Wednesday, June 1, 2016

Re: Django API CSRF Issues - Need Help

Hi Chris,
You will have to pass csrf token in http request header while making request using AJAX
This can be done by adding following prior to your ajax request.

var csrftoken = $.cookie('csrftoken');
$.ajaxSetup({
    headers: { "X-CSRFToken": csrftoken }
});

On Saturday, May 21, 2016 at 7:06:15 AM UTC+5:30, Chris Troutner wrote:
Hey all,

This is my first time posting to the group. I'm working with Bob Hagan on the Network Resource Planning (NRP) project. The platform runs on Django and he's been using the REST API app to open up ports to some of the pieces of the software. Right now we're working on an interface for creating new users, which requires the passing of a CSRF token for authentication. I'm having a heck of a time and we can't figure out if the issue is something set up on the server or on my front end code. I'm hoping that the issue might be obvious to someone here. 

First of all, you can access the Django API code in the repository code here:

My front end code is written in JavaScript can be viewed in it's own repository here:

This video gives a visual overview of the user interface and the general issues I'm experiencing:


NRPUsersView.js is a Backbone.js View file. If that doesn't mean anything to you, that's OK. The important thing to notice is the three different ways I tried to access the API.
  1. I use JavaScript to fill out an HTML form. This is currently the only way that works at the moment.

  2. A typical AJAX POST submission

  3. A JavaScript Virtual Form using the FormData object.
Method 3 should be identical to method 1 as far as the server is concerned, but the HTTP headers are slightly different. Like I said, methods 2 and 3 are not working out. I've tweaked the code every which way and I always get a "403 FORBIDDEN Authentication credentials were not provided" message.

According to this Django documentation, there are three possible locations to put the CSRF token:
  1. In the document.cookie

  2. In the HTTP header preceded by "X-CSRFToken"

  3. And a hidden input field in the form

I've tried every combination of the three options for passing the CSRF token and haven't had any luck.


Has anyone had experience implementing this type of API authentication with Django before? Any help you can provide would be appreciated.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/d67a586f-61e4-4806-a0ac-c76cb3b96f1b%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

No comments:

Post a Comment