Extension demo (PR #2126)


Codecov Report

Attention: Patch coverage is 77.77778% with 4 lines in your changes missing coverage. Please review.

Project coverage is 74.87%. Comparing base (73d3a73) to head (81f2da3).
Report is 3 commits behind head on dev.

Additional details and impacted files
@@             Coverage Diff             @@
##              dev    #2126       +/-   ##
- Coverage   97.81%   74.87%   -22.95%     
  Files         156      160        +4     
  Lines       21734    21838      +104     
- Hits        21259    16351     -4908     
- Misses        475     5487     +5012     


With the current setup, static files appear like this in rendered HTML: <script src="/static/js/htmx.org@1.9.12.min.e69c8a6a4553.js"></script>

Serving static files on s3 makes it easier for the HTML rendered by our views to work on a different origin because the paths will be like this instead: <script src="https://ankihubfb.s3.amazonaws.com/static/js/htmx.org%401.9.12.min.js"></script>

This is also good for performance, generally: How to deploy static files | Django documentation | Django

CORS headers will only be added to responses for requests where

  • the URL matches `CORS_URLS_REGEX`
  • the origin matches `CORS_ALLOWED_ORIGIN_REGEXES`

The CSRF token is added here, as expected. However, it isn’t currently needed. Django doesn’t seem to check the CSRF token for views that use the @knox_token_or_login_required decorator. (at least I think it’s due to that decorator). We should probably fix this. I.e., make it so Django still applies CSRF checks for these views.

We could use something like this to solve this issue: https://github.com/ankipalace/ankihub/pull/2132

I’m not actually sure that what I said above is an issue because the csrf token is only used for unsafe methods. GET requests are considered safe: django/django/middleware/csrf.py at main · django/django · GitHub
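The two rules discussed above (CORS headers only when both `CORS_URLS_REGEX` and `CORS_ALLOWED_ORIGIN_REGEXES` match, and CSRF validation only for unsafe methods), written out as an added, dependency-free example that is not code from this PR or from django-cors-headers/Django; the settings values and the `https://extension.example` origin are constructed for the example.

```python
import re
from typing import Optional, Sequence

# Constructed settings mirroring the two django-cors-headers options named
# in the thread. The patterns below are assumptions for this example only.
CORS_URLS_REGEX = r"^/(static|api)/.*$"
CORS_ALLOWED_ORIGIN_REGEXES = [
    r"^https://extension\.example$",          # constructed client origin
    r"^https://[a-z0-9-]+\.ankihub\.example$",  # constructed wildcard origin
]

# Methods Django's CsrfViewMiddleware treats as "safe" (no token check).
CSRF_SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def cors_allow_origin(
    path: str,
    origin: Optional[str],
    urls_regex: str = CORS_URLS_REGEX,
    origin_regexes: Sequence[str] = CORS_ALLOWED_ORIGIN_REGEXES,
) -> Optional[str]:
    """Return the Access-Control-Allow-Origin value to emit, or None.

    Both conditions from the thread must hold: the request path matches
    urls_regex AND the Origin header matches one of origin_regexes.
    A request without an Origin header is same-origin, so no header is
    added; a non-matching origin gets none either, which is the
    allow-list behaviour a reviewer wants to confirm.
    """
    if origin is None or not re.match(urls_regex, path):
        return None
    if any(re.match(pattern, origin) for pattern in origin_regexes):
        return origin  # echo the exact origin, never "*" with credentials
    return None


def csrf_check_applies(method: str, csrf_exempt: bool = False) -> bool:
    """True when Django would validate the CSRF token for this request.

    Django skips the check for safe methods (GET etc.) and for views
    marked @csrf_exempt; everything else (POST, PUT, DELETE, ...) is
    checked, which is why a GET-only view never surfaces a CSRF failure.
    """
    return not csrf_exempt and method.upper() not in CSRF_SAFE_METHODS
```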

But we might need other types of requests (besides GET requests) somewhere on the AnkiHub AI views, right?

maybe, but I don’t think we’d need to do anything special. point is, I don’t think using knox_token_or_login_required was the cause of the csrf check being skipped.

Ok, but if we needed to make requests that typically use the CSRF token validation, that would be problematic if we don’t do anything (either the validation would be skipped or it would fail).

Any thoughts on https://github.com/ankipalace/ankihub/pull/2132 in general?

why would it be skipped or fail?

take a look at django allauth headless: