Re: DjangoAuthorization() and HTTP/1.0 401 UNAUTHORIZED

[B]

If you're using Django Guardian, maybe you should look at the Permissions of the owner of the API Key you're using. Just to check that this is actually the source of the problem, try to give your user Superuser privileges from the admin and try again. 

On Wednesday, February 13, 2013 9:37:52 PM UTC+2, mspreitz wrote:

When trying to POST data to my tastypie api, I always get error code 401, even when using the Django admin account for authentication and authorization. My Django server is running as development server through "python manage.py runserver IP"

I'm using the latest master-branch of tastypie and Django 1.4.3

here are parts of my api.py

------------------------------------------------------------

class QueueResource(ModelResource):

    class Meta:

        queryset = Queue.objects.all()

        resource_name = 'queue'

        authentication = ApiKeyAuthentication()

        authorization = DjangoAuthorization()

        allowed_methods = ['get','patch','put','post']

    def prepend_urls(self):

        return [url(r"^(?P<resource_name>%s)/fail%s$" % (self._meta.resource_name, trailing_slash()), self.wrap_view('fail'), name="bot_api_fail"),]

    def fail(self, request, **kwargs):

        queueId = request.POST('qid')

        errorMessage = request.POST('msg')

------------------------------------------------------------------------

my curl command:

------------------------------------------------------------------------

curl --dump-header - -H "Authorization ApiKey USER:KEY" -H "Content-Type: application/json" -X POST --data '{"qid": "4", "msg": "An error occured!"}' http://IP/api/fail/

------------------------------------------------------------------------

the corresponding error message:

------------------------------------------------------------------------

HTTP/1.0 401 UNAUTHORIZED

Date: Wed, 13 Feb 2013 19:16:00 GMT

Server: WSGIServer/0.1 Python/2.7.3

X-Frame-Options: SAMEORIGIN

Content-Type: text/html; charset=utf-8

------------------------------------------------------------------------

Does anyone of you has an idea why I'm getting this error code?

[Greg McGuire]

Keep reading the rest of that method's source, and you'll see that POSTs (as well as other data-modifying requests) ARE supported, they just require additional checks to be allowed.  One of which is the presence of a valid CSRF token as Mr. Klasson describes.

https://github.com/toastdriven/django-tastypie/blob/master/tastypie/authentication.py#L251-272

Best,

Greg

And guess what I found, tastypie doesn't support HTTP POST on SessionAuthentication

[Pratik Mandrekar]

Just to clarify, the problem has been mentioned in the comment. This is the ticket pointing to the exact issue https://github.com/toastdriven/django-tastypie/issues/825#issuecomment-14852377. POST still doesn't work with SessionAuthentication even when you include the csrf token i the header.

As a workaround I am using https://github.com/amezcua/TastyPie-DjangoCookie-Auth/blob/master/DjangoCookieAuth.py for now.

Pratik Mandrekar

--
You received this message because you are subscribed to a topic in the Google Groups "Tastypie" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/django-tastypie/BoU5tsQZWOo/unsubscribe?hl=en-US.
To unsubscribe from this group and all its topics, send an email to django-tastyp...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

[Greg McGuire]

I am using SessionAuthentication and POST/PUT with tastypie's master branch right now without issue.

Are you certain you have the CSRF token correct?  If you can I'd suggest running in a debugger, or barring that add in some debug logging to SessionAuthentication.is_authenticated to see where your authentication is failing.

I think the problem mentioned in issue 825 is different, even though the symptom (an HTTP 401) is the same.  What Authorization class are you using?

Best,

Greg

[Pratik Mandrekar]

Thanks for the help. I haven't tried the master branch yet, just the latest on pypi. The CSRF token is correct but could you possibly share your client side code or an equivalent curl request so that I can check that my headers and everything are following the correct syntax?

I have tried different variants of

curl -b cookies.txt -H "Content-Type: application/json; Cookie: csrftoken=qaL5GolVstzsXeZ9BDVK7eXkomLZQLTu;" -d "{\"csrfmiddlewaretoken\":\"qaL5GolVstzsXeZ9BDVK7eXkomLZQLTu\",\"data\": \"Update From API\"}" --verbose http://localhost:8000/api/v1/<myresource>/

It works when authentication is anything else apart from SessionAuthentication. I'm using DjangoAuthorization but have tried with the no-op Authorization as well.

Pratik

[Pratik Mandrekar]

I pulled the latest from tastypie on github. Still same issue.

[Greg McGuire]

I'd suggest reading the Django docs first:

https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax

But in your curl example you'll want to add 

-H "X-CSRFToken: qaL5GolVstzsXeZ9BDVK7eXkomLZQLTu"

The token is not sent as part of your json data, it needs to be an HTTP header.

Best,

Greg

[Pratik Mandrekar]

Thanks. That indeed work. I had read the docs and was trying HTTP-X-CSRFToken. Should have been more careful since this is not a standard HTTP header. Thanks again!

Pratik

[Aaron Croyle]

Thanks this thread helped me find that I needed to add a header to the request, but why doesn't passing the CSRF token in the cookies work?

--Aaron

[Greg McGuire]

Aaron -

You should also read

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Double_Submit_Cookies

and

https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-it-works

Django's CSRF protection technique requires identical tokens in both a cookie and a form POST or HTTP header.  Since tastypie can't peek at the POST data without fouling up the deserialization, you are left with using the cookie + HTTP header.

Best,

Greg