How do I disable csrf check when using Token Authentication?


adelein rodriguez

Sep 8, 2013, 5:26:03 PM
to django-res...@googlegroups.com
Hi all,

I can't figure out how to disable CSRF completely when using Token Authentication.

I have tried different variations to disable it like this:

from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt
from rest_framework.decorators import api_view

@api_view(['POST'])
@method_decorator(csrf_exempt)
def login(request):

...


The csrf middleware is disabled in my settings.py 

MIDDLEWARE_CLASSES = (
    #'django.contrib.sessions.middleware.SessionMiddleware',
    #'django.middleware.csrf.CsrfViewMiddleware',
    #'django.contrib.auth.middleware.AuthenticationMiddleware',
    #'django.contrib.messages.middleware.MessageMiddleware',
    'corsheaders.middleware.CorsMiddleware',
    'devao_boilerplate_api.lib.middleware.security.SecurityMiddleware'
)

Any ideas?

Thanks a million

~Adelein

Tom Christie

Sep 9, 2013, 3:53:58 AM
to django-res...@googlegroups.com
You won't need to. The CSRF checks will only run for session authenticated users.


--
You received this message because you are subscribed to the Google Groups "Django REST framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-rest-fram...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

adelein rodriguez

Sep 9, 2013, 9:49:01 PM
to django-res...@googlegroups.com
Hi Tom,

I see that TokenAuthentication.authenticate doesn't use the CSRF check, but I think my code is going through a different path; it is not calling the authenticate of TokenAuthentication, I checked.

However this is my settings.py :

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.TokenAuthentication',
    )
}

MIDDLEWARE_CLASSES = (
    'corsheaders.middleware.CorsMiddleware',
    'devao_boilerplate_api.lib.middleware.security.SecurityMiddleware'
)

I see my code is going through def process_view in csrf.py, so somehow the csrf middleware is still kicking in. 

I am using url(r'^api-token-auth/', 'rest_framework.authtoken.views.obtain_auth_token')


Do you know of any case where the CSRF check would kick in anyway?

Thanks,

Adelein



adelein rodriguez

Sep 9, 2013, 10:01:56 PM
to django-res...@googlegroups.com
I figured it out; it was my bad on the client side (JS), it was sending the wrong headers. Thanks a lot.
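The two points the thread settles (Tom's "CSRF checks will only run for session authenticated users" and Adelein's finding that a client sending the wrong header was what made the request fall onto the CSRF path) can be seen together in a small model of an authentication chain. This is an added illustration, not code from Django REST framework or from anyone in this thread: the classes and helpers below (Request, TokenAuthentication, SessionAuthentication, authenticate_request, outcome), the token and session tables, and the header and cookie names are constructed assumptions modelled on the behaviour described above, not the framework's own implementation.

```python
"""Model of an auth chain where only session auth enforces CSRF (constructed example)."""
from dataclasses import dataclass, field

# Constructed sample credential stores: one API token and one session id.
VALID_TOKENS = {"abc123": "adelein"}
VALID_SESSIONS = {"sess-42": "adelein"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (assumed shape, not Django's)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class TokenAuthentication:
    """Authenticates via 'Authorization: Token <key>' and never enforces CSRF:
    a cross-site form post cannot attach a custom Authorization header, so
    possession of the header is itself proof the request is not forged."""
    keyword = "Token"

    def authenticate(self, request):
        parts = request.headers.get("Authorization", "").split()
        if len(parts) != 2 or parts[0] != self.keyword:
            return None  # not our scheme (e.g. 'Bearer'): let the next class try
        user = VALID_TOKENS.get(parts[1])
        if user is None:
            raise PermissionError("invalid token")
        return user


class SessionAuthentication:
    """Authenticates via the session cookie, which the browser sends on its own,
    so unsafe methods additionally need a CSRF token that matches the cookie."""
    SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

    def authenticate(self, request):
        user = VALID_SESSIONS.get(request.cookies.get("sessionid"))
        if user is None:
            return None
        self.enforce_csrf(request)  # this is the only place CSRF is checked
        return user

    def enforce_csrf(self, request):
        if request.method in self.SAFE_METHODS:
            return
        cookie = request.cookies.get("csrftoken")
        header = request.headers.get("X-CSRFToken")
        if not cookie or cookie != header:
            raise PermissionError("CSRF check failed")


def authenticate_request(request, auth_classes):
    """Try each class in order; the first one that claims the request decides."""
    for cls in auth_classes:
        user = cls().authenticate(request)
        if user is not None:
            return user, cls.__name__
    return None, None


def outcome(request, auth_classes=(TokenAuthentication, SessionAuthentication)):
    """Summarise who the request authenticates as, and through which class."""
    try:
        user, via = authenticate_request(request, auth_classes)
    except PermissionError as exc:
        return f"denied: {exc}"
    return f"{user} via {via}" if user else "anonymous"


if __name__ == "__main__":
    # Correct client header: token auth claims the request, no CSRF involved.
    print(outcome(Request("POST", headers={"Authorization": "Token abc123"})))
    # Wrong scheme in the header while a session cookie is present: token auth
    # steps aside, session auth takes over and the CSRF check fires.
    print(outcome(Request("POST", headers={"Authorization": "Bearer abc123"},
                          cookies={"sessionid": "sess-42"})))
```

The second call is the situation from the last two messages: a client that sends the token under the wrong scheme is not "token authenticated" at all, so whether the CSRF check runs depends entirely on what other authentication classes are configured and what cookies the browser happens to send. Fixing the client header is the right remedy; disabling CSRF would have removed a protection that session-authenticated requests still need.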