CSRF Exempt Failure - APIView csrf django rest framework

I have the following code:

The problem is that when I try to access user-login/ I get the error message: "CSRF Failed: CSRF cookie not set."

What can I do?

I am using django rest framework.

# urls.py:
# NOTE(review): DRF's APIView.as_view() already returns a csrf_exempt view.
# The "CSRF Failed" response comes from the check that SessionAuthentication
# runs itself, so this extra csrf_exempt() wrapper does not change the outcome.
url(r'^user-login/$', csrf_exempt(LoginView.as_view()), name='user-login'),

# views.py:
class LoginView(APIView):
    """ List all snippets, or create a new snippet. """
    # NOTE(review): the docstring above does not describe this view. As shown,
    # GET returns every Startup object and POST reads login profile fields.

    def get(self, request, format=None):
        # Serialize and return all Startup rows; no filtering is applied here.
        startups = Startup.objects.all()
        serializer = StartupSerializer(startups, many=True)
        return Response(serializer.data)

    def post(self, request, format=None):
        # request.POST only holds form-encoded bodies; a JSON body would not
        # appear here -- confirm the content type the client sends.
        profile = request.POST
        # Reject the request with 400 unless all three fields are present.
        if ('user_name' not in profile or
                'email_address' not in profile or
                'oauth_secret' not in profile):
            return Response(
                {'error': 'No data'},
                status=status.HTTP_400_BAD_REQUEST)
        # The username is the submitted name with a literal 'l' prefix.
        username = 'l' + profile['user_name']
        email_address = profile['email_address']
        oauth_secret = profile['oauth_secret']
        # NOTE(review): the client-supplied OAuth secret is reused as the
        # account password. The rest of the method is not shown in the
        # question, so how it is stored or compared cannot be confirmed here.
        password = oauth_secret
python django django-rest-framework
3 answers

I assume you are using Django REST framework's session backend (SessionAuthentication). This backend performs an implicit CSRF check of its own, which is why wrapping the view in csrf_exempt does not help.

You can avoid this:

 from rest_framework.authentication import SessionAuthentication


 class UnsafeSessionAuthentication(SessionAuthentication):
     """Session authentication that performs no CSRF check.

     Every view that lists this class in ``authentication_classes`` accepts
     session-cookie requests without a CSRF token. Keep it on the views that
     need it (such as a login endpoint) rather than making it a project-wide
     default.
     """

     def authenticate(self, request):
         """Return ``(user, None)`` for an active session user, else ``None``.

         The user is read from the underlying Django request. No CSRF
         validation happens on this path.
         """
         candidate = getattr(request._request, 'user', None)
         if candidate and candidate.is_active:
             return (candidate, None)
         return None

And set this as authentication_classes in your view

 class UnsafeLogin(APIView):
     """Login view that authenticates with UnsafeSessionAuthentication.

     POST reads the credentials from the ``u`` and ``p`` fields, logs the user
     in when they are valid, and redirects to "/" in either case.
     """
     permission_classes = (AllowAny,)  # maybe not needed in your case
     authentication_classes = (UnsafeSessionAuthentication,)

     def post(self, request, *args, **kwargs):
         # request.DATA is the DRF 2.x spelling; DRF 3.x exposes request.data.
         submitted = request.DATA
         account = authenticate(
             username=submitted.get("u"),
             password=submitted.get("p"),
         )
         if account is not None:
             login(request, account)
         # NOTE(review): the collapsed listing does not show this line's
         # indentation; it is placed at method level so every request gets a
         # response. A failed login is then indistinguishable from a
         # successful one for the client, since both redirect to "/".
         return redirect("/")

Actually, the best way to disable the CSRF check inside SessionAuthentication is to override enforce_csrf:

 from rest_framework.authentication import (
     SessionAuthentication as OriginalSessionAuthentication,
 )


 class SessionAuthentication(OriginalSessionAuthentication):
     """Session authentication with the CSRF check turned into a no-op.

     The subclass reuses the name ``SessionAuthentication``, so any module
     importing it in place of the DRF class loses CSRF enforcement for
     session-cookie requests without a visible change at the call site.
     Restrict it to the views that need it.
     """

     def enforce_csrf(self, request):
         """Skip CSRF validation: accept the request unconditionally."""
         return None

The easiest way to solve this problem:

DRF has two authentication methods that matter here (see the DRF authentication docs):

BasicAuthentication

SessionAuthentication (default)

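SessionAuthentication enforces a CSRF check, but BasicAuthentication does not. So my approach is to use BasicAuthentication in my view instead of SessionAuthentication. Note that BasicAuthentication sends the username and password with every request, so the API should only be reachable over HTTPS.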

 from rest_framework.authentication import BasicAuthentication


 class UserLogin(generics.CreateAPIView):
     """Create-style view that authenticates with HTTP Basic only.

     Session authentication is not listed for this view, so its CSRF check
     does not run here. Basic credentials travel with every request, so
     serve the endpoint over HTTPS only.
     """
     authentication_classes = (BasicAuthentication,)
     permission_classes = (permissions.AllowAny,)
     serializer_class = UserSerializer

     def post(self, request, *args, **kwargs):
         # Placeholder from the answer: always replies with an empty object
         # and does not use the serializer or the request data.
         empty_payload = {}
         return Response(empty_payload)
