Samesite setting not being set on HttpOnly token delete

[aaonhub]

sorry if there's some standard I'm not following it's my first github issue submission

I don't know why but getting the token works fine but trying to delete it ignores the samesite setting.

My django settings (I tried commenting out the samesite setting but nothing changed):

GRAPHQL_JWT = {
    "JWT_COOKIE_SECURE": True,
    "JWT_COOKIE_SAMESITE": "None",

    # optional
    "JWT_LONG_RUNNING_REFRESH_TOKEN": True,
}

My apollo client HttpLink:

 const link = new HttpLink({
	uri: 'http://127.0.0.1:8000/',
	credentials: 'include',
 });

Token mutation

Deleting token mutation

[letops]

Can confirm. This same thing is happening to me, the only difference is that I am not using the Long Running Refresh Tokens

[aaonhub]

I feel like this a pretty major bug. Is nobody else having this problem?

[cadiente-jomel]

@aaonhub I'm having the same problem, did you already solve the problem?

[JamieOWilliams]

It looks like the method used to delete cookies simply ignores the samesite setting.

django-graphql-jwt/graphql_jwt/utils.py

Lines 139 to 144 in 704f24e

	def delete_cookie(response, key):
	response.delete_cookie(
	key,
	path=jwt_settings.JWT_COOKIE_PATH,
	domain=jwt_settings.JWT_COOKIE_DOMAIN,
	)

After a quick test the following change works:

def delete_cookie(response, key):
    kwargs = {
        "path": jwt_settings.JWT_COOKIE_PATH,
        "domain": jwt_settings.JWT_COOKIE_DOMAIN,
    }
    if django.VERSION >= (2, 1):
        kwargs["samesite"] = jwt_settings.JWT_COOKIE_SAMESITE

    response.delete_cookie(key, **kwargs)