6

My app uses django rest_framework and SessionAuthentication. I can log in successfully and have the session id and csrf token set in the cookie. However, POST requests still fail with a CSRF error.

  1. Log in with rest_framework BasicAuthentication; session id and csrf token are set in the cookie.
  2. Copy and paste the csrf token value into the POST request header with key "X-CSRFTOKEN" and the value from the cookie.
  3. django.middleware.csrf.CsrfViewMiddleware is in the middleware classes in settings.py.

I tested with Postman and got:

{"detail":"CSRF Failed: CSRF token missing or incorrect."}

from django.contrib.auth import login
from rest_framework.authentication import BasicAuthentication, SessionAuthentication
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response
from rest_framework.views import APIView


class ApiLoginView(APIView):
    # Basic auth only, so DRF does not enforce CSRF on this view
    authentication_classes = (BasicAuthentication,)
    permission_classes = (IsAuthenticated,)

    def post(self, request, *args, **kwargs):
        # use django.contrib.auth.login to create the session (sets sessionid)
        login(request, request.user)
        return Response("login success")


class ApiUserView(APIView):
    # Session auth: DRF runs Django's CSRF check on unsafe methods such as POST
    authentication_classes = (SessionAuthentication,)
    permission_classes = (IsAuthenticated,)

    def post(self, request):
        return Response("ApiUser Post Success")

  1. Is Postman the correct tool for testing? This seems to be a similar problem in Postman.

  2. Is there anything I am missing? And what are my options for testing django_rest_framework?

Sorry, this seems to be a common problem, but I cannot work it through after reading related posts.

5
  • Try clearing cookies! CSRF is exempt by default in DRF. But Postman includes the csrf token if it is found in Cookies, hence that error. Maybe clear cookies after login and make the post call. Also check with curl without csrf. It may work... Commented Jun 7, 2017 at 8:24
  • 1
    @RajaSimon DRF explicitly checks the CSRF token when using session authentication. If you don't use a token, DRF will certainly reject the request. Commented Jun 7, 2017 at 10:24
  • 2
    I had that problem a few days back. You need a valid referer. The error can be misleading sometimes. Commented Jun 7, 2017 at 19:31
  • @RajaSimon I removed the csrf token from the cookie and the POST request still doesn't work. To my understanding, DRF session authentication checks CSRF, and CSRF compares the value of the csrf token between the request header and the cookie value. We need the csrf token in both the cookie and the header to make it work. Is that correct? Commented Jun 8, 2017 at 2:44
  • @WilliamR.Marchand Thanks. How do I set the correct referer in Postman? Could you please share how to get around it in Postman or another API testing platform? Commented Jun 8, 2017 at 2:48

1 Answer

4

You can indeed use Postman to test Django Rest Framework using session authentication, and it would appear that the OP has ticked all the boxes. However, as a checklist, I offer this set of steps, which work for me.

When using DRF, Postman and Django session authentication you need to configure your Postman client as follows (note that the values for the X-CSRFToken and sessionid come from a cookie viewer in your browser: open the cookie viewer and copy out the values):

  1. Set the headers in Postman as follows (in this case it's a PATCH but it could as easily be a POST): (screenshot of the Postman headers)

  2. Again in Postman, set the Body to raw and insert the JSON data to be sent as follows (here I am changing the telephone number for the client):

    { "telefone": "42-42424242" }

  3. Set up a cookie called csrftoken and a cookie called sessionid. (screenshot of the Postman cookies)

The csrftoken cookie should have the same value as the X-CSRFToken header in step 1. (screenshot of the matching values)

With these three elements in place, and your DRF correctly configured, you should be good to go. In the DRF settings check that SessionAuthentication is included:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
    ),
    # ...
}
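The same three elements (sessionid cookie, csrftoken cookie, and a matching X-CSRFToken header, plus a Referer as the comments mention) scripted against the question's views with only the Python standard library. This is example code added here, not code from the question or from DRF; the /api/login/ and /api/user/ routes are assumed, and the cookie and header names are Django's defaults.

```python
import base64
import http.cookiejar
import json
import urllib.request

CSRF_COOKIE = "csrftoken"      # Django default CSRF_COOKIE_NAME
CSRF_HEADER = "X-CSRFToken"    # arrives in Django as HTTP_X_CSRFTOKEN
SESSION_COOKIE = "sessionid"   # Django default SESSION_COOKIE_NAME


def missing_cookies(cookies: dict) -> list:
    """Names of the cookies a session-authenticated POST cannot work without."""
    return [name for name in (CSRF_COOKIE, SESSION_COOKIE) if name not in cookies]


def csrf_headers(cookies: dict, referer: str) -> dict:
    """Headers DRF SessionAuthentication needs on an unsafe method (POST/PATCH).

    The X-CSRFToken header must carry the csrftoken cookie value, so an
    absent cookie is reported here instead of as a confusing 403 later.
    """
    missing = missing_cookies(cookies)
    if missing:
        raise ValueError(f"login did not set cookie(s): {', '.join(missing)}")
    return {
        CSRF_HEADER: cookies[CSRF_COOKIE],  # same value as the cookie
        "Referer": referer,                 # Django checks it on HTTPS requests
        "Content-Type": "application/json",
    }


def login_and_post(base_url: str, user: str, password: str, payload: dict) -> str:
    """Step 1: Basic-auth login creates the session cookies; steps 2-3: POST."""
    jar = http.cookiejar.CookieJar()   # the jar plays the role of Postman's cookie store
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    login_req = urllib.request.Request(   # hypothetical route for ApiLoginView
        f"{base_url}/api/login/", data=b"", method="POST",
        headers={"Authorization": f"Basic {creds}"})
    with opener.open(login_req):
        pass
    cookies = {c.name: c.value for c in jar}
    post_req = urllib.request.Request(    # hypothetical route for ApiUserView
        f"{base_url}/api/user/", data=json.dumps(payload).encode(),
        method="POST", headers=csrf_headers(cookies, referer=base_url + "/"))
    with opener.open(post_req) as resp:   # cookies are sent automatically
        return resp.read().decode()
```

Because the opener stores the cookies the login response sets and replays them on the POST, the csrftoken header and cookie always match, which is the comparison that fails when they are pasted by hand.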