一个人如何忽略发送到Django的REST框架CSRF令牌? [英] How does one ignore CSRF tokens sent to Django REST Framework?
问题描述
我有利用智威汤逊身份验证的单页angularjs应用。由于JWTs与每一个请求发送,这似乎是多余的,我的形式使用CSRF令牌。为了禁用CSRF检查,我在settings.py中间件类注释掉django.middleware.csrf.CsrfViewMiddleware。这一切工作正常。
然而,当我使用Django管理面板,使用CSRF。这似乎是合理的,因为JWTs不保护管理页面。
当我登录到管理员,一个cookie设置包含CSRF令牌。当我尝试发布,同时登录到Admin会话从我angularjs应用程序REST端点,请求包含CSRF cookie,并且Django的REST后端拒绝了403的地位POST。如果我删除从我的浏览器设置并重新发布该cookie,它通过符合市场预期。
我无法配置我的应用程序设置CSRF饼干,但如何配置我的应用程序忽略CSRF的cookie,如果它是在同一个域设置另一个应用程序?我不能保证令牌不会被其他人,因为我不控制所有将在域中运行的应用程序的一些设置。
我使用的延长Django的REST框架viewsets基于类的意见。我试图通过装饰我的班,csrf_exempt来解决这个问题,但是这似乎并没有工作(仍然得到403响应)。我可能是做错了,或者是有,我错过了一些其他的解决办法?
下面是我的企图csrf_exempt:
类为accountList(generics.ListCreateAPIView):
serializer_class = serializers.AccountSerializer 高清get_queryset(个体经营):
返回models.Account.objects.all() @method_decorator(csrf_exempt)
高清讯(自我,* ARGS,** kwargs):
返回超(为accountList,个体经营).dispatch(* ARGS,** kwargs)
这听起来像你有 SessionAuthentication 启用,这是强制执行CSRF Django的REST框架的一部分基于Cookie的身份验证。由于使用的是智威汤逊,和你提到的所有页面使用智威汤逊进行身份验证,你应该能够只是从你的默认的认证类的列表中删除 SessionAuthentication 。
如果你真的需要它,你可以将它移动到缺省类的底部。因为它是检测的身份验证cookie和验证是成功的, SessionAuthentication 将失败,智威汤逊被选中了。
I have a single page angularjs application utilizing JWT authentication. Because JWTs are sent with every single request, it seems redundant to use CSRF tokens in my forms. In order to disable CSRF checking, I commented out 'django.middleware.csrf.CsrfViewMiddleware' in my settings.py middleware classes. This all works fine.
However, when I use the Django Admin panel, CSRF is used. This seems reasonable since JWTs don't protect the Admin pages.
When I log into Admin, a cookie is set containing the CSRF token. When I try to POST to REST endpoints from my angularjs app while logged into an Admin session, the requests contain the CSRF cookie, and the Django REST backend rejects the POST with a 403 status. If I delete the cookie from my browser settings and re-POST, it goes through as expected.
I can configure my app not to set CSRF cookies, but how do I configure my app to ignore the CSRF cookie if it was set by another app on the same domain? I can't guarantee that a token won't be set by something else as I don't control all of the apps that will be running on the domain.
I am using class-based views that extend viewsets in the Django REST Framework. I attempted to address this by decorating my classes with csrf_exempt, but this did not seem to work (still get 403 response). Could I be doing it wrong, or is there some other solution that I am missing?
Here is my attempt at csrf_exempt:
class AccountList(generics.ListCreateAPIView):
serializer_class = serializers.AccountSerializer
def get_queryset(self):
return models.Account.objects.all()
@method_decorator(csrf_exempt)
def dispatch(self, *args, **kwargs):
return super(AccountList, self).dispatch(*args, **kwargs)
It sounds like you have SessionAuthentication enabled, which is the part of Django REST Framework that enforces CSRF for cookie-based authentication. Since you are using JWT, and you mentioned that all pages use JWT for authentication, you should be able to just remove SessionAuthentication from your list of default authentication classes.
If you actually need it, you can just move it to the bottom of the default classes. Because it is detecting the authentication cookies, and authentication was successful, SessionAuthentication will fail before JWT is checked.
这篇关于一个人如何忽略发送到Django的REST框架CSRF令牌?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
