CSRF error when using rest_framework.authtoken.views.obtain._auth_token

Question

I am calling obtain.auth_token from urls as follows

url(r'^api-token/','rest_framework.authtoken.views.obtain_auth_token')

I get back

{
detail: "CSRF Failed: CSRF token missing or incorrect."
}

I am wondering why this happends as I was under the impression django-rest-framework was usualy CSRF exempt

Thanks

does this link help? https://groups.google.com/forum/?fromgroups#!topic/django-rest-framework/JCf4MwNtfwM — karthikr, Jun 15 '13 at 01:12

score 2 · Answer 1 · answered Jan 20 '14 at 01:52

2

That view uses a POST. DRF always requires CSRF for session-authenticated POST's.

Sensitive requests like getting an auth token should use POST for just this reason.

answered Jan 20 '14 at 01:52

paulmelnikow

score 2 · Answer 2 · answered Mar 25 '14 at 10:53

2

I had the exact same issue. Check if you have sign out of the browser.

answered Mar 25 '14 at 10:53

Ryu_hayabusa

I have had to sign out, and refresh login page, then works great. Thx! – Ronaldo Matos Aug 30 '21 at 02:13

score 2 · Answer 3 · answered Jan 27 '15 at 22:40

2

I just ran into this too. Adding an answer in case this was unclear to anyone else.

Make sure you're not requesting in a context where you're already signed in, e.g. from the browser (log out, try in incognito mode, or clear your cookies if you are).
Make sure you're actually using the api-token endpoint correctly. I was initially trying to use Basic Auth, assuming this token-generating view was protected, but DRF actually expects form data containing username and password fields instead.

Here's a working example using requests:

r = requests.post('http://example.com/api-token/'), data={
    'username': username,
    'password': password,
})
token = r.json()['token']

answered Jan 27 '15 at 22:40

Joe

1

Just for future reference: "Note that the default obtain_auth_token view explicitly uses JSON requests and responses, rather than using default renderer and parser classes in your settings. If you need a customized version of the obtain_auth_token view, you can do so by overriding the ObtainAuthToken view class, and using that in your url conf instead." at http://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication – MariusSiuram Jan 02 '16 at 09:48
@MariusSiuram Thanks for the heads up! – Joe Jan 02 '16 at 18:29

score 0 · Answer 4 · edited May 23 '17 at 10:29

0

... if you are using angularjs you can check it Django csrf token + Angularjs

edited May 23 '17 at 10:29

Community

answered Apr 06 '15 at 03:36

Javier Gutierrez

4 Answers4