CSRF Middleware and Piston


Samuel Baldwin

Jul 29, 2010, 6:00:44 PM7/29/10
to django...@googlegroups.com
Howdy. I'm trying to work on a django app with piston, and I have the
csrf middleware enabled, since it's useful for working with non-API
things. However, this causes issues when I try to authenticate with
OAuth, as my token/authorization requests are shot down by the CSRF
middleware, citing 'No CSRF or session cookie.' as the reason why I
get a 403. The full returned error is here: http://pastebin.se/201760

I've googled around a bit and it seems like similar problems have been
encountered, but the few purported fixes I've found have only yielded
the same error. When I disable the CSRF middleware in settings.py,
everything works perfectly fine.

I'm running piston tip (changeset: 276:dc0ee00d3bfc) with Django
1.2.1 and Python 2.6.5. Thanks!
--
Samuel Baldwin - logik.li

Rock

Jul 29, 2010, 7:51:46 PM7/29/10
to django-piston
If you use the standard auth and sessions apps from contrib with
Django 1.2 or later, then Django's CSRF mechanism can interfere with
attempts to POST or PUT to an API. The documented way to deal with
this is to decorate the view call with the "csrf_exempt" decorator,
but this approach is not always reliable.

The tested workaround that we recommend is to have the client add the
following HTTP header to all POST and PUT API calls:

-H "X-Requested-With:XMLHttpRequest"

Samuel Baldwin

Jul 29, 2010, 8:10:39 PM7/29/10
to django...@googlegroups.com
2010/7/29 Rock <rockm...@gmail.com>:

> attempts to POST or PUT to an API. The documented way to deal with
> this is to decorate the view call with the "csrf_exempt" decorator,
> but this approach is not always reliable.

See, this is the part that confuses me; what view call? Everything is
being handled in urls.py and handlers.py in my api/ directory. I'm a
newcomer to Django so I guess I must be missing something that goes on
under the hood.

> The tested workaround that we recommend is to have the client add the
> following HTTP header to all POST and PUT API calls:
>
> -H "X-Requested-With:XMLHttpRequest"

Roger that, thanks. What I've been doing is removing the middleware
and just using @csrf_protect decorators on the relevant non-API views,
but that has its issues as well.

Liam Kirsher

Jul 29, 2010, 8:18:42 PM7/29/10
to django...@googlegroups.com
I was also wondering about that. I was trying to get the autodocumentation feature working and couldn't figure out what the syntax for the resource_uri() method should be.
The rest of it works.

    @staticmethod
    def resource_uri():
        return ('?????', ['id'])

Any hints?

Rock

Jul 29, 2010, 8:26:20 PM7/29/10
to django-piston
"What view call?"

Good question. In fact one I have asked myself. Alexander turned me on
to the __call__ function in the Resource model.

I have had luck inheriting from Resource and writing my own __call__()
that does some work for every API call and then calls super() to
complete the process. This might be the correct place to put code to
disable CSRF or to specify the csrf_exempt decorator, but since the
workaround that I mentioned earlier in this thread is working for me,
I haven't explored that option yet.
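As an added illustration (not code from this thread, nor Django's or Piston's own source): a constructed, simplified model of the check order in Django 1.2's CsrfViewMiddleware, exercising the three outcomes discussed above: the "No CSRF or session cookie." rejection, the X-Requested-With header workaround, and a csrf_exempt flag carried by the Resource object that urls.py routes to (which is the "view call" in question). The `csrf_check` function, the `Resource` stand-in and the `CsrfExemptResource` subclass are all assumptions of this example.

```python
# Constructed stand-in for the decision order of Django 1.2's
# CsrfViewMiddleware.process_view. Plain Python, runs offline; not Django code.

REASON_NO_COOKIE = "No CSRF or session cookie."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."


def csrf_check(callback, method, headers, cookies, post):
    """Return None to accept the request, or the rejection reason (403)."""
    # 1. The exemption flag is read from the URLconf callback itself. For a
    #    Piston API that callback is the Resource instance, not a handler.
    if getattr(callback, "csrf_exempt", False):
        return None
    if method != "POST":  # Django 1.2 only enforced the check on POST
        return None
    # 2. Django 1.2 accepted AJAX-style requests outright; this is why the
    #    header workaround from the thread works. Later Django releases
    #    removed this exemption as a security fix, so do not rely on it.
    if headers.get("X-Requested-With") == "XMLHttpRequest":
        return None
    # 3. Otherwise the CSRF cookie must exist and match the submitted token.
    token = cookies.get("csrftoken")
    if token is None:
        return REASON_NO_COOKIE
    if post.get("csrfmiddlewaretoken", "") != token:
        return REASON_BAD_TOKEN
    return None


class Resource(object):
    """Stand-in for piston.resource.Resource: the callable urls.py maps to."""

    def __init__(self, handler):
        self.handler = handler

    def __call__(self, request):
        return "handled"


class CsrfExemptResource(Resource):
    """Exposes the exemption on the view callable, so the middleware sees it
    without decorating any handler method (hypothetical subclass)."""

    def __init__(self, handler):
        super(CsrfExemptResource, self).__init__(handler)
        self.csrf_exempt = getattr(handler, "csrf_exempt", True)
```

Exempting a whole Resource this way removes CSRF protection for every method that Resource serves, so it belongs only on endpoints authenticated by something other than the session cookie (such as the OAuth flow in this thread).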