10

I'm using Django Rest Framework and also django-rest-auth.

I've the standard API endpoints (/login, /logout, /registration...)

With my browser, I can login/list my users/logout. With Insomnia (a API requester), I can't login/logout, I've the error

"CSRF Failed: CSRF token missing or incorrect"

Maybe I need to add the CSRF header, but honestly I don't know where to find this CSRF token... Maybe I need to add some things (@csrf_protect ?) to login endpoint, but am I forced to rewrite completely the default view ?

Sabith
  • 1,628
  • 2
  • 20
  • 38
Isador
  • 121
  • 1
  • 1
  • 6

5 Answers5

20

Solution

You need to set the X-CSRFToken in the Header settings of Insomnia (https://support.insomnia.rest/article/49-cookies ).

  1. Go to Header Settings in Insomnia
  2. Add a new entry X-CSRFToken
  3. Search vor cookie, click on Request => Cookie
  4. Click again on Request => Cookie
  5. Type csrftoken into Cookie Name
  6. Click Done

and try it again.

How to solve "CSRF Failed: CSRF token missing or incorrect" with Django, Rest and Insomnia

Explanation

The CSRF Token is set by Django in the cookie. This is done within the first request to the server. Then the value of the cookie is send back to the server within the heaader as X-CSRF-Token.

You can see whats going on in the debugger of your browser (F12 in Chrome)

  1. csrftoken Cookie is set enter image description here

  2. csrftoken is send back as X-CSRF-Token to the server within the Request Header enter image description here

basti500
  • 600
  • 4
  • 20
2

Mentioning as an answer rather than a comment because of low reputation.

Adding an entry named X-CSRFTOKEN works. But for that to work, make sure you have some urls which don't require csrftoken and make a request. The solution will only work after making a successful request to the API, or else Insomnia doesn't get the token from the server and No cookies in store for URL error will appear.

ZephyRr Mahesh
  • 77
  • 5
1

In addition to @basti500's answer.

Using X-CSRFTOKEN instead of X-CSRFToken works with Django's default CSRF_HEADER_NAME which is HTTP_X_CSRFTOKEN.

That is:

  1. Go to Header tab in Insomnia
  2. Add a new entry X-CSRFTOKEN
  3. Search vor cookie, click on Request => Cookie
  4. Click again on Request => Cookie
  5. Type csrftoken into Cookie Name
  6. Click Done

Make sure to check if the CSRF_HEADER_NAME is set in Django's settings.py

David Parseen Maitoyo
  • 56
  • 5
0

basti500's answer worked for me. But it gave me a 405 Method Not Allowed

I had mistakenly added an / at the end of my endpoint, just removing it worked fine for me without any extra headers.

sm7
  • 53
  • 8
0

If you've wandered here but are just using Django for the web server and Insomnia (or Postman), here's how I got the CSRF Token

Create an endpoint:

from django.views.decorators.csrf import get_token

urlpatterns = [
    # ...other URL patterns...
    path('api/csrf-token/', get_token, name='api-csrf-token'),
]

Start your Django server and make a request to the /api/csrf-token/. This request will return the CSRF token in the response.

Copy the CSRF token from the cookie response.

In Insomnia:

Open your request in Insomnia or create a new request. Go to the "Headers" tab. Add a new header with the name "X-CSRFToken" and paste the CSRF token value as the header value. Send your request.

m1771vw
  • 703
  • 2
  • 11
  • 21