16

I'm using Postman to check the JSON response from my django-rest-framework.

When I first try to post id, email and password through the POST method to my Django on AWS (Amazon Web Services), it works well. It returned:

    {
        "key": "99def123123123123d88e15771e3a8b43e71f"
    }

But after the first try, in other words from the second try on, it returned

    {"detail":"CSRF Failed: CSRF token missing or incorrect."}

(Additional edit) My PuTTY terminal says "POST /rest-auth/login/ HTTP/1.1" 403 58

I saw http://kechengpuzi.com/q/s31108075, but it does not fit my case.

And from http://django-rest-framework.narkive.com/sCyJk3hM/authentication-ordering-token-vs-session, I can't find a solution that uses Postman.

  1. How can I use Postman appropriately?

  2. Or could you recommend other tools to use?

I'm making an Android application with Retrofit2, so I need tools to check the POST and GET methods and the responses.

H.fate
  • Did you mean you get different results between two requests without changing anything? – Windsooon Sep 04 '16 at 10:51
  • Yes, I post `{ "username": "thesamething", "email": "thesamething", "password": "thesamething" }` using the POST method in the first try and the other tries. When I use the POST method the same way on the given DRF HTML page that I copied from DRF (actually django-rest-auth), this error has not happened. But on Postman, it happened. – H.fate Sep 04 '16 at 11:16
  • Did you set the CSRF token in your request? – Windsooon Sep 04 '16 at 12:58
  • I put the headers `key : e0af91707f0434a1a2a7581dd3f4f48d3bdad717` or `Authorization : e0af91707f0434a1a2a7581dd3f4f48d3bdad717` or `Authorization : "key": "99def123123123123d88e15771e3a8b43e71f"` but it doesn't work. As you said, I think I'm wrong in using the header. What is the correct way of putting the authorization key? Where can I check it? – H.fate Sep 04 '16 at 13:48
  • Try setting the X-CSRFToken header in Postman with the received CSRF token (see https://stackoverflow.com/questions/26639169/csrf-failed-csrf-token-missing-or-incorrect/52782448) – Peter F Aug 05 '20 at 10:04

7 Answers

26

If using token-based authentication with DRF, don't forget to set it in settings.py. Otherwise you'll get a CSRF error:

    REST_FRAMEWORK = {
        'DEFAULT_AUTHENTICATION_CLASSES': [
            'rest_framework.authentication.TokenAuthentication',
        ]
    }
aris
14

I was facing the same problem with Postman. I was asked to include a CSRF token on every request after getting a token for the first time, so I realized that I had the Session and Token authentication methods enabled, and I commented out the SessionAuthentication line (of course, you could remove it as well):

    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.TokenAuthentication',
        # 'rest_framework.authentication.SessionAuthentication',
    ]

After that, I was able to request a token by using only my credentials, without including any CSRF code:

(screenshot: Successful token requests)

I think that having those two auth classes activated was causing Django to muddle up somehow.

desertnaut
Felipe
  • THANK YOU. Probably an edge case, but I ran into this issue when I was stripping out JWT token auth from an app and couldn't figure out the problem. – Tyk Dec 15 '21 at 16:45
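The two answers above both change which authentication class DRF consults, and the order matters because DRF walks `DEFAULT_AUTHENTICATION_CLASSES` in sequence and stops at the first class that either returns a user or raises. The following is an added, simplified Python model of that walk, not DRF's or Django's own code: the `SESSIONS`/`TOKENS` tables, the session value `sess-abc` and the `csrftoken` value are constructed, and plain string equality stands in for Django's real CSRF comparison. It reproduces the asker's second try, where Postman replays the `sessionid` cookie from the first login but sends the key under a header name DRF does not recognise.

```python
# Constructed server-side state: the session and the token a login view created.
SESSIONS = {"sess-abc": "thesamething"}
TOKENS = {"99def123123123123d88e15771e3a8b43e71f": "thesamething"}
CSRF_FAILED = "CSRF Failed: CSRF token missing or incorrect."


def session_auth(headers, cookies):
    """Session class: a logged-in session cookie triggers the CSRF check."""
    user = SESSIONS.get(cookies.get("sessionid"))
    if user is None:
        return None  # no live session: let the next class try
    cookie, header = cookies.get("csrftoken"), headers.get("X-CSRFToken")
    # Plain equality stands in for Django's masked-token comparison.
    if not cookie or header != cookie:
        raise PermissionError(CSRF_FAILED)  # DRF's PermissionDenied -> HTTP 403
    return user


def token_auth(headers, cookies):
    """Token class: needs 'Authorization: Token <key>'; CSRF is never checked."""
    parts = headers.get("Authorization", "").split()
    if len(parts) != 2 or parts[0] != "Token":
        return None  # header absent or named differently: let the next class try
    user = TOKENS.get(parts[1])
    if user is None:
        raise PermissionError("Invalid token.")
    return user


def outcome(classes, headers=None, cookies=None):
    """Walk the classes in order: the first user wins, an exception aborts.
    Returns the user name, None for anonymous, or the 403 message as a string."""
    headers, cookies = headers or {}, cookies or {}
    try:
        for cls in classes:
            user = cls(headers, cookies)
            if user is not None:
                return user
        return None
    except PermissionError as exc:
        return str(exc)


BOTH = [session_auth, token_auth]  # session class listed first
TOKEN_ONLY = [token_auth]          # the settings the two answers recommend
# The asker's second try: Postman replays the sessionid cookie from the first
# login, but the key travels under a made-up header name, so no token is seen.
SECOND_TRY = dict(headers={"key": "99def123123123123d88e15771e3a8b43e71f"},
                  cookies={"sessionid": "sess-abc", "csrftoken": "c" * 32})
# A correct Postman request for the token-only setup.
TOKEN_TRY = dict(headers={"Authorization": "Token 99def123123123123d88e15771e3a8b43e71f"},
                 cookies={"sessionid": "sess-abc"})
```

Note that with the session class listed first, a stored session cookie makes the CSRF check run and fail before a valid `Authorization: Token` header is ever looked at.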
8

Your API needs a CSRF token; you have to add the CSRF token to the request (and to Postman):

    data: { csrfmiddlewaretoken: csrf_token, "username": "thesamething", "email": "thesamething", "password": "thesamething" }

You can get the CSRF token from your form input field (you will find a hidden field if you use the Django built-in form API) or, if you use Ajax, you can have a look at Cross Site Request Forgery protection. It has nothing to do with your authorization key: your key is used to identify who you are, and the CSRF token is to make sure this request is sent from your server.

Windsooon
  • Do I have to add `data: { csrfmiddlewaretoken: csrf_token, "username": "thesamething", "email": "thesamething", "password": "thesamething" }` in Postman's Body? And not change anything in Headers? – H.fate Sep 04 '16 at 16:40
  • Try setting the X-CSRFToken header in Postman with the received CSRF token (see https://stackoverflow.com/a/26639895/8133649) – Peter F Aug 05 '20 at 10:05
6

For me the solution was to add the X-CSRFToken header in Postman (obtained from the initial login response in the browser).

See https://stackoverflow.com/a/26639895/8133649

Peter F
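The two answers above (a `csrfmiddlewaretoken` field in the body, or an `X-CSRFToken` header) both feed the same server-side check, and the value the browser shows in a form differs from the `csrftoken` cookie because Django masks it. The following is an added re-implementation of that masking and comparison written from the documented algorithm, not Django's own code; `mask()` takes an optional `mask_str` only so the example is deterministic, and all token values are constructed. It accepts both a masked 64-character token and a bare 32-character secret on either side, which covers Django 4.1+ (bare secret in the cookie) as well as older releases (cookie masked too).

```python
import hmac
import secrets
import string

# Alphabet and lengths used by Django's CSRF tokens.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits  # 62 characters
CSRF_SECRET_LENGTH = 32  # the bare secret
CSRF_TOKEN_LENGTH = 64   # a masked token: 32-char mask + 32-char cipher


def new_secret():
    """Random secret from the allowed alphabet, the value Django keeps per session."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask(secret, mask_str=None):
    """Mask a secret: emit a fresh random mask, then the secret shifted by it mod 62.
    mask_str is only passed explicitly here to make the result deterministic."""
    mask_str = mask_str or new_secret()
    idx = CSRF_ALLOWED_CHARS.index
    cipher = "".join(CSRF_ALLOWED_CHARS[(idx(s) + idx(m)) % 62]
                     for s, m in zip(secret, mask_str))
    return mask_str + cipher


def unmask(token):
    """Reverse mask(): the first 32 chars are the mask, the remaining 32 the cipher."""
    mask_str, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    idx = CSRF_ALLOWED_CHARS.index
    return "".join(CSRF_ALLOWED_CHARS[(idx(c) - idx(m)) % 62]
                   for c, m in zip(cipher, mask_str))


def _to_secret(value):
    """Accept a bare secret or a masked token; anything else is rejected."""
    if any(ch not in CSRF_ALLOWED_CHARS for ch in value):
        return None
    if len(value) == CSRF_TOKEN_LENGTH:
        return unmask(value)
    return value if len(value) == CSRF_SECRET_LENGTH else None


def token_matches(request_token, cookie_value):
    """The check behind 'CSRF token missing or incorrect': the X-CSRFToken header
    (or csrfmiddlewaretoken field) must unmask to the same secret as the cookie."""
    got, want = _to_secret(request_token), _to_secret(cookie_value)
    if got is None or want is None:
        return False
    return hmac.compare_digest(got, want)  # constant-time, as Django does
```

In Postman terms: the header value must come from the same session as the `csrftoken` cookie Postman stores, and a truncated or hand-typed value fails the length or charset check before any comparison happens.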
1

In the settings.py file:

    INSTALLED_APPS = [
    ...
    ...
    ...
    ...
    'rest_framework.authtoken',
    ...
    ]

    REST_FRAMEWORK = {
        'DEFAULT_AUTHENTICATION_CLASSES': (
            'rest_framework.authentication.TokenAuthentication',
        ),
    }

In the project urls.py:

    from django.urls import path
    from rest_framework.authtoken import views

    urlpatterns = [
        ....
        path('api-token-auth/', views.obtain_auth_token, name='api-token-auth'),
    ]

Open a terminal:

    $ pip3 install httpie
    $ python3 manage.py createsuperuser   # if not created yet
    $ http POST http://localhost:8000/api-token-auth/ username="username" password="password"
    # You will get a token key (just copy it), e.g. a243re43fdeg7r4rfgedwe89320

Your token key will also be saved automatically in your database.

Go to the Postman headers (like in the example; screenshot from Postman: where and how to paste the access token) and then insert your token key.

Reference for getting the token key: this video.

Shah Vipul
0

I changed the request method from POST to PATCH and I could log in.

0

You can either use `csrfmiddlewaretoken: csrf_token` in your JSON data, where csrf_token is a valid token, but in a situation where, including it, you are unable to provide a correct token, comment out or remove SessionAuthentication as below:

    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.TokenAuthentication',
        # 'rest_framework.authentication.SessionAuthentication',
    ]
Durodola Opemipo