Run django api from postman: CSRF verification failed

Question

I'm trying to run an api using postman. My application is developed in django 1.11.6 using python 3.5.

My app is installed on an ubuntu server. I have no login mechanism to create a csrf token.

These are the steps that I follow:

Click on "import" tab on the upper left side.
Select the Raw Text option and paste my cURL command.
Hit import and I have the command in your Postman builder
Press send button.

My curl command is:

curl -i -H 'Accept: application/json; indent=4' -X POST  https://127.0.0.1/users/:register/ -d "id=111&firstname=zinonas&yearofbirth=2007&lastname=Antoniou&othernames="

The error I get is Forbidden (403) - CSRF verification failed. Request aborted.

When I run the curl command via cygwin, it's working properly.

This is the view function that I'm using:

class ApiUserRegister(APIView):
    permission_classes = ()
    serializer_class = RegisterUserSerializer

    def post(self, request):
        serializer = RegisterUserSerializer(data=request.data)
        # Check format and unique constraint
        serializer.is_valid(raise_exception=True)
        data = serializer.data

        if User.objects.filter(id=data['id']).exists():
            user = User.objects.get(id=data['id'])
            is_new = "false"
            resp_status = status.HTTP_200_OK
        else:
            user = User.objects.create(id=data['id'],
                                       firstname=data['firstname'],
                                       yearofbirth=data['yearofbirth'],
                                       lastname=data['lastname'],
                                       othernames=data['othernames'])
            user.save()
            is_new = "true"
            resp_status = status.HTTP_201_CREATED
        resp = {"user": serializer.get_serialized(user),
                "isnew": is_new}
        return Response(resp, status=resp_status)

In settings.py I have:

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    ),
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.TokenAuthentication',
        'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
    )
}

@mohammedqudah It's a view to register a new user. I've added it to my question. — zinon, Oct 25 '17 at 07:22
In your curl command, your url does not look good as it contains `:`. — aquaman, Oct 25 '17 at 08:03
Also if you are requesting `https` you should use something like `curl -k ...` — aquaman, Oct 25 '17 at 08:07
is it remote api or you have access to settings file of api ? — Andriy Ivaneyko, Oct 25 '17 at 13:28
It's located in a server but I do have access to `settings.py` file. — zinon, Oct 25 '17 at 13:31

score 8 · Answer 1 · answered Oct 25 '17 at 12:15

8

Try this.

from django.views.decorators.csrf import csrf_exempt
class ApiUserRegister(APIView):
permission_classes = ()
serializer_class = RegisterUserSerializer

    @csrf_exempt
    def post(self, request):
        serializer = RegisterUserSerializer(data=request.data)

answered Oct 25 '17 at 12:15

SUP

349
1
2
11

Refer this. https://stackoverflow.com/questions/12174040/forbidden-403-csrf-verification-failed-request-aborted – SUP Oct 27 '17 at 07:34
I'm not using any template. – zinon Oct 27 '17 at 07:38

LennyLip · Answer 2 · 2018-11-21T06:12:19.610

6

To make AJAX requests, you need to include CSRF token in the HTTP header, as described in the Django documentation.

1st option

2nd option

edited Nov 21 '18 at 06:12

answered Oct 25 '17 at 07:32

LennyLip

1,683
19
19

I'm not using `jQuery`. I created an API to using via `android' app. – zinon Oct 25 '17 at 07:51
Can you please give me an example? – zinon Oct 25 '17 at 08:03
1. get csrftoken cookie with safe GET query (view can use ensure_csrf_cookie decorator) 2. use csrftoken in new POST query – LennyLip Oct 25 '17 at 08:06
1

The answer does not address Postman, which is a key part of the question. – Brian H. Nov 20 '18 at 18:26
This is about rest API. So, why bother about CSRF token? – Mohammed Shareef C Dec 24 '18 at 07:18
@MohammedShareefC yes, for android app we don't need CSRF, but https://security.stackexchange.com/questions/166724/should-i-use-csrf-protection-on-rest-api-endpoints – LennyLip Dec 24 '18 at 08:31

score 1 · Answer 3 · answered Nov 28 '21 at 19:15

1

simple just make sure to put as_view()

urlpatterns = [
    path('sign_up', views.SignUp.as_view()),
]

answered Nov 28 '21 at 19:15

Ahmed Safadi

4,402
37
33

score 1 · Answer 4 · answered Jul 04 '22 at 08:32

1

from django.views.decorators.csrf import csrf_exempt
from django.views.decorators.csrf import csrf_protect

@csrf_protect
@csrf_exempt
def home(request):

Add "@csrf_protect, @csrf_exempt" Before the method

answered Jul 04 '22 at 08:32

Jagdishwar

21
3

mohammedgqudah · Answer 5 · 2017-10-25T07:55:15.160

0

update your class to be like this

from braces.views import CsrfExemptMixin
class your_class(CsrfExemptMixin, ......yours_here)
   def post(...):
       [....]

this will tell django to allow requests without csrf

edited Oct 25 '17 at 07:55

answered Oct 25 '17 at 07:30

mohammedgqudah

568
4
15

Using this I get `name 'csrf_exempt' is not defined` error. – zinon Oct 25 '17 at 07:35
I get error `'function' object has no attribute 'as_view'`.In `urls.py` I have this line: `url(r':register/$', views.ApiUserRegister.as_view(), name='register-user')` – zinon Oct 25 '17 at 07:41
No I get the error `The keyword argument "name" must be the name of a method of the decorated class: . Got '' instead` – zinon Oct 25 '17 at 07:46
Unfortunately, no. I set `@method_decorator(csrf_exempt, name="post")` and now I get once again `Forbidden (403) CSRF verification failed. Request aborted.` – zinon Oct 25 '17 at 07:50
Is `braces` a module that I can install using `pip3`? – zinon Oct 25 '17 at 07:56
pip install django-braces – mohammedgqudah Oct 25 '17 at 07:57
Still no luck `CSRF verification failed. Request aborted.` – zinon Oct 25 '17 at 08:00
csrfExpemntMixin should be the first then ApiView – mohammedgqudah Oct 25 '17 at 08:01
Yes, that's what I did. – zinon Oct 25 '17 at 08:02
try adding *authentication_classes = []* to the class – mohammedgqudah Oct 25 '17 at 08:04

score 0 · Answer 6 · answered Apr 22 '20 at 04:04

Django sets csrftoken cookie on login. After logging in, we can see the csrf token from cookies in the Postman. (see image) CSRFtoken from cookies

We can grab this token and set it in headers manually. But this token has to be manually changed when it expires. This process becomes tedious to do it on an expiration basis.

Instead, we can use Postman scripting feature to extract the token from the cookie and set it to an environment variable. In Test section of the postman, add these lines.

var xsrfCookie = postman.getResponseCookie("csrftoken"); postman.setEnvironmentVariable('csrftoken', xsrfCookie.value);

This extracts csrf token and sets it to an environment variable called csrftoken in the current environment. Now in our requests, we can use this variable to set the header.(see image) Set {{csrftoken}} in your header

When the token expires, we just need to log in again and csrf token gets updated automatically.

Thanks to @chillaranand from hackernoon.com to original post

score -1 · Answer 7 · answered Dec 10 '18 at 10:38

-1

In urls file, try this:

urlpatterns = [
    url(r'^your_uri/', views.YourView.as_view()),
]

this will tell django to allow requests without csrf

answered Dec 10 '18 at 10:38

TrungVK

222
2
3

Run django api from postman: CSRF verification failed

7 Answers7

Linked