From 12f8268cf727696db700c5792d597a391ef3491f Mon Sep 17 00:00:00 2001
From: Xavier Vello <xavier@posthog.com>
Date: Wed, 25 Oct 2023 18:37:48 +0200
Subject: [PATCH] remove middleware

---
 posthog/middleware.py   | 26 ++++++--------------------
 posthog/settings/web.py |  5 +----
 posthog/urls.py         |  5 +++++
 3 files changed, 12 insertions(+), 24 deletions(-)

diff --git a/posthog/middleware.py b/posthog/middleware.py
index f71d6fbc7bdb1..ee73a98ce4737 100644
--- a/posthog/middleware.py
+++ b/posthog/middleware.py
@@ -15,7 +15,6 @@
 from django.utils.cache import add_never_cache_headers
 from django_prometheus.middleware import Metrics, PrometheusAfterMiddleware, PrometheusBeforeMiddleware
 from rest_framework import status
-from revproxy.views import ProxyView
 from statshog.defaults.django import statsd
 
 from posthog.api.capture import get_event
@@ -27,7 +26,7 @@
 from posthog.metrics import LABEL_TEAM_ID
 from posthog.models import Action, Cohort, Dashboard, FeatureFlag, Insight, Team, User
 from posthog.rate_limit import DecideRateThrottle
-from posthog.settings import SITE_URL
+from posthog.settings import SITE_URL, DEBUG
 from posthog.settings.statsd import STATSD_HOST
 from posthog.user_permissions import UserPermissions
 from .auth import PersonalAPIKeyAuthentication
@@ -45,6 +44,9 @@
     "_health",
 ]
 
+if DEBUG:
+    ALWAYS_ALLOWED_ENDPOINTS.append("i")
+
 default_cookie_options = {
     "max_age": 365 * 24 * 60 * 60,  # one year
     "expires": None,
@@ -113,6 +115,8 @@ def process_view(self, request, callback, callback_args, callback_kwargs):
         # if super().process_view did not find a valid CSRF token, try looking for a personal API key
         if result is not None and PersonalAPIKeyAuthentication.find_key_with_source(request) is not None:
             return self._accept(request)
+        if DEBUG and request.path.split("/")[1] in ALWAYS_ALLOWED_ENDPOINTS:
+            return self._accept(request)
         return result
 
     def _accept(self, request):
@@ -319,24 +323,6 @@ def __call__(self, request: HttpRequest):
         return response
 
 
-# Used on local devenv to forward `/i/` to capture-rs on port 3000
-class CaptureRsProxy(ProxyView):
-    upstream = "http://localhost:3000"
-
-
-# Used on local devenv to forward `/i/` to capture-rs on port 3000
-class CaptureRsProxyMiddleware:
-    def __init__(self, get_response):
-        self.get_response = get_response
-        self.view = CaptureRsProxy.as_view()
-
-    def __call__(self, request: HttpRequest):
-        if request.path.startswith("/i/"):
-            return self.view(request, request.path.lstrip("/"))
-        else:
-            return self.get_response(request)
-
-
 class CaptureMiddleware:
     """
     Middleware to serve up capture responses. We specifically want to avoid
diff --git a/posthog/settings/web.py b/posthog/settings/web.py
index 591d6a58b95c8..c732c7a8e4314 100644
--- a/posthog/settings/web.py
+++ b/posthog/settings/web.py
@@ -113,10 +113,7 @@
     MIDDLEWARE.append("django_statsd.middleware.StatsdMiddlewareTimer")
 
 if DEBUG:
-    # Used on local devenv to forward `/i/` to capture-rs on port 3000,
-    # we short-circuit the whole middleware chain to avoid CSRF and auth errors,
-    # like CaptureMiddleware does.
-    MIDDLEWARE.insert(0, "posthog.middleware.CaptureRsProxyMiddleware")
+    # Used on local devenv to reverse-proxy all of /i/* to capture-rs on port 3000
     INSTALLED_APPS.append("revproxy")
 
 # Append Enterprise Edition as an app if available
diff --git a/posthog/urls.py b/posthog/urls.py
index 6bae5317165a2..68b45734d5377 100644
--- a/posthog/urls.py
+++ b/posthog/urls.py
@@ -8,6 +8,7 @@
 from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie, requires_csrf_token
 from django_prometheus.exports import ExportToDjangoView
 from drf_spectacular.views import SpectacularAPIView, SpectacularRedocView, SpectacularSwaggerView
+from revproxy.views import ProxyView
 from sentry_sdk import last_event_id
 from two_factor.urls import urlpatterns as tf_urls
 
@@ -176,6 +177,10 @@ def opt_slash_path(route: str, view: Callable, name: Optional[str] = None) -> UR
     # what we do.
     urlpatterns.append(path("_metrics", ExportToDjangoView))
 
+    # Reverse-proxy all of /i/* to capture-rs on port 3000
+    urlpatterns.append(re_path(r"(?P<path>^i/.*)", ProxyView.as_view(upstream="http://localhost:3000")))
+
+
 if settings.TEST:
 
     # Used in posthog-js e2e tests