5

I have a backend API, it's in django and deployed on Google Endpoint. I have a post request that insert data to my DB.

I created a script to use this endpoint but I got this error:

{"detail":"CSRF Failed: Referer checking failed - no Referer."}

Regarding over posts I added the crsf_exempt decorator to my class but it did not change.
I try to add the decorator two ways:

class AddUser(APIView):
    """ Create user and company from csv """

    @method_decorator(csrf_exempt)
    def post(self, request):


@method_decorator(csrf_exempt, name='dispatch')
class AddUser(APIView):
    """ Create user and company from csv """

    def post(self, request):

But both failed.

This is how I contact my endpoint:

resp = requests.request(
    method, url,
    headers={'Authorization': 'Bearer {}'.format(
        open_id_connect_token)}, **kwargs)

Any ideas ? Thanks

EDIT

So I tried to add authentication classes to my views but it appears to be a bad idea. This is being real trouble for me.

I tried to get the csrftoken doing like this:

        client = requests.session()
        # Retrieve the CSRF token first
        client.get(url)  # sets cookie
        print(client.cookies)
        if 'csrftoken' in client.cookies:
            # Django 1.6 and up
            csrftoken = client.cookies['csrftoken']
        else:
            # older versions
            csrftoken = client.cookies

Thing is, I am using IAP to protect my API and I do not have any csrftoken cookie but I do have a something looking like this:

<RequestsCookieJar[<Cookie GCP_IAP_XSRF_NONCE_Q0sNuY-M83380ypJogZscg=1 for ...

How can I use this to make post request to my API ?

Kimor
  • 532
  • 4
  • 17

3 Answers3

2

So this happened to me because I did not set any authentication_classes to my generic view.
When this option is not set Django automatically use the SessionBackend, which need the csrf token.
I fixed it by adding this to my view: authentication_classes = [ModelBackend, GoogleOAuth2]

Sicco
  • 6,167
  • 5
  • 45
  • 61
Kimor
  • 532
  • 4
  • 17
0

@Kimor - Can you try doing this in your urls.py

 from django.views.decorators.csrf import csrf_exempt

url('^test/$', csrf_exempt(views.TestView.as_view())),

The get and post methods defined on the APIView class just tell DRF how the actual view should behave, but the view method that the Django router expects is not actually instantiated until you call TestView.as_view().

  • source

Django REST Framework CSRF Failed: CSRF cookie not set

SDRJ
  • 532
  • 3
  • 11
  • 1
    I have two endpoints and I did this on my path: path('my-path', csrf_exempt(AddUser.as_view()), name='my-path'), But the error is still happening – Kimor Feb 16 '21 at 15:54
0

So after working on this project for a while this is what I learned regarding the CSRF using Django.

First of all, if you are using django templates, or in any cases where your back-end and front-end are running behind the same server the most common practice is to use session for authentication. This is activated by default by DRF.
This means that in your DRF configuration if you do not explicitly set the DEFAULT_AUTHENTICATION_CLASSES option default authentication will be set to Session + BasicAuth.
In this configuration you'll need to manage the CSRF token as described in the documentation (https://docs.djangoproject.com/en/4.0/ref/csrf/).

If your back-end and front-end are separated as in my case, using CSRF is not the only solution or even the recommended one. As in my case I use JWT behind IAP (Identity Aware Proxy, provided by google). I had to write my own authentication classes and then use it in my DRF conf:

REST_FRAMEWORK = {

    'DEFAULT_AUTHENTICATION_CLASSES': [
      'main.authentication_backend.custom_auth.IAPAuthentication'],
    ...

}

Here is explain how to write your own authentication class: https://www.django-rest-framework.org/api-guide/authentication/#custom-authentication.

Kimor
  • 532
  • 4
  • 17