1

I have an endpoint which is supposed to work like an API:

/reset/<ID>

This will be called via ajax/angular from a separate client (CORS issues already addressed).

Now, if I just publish the endpoint in urls.py, I get an error:

403 Forbidden
CSRF verification failed. Request aborted.

The reasons are clear to me.

So I investigated and found this @csrf_exempt decorator. With it, it works...but is it ok to do it like this? The request does not follow a request-response cycle, the client may send this reset at any time - so I would not know how to send the X-CSRF-Token header to the client...so maybe in the end it's the only way to go?

transient_loop
    How do you authenticate the client? A CSRF token protects against abuse of the information that is sent on each request by a user or browser agent, such as a cookie that contains the user's session id. If you don't use any such information, you can safely use `@csrf_exempt`. – knbk Oct 19 '15 at 21:07
  • This will be used for resetting the password only, and comes with a login code which is valid one time only. Thus there can't be a real authentication...the ID is supposed to be unique and not guessable....really copy pasting from other's solutions.... – transient_loop Oct 20 '15 at 01:08
  • @knbk if you like you can provide your comment as an answer, and I will accept it. Your comment actually opened my eyes as to how to correctly do it, which has nothing to do with csrf_exempt, but with having a proper API :) thanks. – transient_loop Oct 21 '15 at 03:18

1 Answer

1

It depends on how you authenticate the user. A CSRF token protects against abuse of information that is sent on each request by a user or browser agent, such as a cookie that contains the user's session id. If you don't use any such information, you can safely use @csrf_exempt.

knbk
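The situation the answer and the comments describe, as an added example that is not part of the question or the answer: a framework-agnostic Python sketch of the logic behind `/reset/<ID>`, where the only credential is the unguessable, single-use, expiring code carried in the request itself and no cookie or session is consulted, which is exactly the case in which `@csrf_exempt` costs nothing. `ResetCodeStore`, `handle_reset` and the in-memory dict are constructed for illustration; in Django this logic would sit inside the decorated view, with the codes stored (hashed) in the database.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed example: reset codes live in memory here; a real deployment
# would persist them (hashed) in the database, but the checks are the same.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class ResetCode:
    user_id: int
    expires_at: float


@dataclass
class ResetCodeStore:
    codes: dict = field(default_factory=dict)

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        """Mint an unguessable one-time reset ID (256 bits from the OS CSPRNG)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.codes[token] = ResetCode(user_id, now + TOKEN_TTL_SECONDS)
        return token

    def consume(self, presented: str, now: Optional[float] = None) -> Optional[int]:
        """Return the user_id if `presented` is a live, unused code, else None.
        The code is removed on first use whether or not the reset succeeds, and
        every stored token is compared with compare_digest so the lookup does
        not leak, via timing, how much of a guess matched."""
        now = time.time() if now is None else now
        if not presented.isascii():  # compare_digest on str needs ASCII input
            return None
        match = None
        for token, record in self.codes.items():
            if hmac.compare_digest(token, presented):
                match = (token, record)
        if match is None:
            return None
        token, record = match
        del self.codes[token]  # single use: a second presentation fails
        return None if now > record.expires_at else record.user_id


def handle_reset(store: ResetCodeStore, reset_id: str,
                 now: Optional[float] = None) -> Tuple[int, str]:
    """Logic behind `/reset/<ID>`. No cookie or session is read, so a forged
    cross-site request gains nothing beyond what knowing the ID already gives."""
    user_id = store.consume(reset_id, now)
    if user_id is None:
        return 404, "invalid or expired reset code"
    return 200, f"reset accepted for user {user_id}"
```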