4

I'm using Server: Django, Gunicorn, ngnix, postgresql

   Client: Chrome Advanced Rest Client

views.py

  from django.views.decorators.csrf import csrf_exempt, **ensure_csrf_cookie**  # Newly added
  from django.http import HttpResponse

  **@ensure_csrf_cookie**   # newly added
  def hello(request):
     return HttpResponse("Hello world")


  def hi(request):
     return HttpResponse("Hi World")

  def display_meta(request):
     values = request.META.items()
     values.sort()
     html = []
     for k, v in values:
       html.append('<tr><td>%s</td><td>%s</td></tr>' % (k, v))
     return HttpResponse('<table>%s</table>' % '\n'.join(html))

  def addUser(request):
    if request.method == 'POST':
    # Convert JSON to python objects and
    # store into the DB
    print 'Raw Json "%s"' % request.body
    #return HttpResponse("%s" %request.body)
    return HttpResponse("Thank God")

url.py

from django.conf.urls import patterns, include, url
from django.contrib import admin
from requests import hello, hi, addUser, display_meta

urlpatterns = patterns('',
    # Examples:
    # url(r'^$', 'testProject.views.home', name='home'),
    # url(r'^blog/', include('blog.urls')),
    url(r'^hello/$', hello),
    url(r'^hi/$', hi),
    url(r'^admin/', include(admin.site.urls)),
    url(r'^addPatient/$', addUser),
    url(r'^displaymeta/$', display_meta),
)

manage.py

# Application definition

INSTALLED_APPS = (
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'dbTransactions',
)

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
                                                              27,18         35%

From Advance Rest Client:

a) GET to hi works fine no error b) POST to addUser gives "CSRF verification failed. Request aborted"

What I tried:

  1. @csrf_exempt in views. - No change in the POST same error
  2. Putting X-CSRF-Token - in POST Header - No change in the POST same error

I would greatly appreciate help on this. I've already read:

tesla
  • 51
  • 1
  • 8
  • Can you show your frontend form? – rnevius May 10 '15 at 05:53
  • How do users authenticate with your service? You import the csrf_exempt decorator, but you are not using it - you could have a csrf_exempt GET view where you put the csrf token into the response: `request.META["CSRF_COOKIE_USED"] = True` and then catch it on the client side to send along with your POST request. – henrikstroem May 10 '15 at 08:31
  • @rnevius I dont any frontend form. I was thinking of using this service directly on my iOS app to POST the data. Please correct me if my understanding is flawed. – tesla May 10 '15 at 12:55
  • @henrikstroem I got CSRF token and I used same in my POST header with X-CSRF-Token:. POST still gives 403. Any thoughts? – tesla May 11 '15 at 02:02
  • @tesla Try updating the code in your example. – henrikstroem May 11 '15 at 07:15
  • @henrikstroem Updated the code above. So after this change in the Chrome browser I can see the CSRF_Token. I copied that in my POST request from Advanced Rest API client chrome. But same result. – tesla May 11 '15 at 12:03
  • @tesla Try see the last code snippet in the section here: https://docs.djangoproject.com/en/1.8/ref/csrf/#ajax - they show how you should insert the token. – henrikstroem May 11 '15 at 17:51
  • @henrikstroem thank for your continuous response I appreciate that. As mentioned in my answer below, issue was the way I was inserting the token in my PUT. Actually, X-CSRF-Token, X-csrftoken, csrftoken didnt work howerver, X-CSRFTOKEN worked. – tesla May 12 '15 at 03:21

1 Answers1

1

Thank you for the response. I learnt following things about CSRF, Django and Chrome Advanced Rest API Client.

a. CSRF - Cross Site Request Forgery is way to protect malicious transaction specially POST, PUT, DELETE on the authenticated connection between client and the server.

b. Django allows GET with CSRF token but it fails for any POST, PUT or DELETE.

c. To obtain CSRF token in the response for GET one can use @ensure_csrf_cookie which will make sure response has CSRF token.

d. For POST from Chrome's Advanced REST Client, one has to use X-CSRFTOKEN and token obtained from the response of the GET command.

tesla
  • 51
  • 1
  • 8