
I set up a Contentful account for downloading videos, and it's returning 403 when I tried to add a webhook to an API in my Django REST project. I am new to both Django REST and Contentful.

http://my_server_id/testhook

I set up the hook and added my API URL, so it called my API when the event triggered. But all the time in Django REST it shows forbidden. What extra measures should I choose when integrating a webhook with Django REST?

qwertyui90

1 Answer


Your problem is probably because of the CSRF token; you should pass it in a header with a POST request:
`X-CSRFToken: value`
docs about csrf

As @Linovia said in a comment, `csrf_exempt` is already applied to a view, but because of the session there is still an explicit check.
Here is a nice answer about this problem:
Django Rest Framework remove csrf
In a nutshell, you could inherit from the `SessionAuthentication` class and override `enforce_csrf`.

```python
from rest_framework.authentication import BasicAuthentication, SessionAuthentication


class CsrfExemptSessionAuthentication(SessionAuthentication):
    """Session authentication with DRF's explicit CSRF check turned off."""

    def enforce_csrf(self, request):
        return  # To not perform the csrf check previously happening
```

Set it in a view or in a basic Django REST config:

```python
authentication_classes = (CsrfExemptSessionAuthentication, BasicAuthentication)
```
Ivan Semochkin
  • It is a random string, right? How will I know the value of the CSRF token that should be added in the webhook form? – qwertyui90 Feb 16 '17 at 08:54
  • @SkepticalGeek you can see that string in a response from a `GET` request to a server. In the case of a webhook you probably need to use `csrf_exempt` to prevent the CSRF check in a view. – Ivan Semochkin Feb 16 '17 at 08:58
  • Your answer is correct except `csrf_exempt` has no effect on Django REST framework because views are already exempted but DRF's session authentication does an explicit check. – Linovia Feb 16 '17 at 09:40
  • @Linovia thanks for the good point. I saw a good answer about `csrf` in session auth in DRF; I'll post it here – Ivan Semochkin Feb 16 '17 at 09:48
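
An alternative to overriding `enforce_csrf`, as an added example that is not part of the original answer or comments: a webhook endpoint is called by a machine, so it can drop session authentication entirely and authenticate the sender with a shared secret instead. It assumes the webhook sender can be configured to add a custom header; the header name `X-Webhook-Secret`, the environment variable `WEBHOOK_SECRET` and the `FakeRequest` helper are hypothetical names chosen here.

```python
import hmac
import os

try:
    from rest_framework.permissions import BasePermission
except Exception:  # DRF absent or Django unconfigured: keep the check runnable alone
    BasePermission = object

# Assumed names (not from the page): header and environment variable.
SECRET_META_KEY = "HTTP_X_WEBHOOK_SECRET"  # "X-Webhook-Secret" as Django exposes it in META
SECRET_ENV_VAR = "WEBHOOK_SECRET"


def secret_matches(presented, expected):
    """Constant-time comparison that fails closed when either value is empty."""
    if not expected or not presented:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


class HasWebhookSecret(BasePermission):
    """Allow the request only if it carries the shared webhook secret."""

    def has_permission(self, request, view):
        presented = request.META.get(SECRET_META_KEY, "")
        return secret_matches(presented, os.environ.get(SECRET_ENV_VAR, ""))


class FakeRequest:
    """Constructed stand-in for a Django request; only META is read."""

    def __init__(self, meta):
        self.META = meta


if __name__ == "__main__":
    os.environ[SECRET_ENV_VAR] = "constructed-sample-secret"
    good = FakeRequest({SECRET_META_KEY: "constructed-sample-secret"})
    print(HasWebhookSecret().has_permission(good, None))             # True
    print(HasWebhookSecret().has_permission(FakeRequest({}), None))  # False
```

On the webhook view, set `authentication_classes = []` and `permission_classes = [HasWebhookSecret]`; with no `SessionAuthentication` in the list, DRF performs no CSRF check on that endpoint, and other views keep their CSRF protection.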