4

My current setup is AngularJS + Django 1.5 and I have completely thrown away the use of Django's template engine (ie. the backend is pretty much an API server).

Since I am not using the csrf_token template tag, Django, in turn, does not set and send the csrftoken cookie in response. As instructed by the official docs, the ensure_csrf_cookie() decorator should be used to force the decorated view to send the csrftoken cookie.

I have applied the ensure_csrf_cookie() decorator to the view, which serves the first GET request that my web client calls at bootstrapping. With that, my web client gets a hold of the CSRF token and henceforth is allowed to call unsafe methods (ex. POST) to the server.

The above setup works fine only if the CSRF token remains the same until the browsing session ends.

Question: Does Django's CSRF token get updated during the course of a browsing session? If 'yes', does that mean I would need to apply the ensure_csrf_cookie() decorator to all the views I have?

tamakisquare
  • 16,659
  • 26
  • 88
  • 129
  • 1) not likely, but IMHO it is an implementation detail and I advice against relying on this behavior. 2) Just write a Mixin or a View base class decorated by `ensure_csrf_cookie()` and use it as the base for your API view (probably there is a lot of boilerplate code you can move there as well). – Paulo Scardine Dec 03 '13 at 21:24
  • Thx @PauloScardine. I agree with what you said. Would there be any security implications if the csrf token cookie is set for all server responses? – tamakisquare Dec 04 '13 at 00:11
  • AFAIK there is no security implication and frameworks like Django-REST-Framework do this - in fact you should consider it in the next project since it buys you things like pagination, throttling and a fancy permission system. – Paulo Scardine Dec 04 '13 at 12:12
  • @PauloScardine - LOL. I am using Django REST Framework for the current project. I love it. But I don't see that the rest_framework is forcing CSRF cookie in its base view (ie. APIView) nor any of its generic views. Am I missing something? Note that I have rest_framework v2.3.8. – tamakisquare Dec 04 '13 at 20:53
  • Do you have session-based authentication on? – Paulo Scardine Dec 05 '13 at 04:22
  • @PauloScardine - Yes, 'rest_framework.authentication.SessionAuthentication' is the only authentication scheme configured for my project. – tamakisquare Dec 05 '13 at 08:01
  • I have the same setup and it works for me by default (csrf token cookie is sent with every request), so I can't reproduce your problem. – Paulo Scardine Dec 06 '13 at 01:29
  • @PauloScardine - Does your API server serve HTML response, including BrowsableAPI, by any chance? By looking at the django source, it seems to be that the csrf cookie is automatically included only when `RequestContext` is used. My API server serves only JSON, so that explains why I have to manually force the inclusion of the cookie. – tamakisquare Dec 06 '13 at 02:35
  • bingo; I serve the app HTML from django, so the session cookies are there when Angular bootstraps. – Paulo Scardine Dec 06 '13 at 03:17
  • @PauloScardine - Mystery solved! It had been bugging my head. Thx for your responses. Post your original comment as an answer. I'll accept it. – tamakisquare Dec 06 '13 at 03:52

2 Answers2

5

1) Does Django's CSRF token get updated during the course of a browsing session?

Looks like the CSRF token is unique per session, but it is based in my observations, I have no "official" source. With Angular.js I use the following code without problems:

angular.module('app', ...)
  .config(function($httpProvider) {
    var cookies = document.cookie.split(';');
    var csrftoken = _.find(cookies, function(v) { 
                      return v.trim().indexOf('csrftoken=') == 0; 
                    });
    if(csrftoken) {
      $httpProvider.defaults.headers.common['X-CSRFToken'] = csrftoken.split('=')[1];
    }
  })

Since I serve the HTML from Django, by the time Angular bootstraps the cookie is already there.

2) If 'yes', does that mean I would need to apply the ensure_csrf_cookie() decorator to all the views I have?

You can try CORS instead if CSRF. Otto Yiu maintains the django-cors-headers package, which is known to work correctly with REST framework APIs.

Some (untested) ideas to apply ensure_csrf_cookie():

  • monkey-patch APIView
  • create a CSRFCookie mixin and add it to your views
  • apply ensure_csrf_cookie() to your base classes
Paulo Scardine
  • 73,447
  • 11
  • 124
  • 153
1

Giving support to the @Paulo Scardine ideas of applying the ensure_csrf_cookie() (which I consider valid, and useful), I would like to add a new one possible solution to it, if you definitely have to ensure_csrf_cookie() in all your views. You could write a custom middleware, and implement the logic that is there inside the ensure_csrf_cookie. Something like this:

On your app.middleware.py:

from django.middleware.csrf import get_token


class EnsureCsrfCookie(object):

    def process_request(self, request):
        # Forces process_response to send the cookie
        get_token(request)

and of courses on your settings file add the middleware to the MIDDLEWARE_CLASSES:

MIDDLEWARE_CLASSES = (
    .,
    .,
    .,
    'app.middleware.EnsureCsrfCookie',
    .,
    .,
    .,
)

It is just one idea more to face this problem. I hope it can be useful for somebody in the future.

Vladir Parrado Cruz
  • 2,301
  • 21
  • 27