cURL or wget with contrib.auth and CSRF
702 views
Skip to first unread message
David
Apr 14, 2011, 7:32:46 AM4/14/11
to Django users
Hello,
I am sorry for asking this, I know similar questions have been asked
before but I could not piece together the answer I needed from
previous contribution!
I have a view, for example:
@login_required
def clever_view(request):
#Render a PDF to a string
response = HttpResponse(content_type='application/pdf')
response.write(pdf_as_string)
return response
Now, in a browser, if I request http://my.host.name/clever_view.pdf I
get sent to the log in page, I log in, and I get my file. If I don't
log out I can later on request http://my.host.name/clever_view.pdf and
I get the file strait away. The browser handles the session and csrf
cookies perfectly.
For clarity, the login requires POST inputs 'username', 'password' and
the submit button is called 'submit'.
Now a client wants to use wget or curl to get the file:
wget http://my.host.name/clever_view.pdf
However, all I get are 403 even when I POST the username and password,
save the cookies and keep the session cookies.
So in short, how do I access a view when session and csrftoken cookies
are required.
If someone could show me an example of using curl or wget to access a
view that is not wrapped with @csrf_exempt but is wrapped with
@login_required I would be very grateful indeed.
Thanks in advance
Dave
I am sorry for asking this, I know similar questions have been asked
before but I could not piece together the answer I needed from
previous contribution!
I have a view, for example:
@login_required
def clever_view(request):
#Render a PDF to a string
response = HttpResponse(content_type='application/pdf')
response.write(pdf_as_string)
return response
Now, in a browser, if I request http://my.host.name/clever_view.pdf I
get sent to the log in page, I log in, and I get my file. If I don't
log out I can later on request http://my.host.name/clever_view.pdf and
I get the file strait away. The browser handles the session and csrf
cookies perfectly.
For clarity, the login requires POST inputs 'username', 'password' and
the submit button is called 'submit'.
Now a client wants to use wget or curl to get the file:
wget http://my.host.name/clever_view.pdf
However, all I get are 403 even when I POST the username and password,
save the cookies and keep the session cookies.
So in short, how do I access a view when session and csrftoken cookies
are required.
If someone could show me an example of using curl or wget to access a
view that is not wrapped with @csrf_exempt but is wrapped with
@login_required I would be very grateful indeed.
Thanks in advance
Dave
Shawn Milochik
Apr 14, 2011, 12:16:48 PM4/14/11
to django...@googlegroups.com
This isn't a Django question.
Check out the man pages for curl and wget -- both have the ability to
GET & POST and retain cookie data for future requests. You shouldn't
have to change anything in Django.
Kevin Trainor
Dec 4, 2014, 11:27:43 AM12/4/14
to django...@googlegroups.com, djspo...@googlemail.com
David,
I realize this was a long time ago, wondering if you ever got it working.
I'm battling the same dragon currently.
Step 1: seems to work
wget --save-cookies c:\cifs\cookies.txt --keep-session-cookies --no-check-certificate --http-user=myuser --http-password=mypass https://www.pdfstore.com/
which will save the session cookie allowing you to perform a second wget using the saved cookies
Step 2: Is where I'm getting an error "Error 400 not-valid csrf token"
wget --load-cookies c:\cifs\cookies.txt --no-check-certificate --no-parent --recursive https://www.pdfstore.com/pdfvault/?T&csrfToken=null
I'm inclined to think that wget cannot save csrf tokens in the same way it can session cookies. Wondering if you ever found a way out of this dragons den?
Not sure if it makes a diff but im running on windows7 going through a bluecoat proxy on the way out so using Unixutils as it allows me to set the proxy config.
Thanks,
Kevin
I realize this was a long time ago, wondering if you ever got it working.
I'm battling the same dragon currently.
Step 1: seems to work
wget --save-cookies c:\cifs\cookies.txt --keep-session-cookies --no-check-certificate --http-user=myuser --http-password=mypass https://www.pdfstore.com/
which will save the session cookie allowing you to perform a second wget using the saved cookies
Step 2: Is where I'm getting an error "Error 400 not-valid csrf token"
wget --load-cookies c:\cifs\cookies.txt --no-check-certificate --no-parent --recursive https://www.pdfstore.com/pdfvault/?T&csrfToken=null
I'm inclined to think that wget cannot save csrf tokens in the same way it can session cookies. Wondering if you ever found a way out of this dragons den?
Not sure if it makes a diff but im running on windows7 going through a bluecoat proxy on the way out so using Unixutils as it allows me to set the proxy config.
Thanks,
Kevin
Collin Anderson
Dec 5, 2014, 9:01:39 AM12/5/14
to django...@googlegroups.com, djspo...@googlemail.com
Hi David,
Collin
Reply all
Reply to author
Forward
0 new messages