # Reverse-proxy all of /i/* to capture-rs on port 3000 + urlpatterns.append(re_path(r"(?P^i/.*)", ProxyView.as_view(upstream="http://localhost:3000"))) + + if settings.TEST: # Used in posthog-js e2e tests