
Getting a CSRF error I can't figure out how to fix. I have rest auth working, and the user is able to update their details like so: [screenshot of the working /rest-auth/user/ request]

But with Django Comments I get this CSRF error using the same CSRF token. Error:

[screenshot of the CSRF error response]

I would like to get rid of this error on the /comments/post/ endpoint, such that this endpoint behaves similarly to the /rest-auth/user/ view, which accepts an "Authorization: Token 792b5fb27b4fe805e895c91274f26b6ab13cb654" header field to provide the relevant data to the authenticated user.

The following is an excerpt of the CSRF-related decorators on the respective views shown in the screenshots. From the /comments/post/ endpoint:

from django.views.decorators.csrf import csrf_protect
from django.views.decorators.http import require_POST

# Excerpt of django.contrib.comments' post_comment view (only the opening lines are shown).
@csrf_protect      # rejects the POST unless a valid CSRF token accompanies it
@require_POST      # GET/HEAD are refused outright
def post_comment(request, next=None, using=None):
    # Fill out some initial data fields from an authenticated user, if present
    data = request.POST.copy()
    if request.user.is_authenticated():
        if not data.get('name', ''):
            data["name"] = request.user.get_full_name() or request.user.get_username()
        if not data.get('email', ''):
            data["email"] = request.user.email
    # ... the rest of the view (form validation, signals, saving the comment) follows

From the /rest-auth/user/ endpoint:

from rest_framework.decorators import api_view, permission_classes
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response

# DRF function-based view: authentication comes from the Authorization header,
# and IsAuthenticated rejects anonymous callers. No csrf_protect here.
@api_view(['GET'])
@permission_classes((IsAuthenticated, ))
def get_user(request, **kwargs):
    pk = request.data['pk']

    user = MyUser.objects.get(pk=pk)
    serializers = UsersSerializer(user)
    return Response(serializers.data)
Anon957

3 Answers


You're using the wrong content type. Please change it into application/json and try again.

mariodev
  • Tried again using application/json still getting the same error: https://dl.dropboxusercontent.com/spa/mcc9m7zsju2myar/s_d20nvj.png – Anon957 Dec 15 '15 at 09:20
  • I have also tried toggling off the Referrer and Origin fields, still getting the error – Anon957 Dec 15 '15 at 09:22
  • OK, try cleaning up cookies or use Postman in incognito or something. You can also try turning off renderers, leaving only the JSON one. – mariodev Dec 15 '15 at 09:34
  • Tried that (clearing cookies) too, no luck: https://dl.dropboxusercontent.com/spa/mcc9m7zsju2myar/cfp9lks3.png I tried doing this in an external client like Paw to avoid anything wrong with cookies from Chrome https://dl.dropboxusercontent.com/spa/mcc9m7zsju2myar/fxvtdwrp.png getting the same error. – Anon957 Dec 15 '15 at 10:24

I think you are using django-rest-framework, which comes with the CSRF token exempt by default, but Postman is sending a CSRF token; that is why you are getting that error.

Cleaning the cookies might solve the problem.

  • Clearing cookies did not help, tried the same thing using Paw (another client for REST OSX) getting the same error: https://dl.dropboxusercontent.com/spa/mcc9m7zsju2myar/fxvtdwrp.png – Anon957 Dec 15 '15 at 10:26
  • This is what the /comments/post/ url points to: https://dl.dropboxusercontent.com/spa/mcc9m7zsju2myar/j-m31w9k.png It is my first project using these frameworks, but it does look like it uses csrf_protect; not sure how this is different from csrf_exempt. – Anon957 Dec 15 '15 at 10:29
  • It uses the csrf_protect decorator (https://docs.djangoproject.com/en/1.6/ref/contrib/csrf/#django.views.decorators.csrf.csrf_protect), which means the client is required to have a CSRF token to use the service. If you use the csrf_exempt decorator (https://docs.djangoproject.com/en/1.6/ref/contrib/csrf/#django.views.decorators.csrf.csrf_exempt) it will not require the token to use the service; try adding the decorator and it should work. The CSRF protection is there for a reason though; you can read more about it at https://docs.djangoproject.com/en/1.6/ref/contrib/csrf/#module-django.middleware.csrf – Fede Scuoteguazza Dec 15 '15 at 10:53
  • After I change csrf_protect to csrf_exempt it does not throw the error, but is this a correct thing to do? The comments.py file I edited is a file from the framework itself; am I right in assuming these files should not be edited (as they are correctly overridden otherwise by your project files)? – Anon957 Dec 15 '15 at 11:07
  • I didn't notice it was the django comments file. Yes, you shouldn't change that file. You will need to pass the CSRF token in as POST data with every POST request. In the Django docs there is an example of how to do it (https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/#ajax) – Fede Scuoteguazza Dec 15 '15 at 11:19
  • "pass the CSRF token in as POST data with every POST request" isn't that what I am doing in this pic, for example (https://dl.dropboxusercontent.com/spa/mcc9m7zsju2myar/fxvtdwrp.png)? Is it possible Django comments does not know about the right tokens in my project (comments are in a separate app from users, which contains the tokens and user details, but I assume Django can figure all of this out from the settings file where we have AUTH_USER_MODEL and the comments model specified)? – Anon957 Dec 15 '15 at 11:39
  • I'm not really sure what you are sending in that Authorization header; probably it's the authorization for logging the user in. For CSRF you have to set a custom X-CSRFToken header to the value of the CSRF token. It is detailed in the documentation I linked before. – Fede Scuoteguazza Dec 15 '15 at 12:14

The decorators for your endpoints are different, so you need to adjust the headers accordingly. For your /rest-auth/ view the WWW-Authenticate header is required, as mentioned here.

The comments view at the /comments/ endpoint has the csrf_protect decorator, which means that the header must match the CSRF token returned in the cookie. As Fede mentions, in your header you only require 'X-CSRFToken' with the matching value from the cookie.
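The thread ends on the same point twice (Fede's last comment and the answer above): the Authorization header authenticates the user, while csrf_protect wants a separate token that matches the csrftoken cookie, sent either as the csrfmiddlewaretoken form field or the X-CSRFToken header. The following is an added, runnable model of that double-submit check written for this page; it is not code from Django, django-rest-framework or the asker's project. It assumes the comparison of that era (submitted token equals the cookie value literally; Django 1.10 and later mask the token and compare after unmasking), and the auth token, cookie value and comment body are constructed placeholders.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Methods Django's CsrfViewMiddleware does not check (they are expected to be side-effect free).
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def issue_csrf_token() -> str:
    """Mint a fresh token; the server hands it to the client in the `csrftoken` cookie."""
    return secrets.token_hex(16)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def csrf_check(method: str, cookies: Dict[str, str], headers: Dict[str, str],
               form: Dict[str, str], csrf_exempt: bool = False) -> Tuple[bool, str]:
    """Model of the double-submit check behind @csrf_protect.

    Returns (accepted, reason). The submitted token may arrive as the
    `csrfmiddlewaretoken` form field or as the `X-CSRFToken` header; either way it
    must equal the `csrftoken` cookie. The Authorization header is never consulted:
    it says who the caller is, not that the request came from your own pages.
    """
    if csrf_exempt or method.upper() in SAFE_METHODS:
        return True, "no CSRF check for this request"
    cookie_token = cookies.get("csrftoken")
    if not cookie_token:
        return False, "CSRF cookie not set."
    submitted = form.get("csrfmiddlewaretoken") or _header(headers, "X-CSRFToken")
    # compare_digest keeps the comparison constant-time, as Django's check does.
    if not submitted or not hmac.compare_digest(cookie_token, submitted):
        return False, "CSRF token missing or incorrect."
    return True, "CSRF token matches cookie"


def client_headers(cookies: Dict[str, str], auth_token: str) -> Dict[str, str]:
    """Headers a REST client (Postman, Paw, fetch) must send to a csrf_protect'ed
    view while token-authenticated: the auth token AND the CSRF token copied
    out of the cookie jar. This is the adjustment the answer above describes."""
    return {
        "Authorization": f"Token {auth_token}",
        "X-CSRFToken": cookies["csrftoken"],
    }


def demo() -> Dict[str, bool]:
    """Run the scenarios from the question against the model; True means accepted."""
    cookies = {"csrftoken": issue_csrf_token()}   # what the server's Set-Cookie produced
    auth_token = "EXAMPLE-AUTH-TOKEN"             # constructed placeholder, not a real token
    comment = {"comment": "hello"}                # constructed POST body
    auth_only = {"Authorization": f"Token {auth_token}"}

    return {
        # The /rest-auth/user/ style GET never triggers the check.
        "get_with_auth_only": csrf_check("GET", cookies, auth_only, {})[0],
        # The failing case from the screenshots: POST with only the Authorization header.
        "post_with_auth_only": csrf_check("POST", cookies, auth_only, comment)[0],
        # The fix: add X-CSRFToken taken from the csrftoken cookie.
        "post_with_x_csrftoken": csrf_check("POST", cookies, client_headers(cookies, auth_token), comment)[0],
        # The same token delivered as the form field instead of the header also passes.
        "post_with_form_field": csrf_check("POST", cookies, {}, {**comment, "csrfmiddlewaretoken": cookies["csrftoken"]})[0],
        # A token that does not match the cookie is rejected even though it looks valid.
        "post_with_mismatched_token": csrf_check("POST", cookies, {"X-CSRFToken": issue_csrf_token()}, comment)[0],
        # What csrf_exempt does: the check is skipped rather than satisfied.
        "post_exempt_view": csrf_check("POST", cookies, {}, comment, csrf_exempt=True)[0],
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:28s} -> {'accepted' if accepted else 'rejected'}")
```

The scenario names follow the thread: the Authorization header alone is rejected on POST, adding X-CSRFToken with the cookie's value is accepted, and csrf_exempt "works" only because the check is skipped entirely, which is why editing the framework file removes the error along with the protection.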