Django API CSRF Issues - Need Help


Chris Troutner

May 21, 2016, 1:36:15 AM
to Django users
Hey all,

This is my first time posting to the group. I'm working with Bob Hagan on the Network Resource Planning (NRP) project. The platform runs on Django and he's been using the REST API app to open up ports to some of the pieces of the software. Right now we're working on an interface for creating new users, which requires the passing of a CSRF token for authentication. I'm having a heck of a time and we can't figure out if the issue is something set up on the server or on my front end code. I'm hoping that the issue might be obvious to someone here. 

First of all, you can access the Django API code in the repository code here:

My front end code is written in JavaScript and can be viewed in its own repository here:

This video gives a visual overview of the user interface and the general issues I'm experiencing:


NRPUsersView.js is a Backbone.js View file. If that doesn't mean anything to you, that's OK. The important thing to notice is the three different ways I tried to access the API.
  1. I use JavaScript to fill out an HTML form. This is currently the only way that works at the moment.

  2. A typical AJAX POST submission

  3. A JavaScript Virtual Form using the FormData object.
Method 3 should be identical to method 1 as far as the server is concerned, but the HTTP headers are slightly different. Like I said, methods 2 and 3 are not working out. I've tweaked the code every which way and I always get a "403 FORBIDDEN Authentication credentials were not provided" message.

According to this Django documentation, there are three possible locations to put the CSRF token:
  1. In the document.cookie

  2. In the HTTP header preceded by "X-CSRFToken"

  3. And a hidden input field in the form

I've tried every combination of the three options for passing the CSRF token and haven't had any luck.


Has anyone had experience implementing this type of API authentication with Django before? Any help you can provide would be appreciated.

Daniel Roseman

May 21, 2016, 9:16:17 AM
to Django users
There's something a bit confused here. CSRF is not for authentication, and has nothing to do with it at all; it's a method of preventing a certain class of hack that would permit an attacker to hijack a user's session credentials. It really can't be used to authenticate a user for your API; there are plenty of other token-based ways of doing this.
-- 
DR.

Chris Troutner

May 21, 2016, 2:09:04 PM
to Django users
Yes, you're right that there is something confusing going on. I confess I don't know much about CSRF or authentication or Django. Because of that, I'm sure I presented it in a confusing way. That's all Bob's side of the stuff. 

I'm just trying to get my front end JavaScript to interact with the Django server side API and the key to doing that is to pass in the CSRF token in a way that makes Django happy. So far, I haven't figured out how to do that.

-Chris

François Schiettecatte

May 21, 2016, 2:30:58 PM
to django...@googlegroups.com
Is this what you are looking for:

https://docs.djangoproject.com/en/1.9/ref/csrf/

François

Chris Troutner

May 21, 2016, 2:39:03 PM
to Django users
I linked to that page in the original posting. That page describes what we're trying to do, but there seems to be a disconnect between what is specified and what is actually happening. As near as I can tell, I have satisfied the CSRF requirements documented on that page, but I still can't seem to get anything other than a 403 error.

bobhaugen

May 21, 2016, 3:25:06 PM
to Django users
Chris, I understood you were logged into the django system when you tried these posts. Correct? I thought that would cover authentication thru DRF. But I am also a noob to Javascript client post -> DRF server.

Chris Troutner

May 21, 2016, 3:31:51 PM
to django...@googlegroups.com
I was logged in yes, but I also noticed that when I tried to get the cookie from the CMS side, it would retrieve a different CSRF token, as though I wasn't logged in. Hence the copy and paste I showed in the video.

I'm trying to get this cookie plugin integrated into my code. Maybe it will have better luck at retrieving the CSRF token for my logged in user.


Chris Troutner

May 21, 2016, 3:55:27 PM
to django...@googlegroups.com
Yep, no luck. I got the cookie plugin integrated, but it didn't make any difference. The problem isn't with the retrieval of the CSRF token, it's with the submission.

If you bring up this code:

https://github.com/christroutner/rpiovn/blob/unstable/public/js/app/views/NRPUsersView.js
And scroll down to the approveUser function, you can see a section marked in comments labeled VIRTUAL FORM. I'm doing the same xhr.setRequestHeader('X-CSRFToken', csrftoken); instruction as in François' example. The POST submission still results in a 403 Forbidden error.

Michal Petrucha

May 21, 2016, 4:05:06 PM
to django...@googlegroups.com
On Sat, May 21, 2016 at 08:55:04AM -0700, Chris Troutner wrote:
> Yep, no luck. I got the cookie plugin integrated, but it didn't make any
> difference. The problem isn't with the *retrieval* of the CSRF token, it's
> with the *submission*.
>
> If you bring up this code:
> https://github.com/christroutner/rpiovn/blob/unstable/public/js/app/views/NRPUsersView.js
>
> And scroll down to the approveUser function, you can see a section marked
> in comments labeled VIRTUAL FORM. I'm doing the same
> xhr.setRequestHeader('X-CSRFToken',
> csrftoken); instruction in Francois' example. The POST submission still
> results in a 403 Forbidden error.

Hi Chris,

Could you perhaps post the full error message you receive with the 403
error? The one you posted in the initial post seems to indicate it's
not a CSRF error at all...

On Fri, May 20, 2016 at 06:34:42PM -0700, Chris Troutner wrote:
> I've tweaked the code every which way and I always get
> a "403 FORBIDDEN Authentication credentials were not provided" message.

This message would mean that you haven't provided any authentication
token, session cookie, or whatever other method your API uses for user
authentication. In case of a CSRF error, you'd get something like one
of the following:

REASON_NO_CSRF_COOKIE = "CSRF cookie not set."
REASON_BAD_TOKEN = "CSRF token missing or incorrect."

Good luck,

Michal

Chris Troutner

May 21, 2016, 4:44:24 PM
to django...@googlegroups.com, Bob Haugen
That's really interesting. Hmm...

Thanks for the feedback.


Neeraj Gahlot

Jun 1, 2016, 1:30:31 PM
to Django users
Hi Chris,
You will have to pass the CSRF token in the HTTP request header when making a request using AJAX.
This can be done by adding the following prior to your AJAX request.

// requires the jquery.cookie plugin for $.cookie; Django's csrftoken cookie is readable by JS
var csrftoken = $.cookie('csrftoken');
// send the token as the X-CSRFToken header on every subsequent jQuery AJAX request
$.ajaxSetup({
    headers: { "X-CSRFToken": csrftoken }
});
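A request helper and a 403 classifier covering the two points raised above (Michal's observation that "Authentication credentials were not provided" is DRF's not-authenticated message rather than a CSRF failure, and Neeraj's X-CSRFToken header), as an added example that is not code from this thread or from the NRP project. The cookie string and response bodies it is used with are constructed, and the same-origin assumption is marked in the code.

```javascript
// Added example, not code from the thread or the NRP project. It reads Django's
// csrftoken cookie, builds the X-CSRFToken header for an AJAX POST, and tells a
// DRF "not authenticated" 403 apart from a CSRF 403 by the response text.
// Cookie strings and response bodies passed to it are constructed test inputs.

// Same parsing as the getCookie helper in the Django CSRF docs, but taking the
// cookie string as a parameter so it runs outside a browser.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const cookie = part.trim();
    if (cookie.startsWith(name + '=')) {
      return decodeURIComponent(cookie.slice(name.length + 1));
    }
  }
  return null;
}

// Django checks X-CSRFToken only on unsafe methods (POST, PUT, PATCH, DELETE).
// The session cookie is HttpOnly, so JavaScript can neither read nor set it:
// it only travels when the request is same-origin, or cross-origin with
// credentials: 'include' and a matching CORS setup on the server.
function csrfRequestInit(method, body, cookieString) {
  const token = getCookie('csrftoken', cookieString);
  if (token === null) {
    throw new Error('csrftoken cookie missing: load a Django page first');
  }
  return {
    method,
    body,
    credentials: 'same-origin',      // assumption: API served from same origin
    headers: { 'X-CSRFToken': token },
  };
}

// Classify a 403 body. DRF answers {"detail": "..."} (for CSRF failures the
// detail carries Django's REASON_* text); Django's own CSRF middleware answers
// an HTML page containing the same REASON_* string.
function classify403(body) {
  const text = typeof body === 'string' ? body : (body.detail || '');
  if (text.includes('Authentication credentials were not provided')) {
    return 'not-authenticated';  // session cookie/token never reached DRF
  }
  if (text.includes('CSRF cookie not set') ||
      text.includes('CSRF token missing or incorrect')) {
    return 'csrf';               // cookie/header pair rejected by Django
  }
  return 'other';
}
```

Passing the object from csrfRequestInit to fetch(url, init) is the whole client side; if the result is still "not-authenticated", the session cookie is not reaching the API and no amount of CSRF tweaking will change that.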