Django Rest Framework 删除 csrf [英] Django Rest Framework remove csrf
问题描述
我知道有关于 Django Rest Framework 的答案,但我找不到解决我的问题的方法.
I know that there are answers regarding Django Rest Framework, but I couldn't find a solution to my problem.
我有一个具有身份验证和一些功能的应用程序.我向它添加了一个新应用程序,它使用 Django Rest Framework.我只想在这个应用程序中使用这个库.我也想发出 POST 请求,我总是收到这个响应:
I have an application which has authentication and some functionality. I added a new app to it, which uses Django Rest Framework. I want to use the library only in this app. Also I want to make POST request, and I always receive this response:
{
"detail": "CSRF Failed: CSRF token missing or incorrect."
}
我有以下代码:
# urls.py
from django.conf.urls import patterns, url
urlpatterns = patterns(
'api.views',
url(r'^object/$', views.Object.as_view()),
)
# views.py
from rest_framework.views import APIView
from rest_framework.response import Response
from django.views.decorators.csrf import csrf_exempt
class Object(APIView):
@csrf_exempt
def post(self, request, format=None):
return Response({'received data': request.data})
我想在不影响当前应用程序的情况下添加 API.所以我的问题是如何仅为此应用禁用 CSRF?
I want add the API without affecting the current application. So my questions is how can I disable CSRF only for this app ?
推荐答案
为什么会发生这个错误?
发生这种情况是因为 DRF 使用了默认的 SessionAuthentication 方案.DRF 的 SessionAuthentication 使用 Django 的会话框架进行身份验证,这需要检查 CSRF.
This is happening because of the default SessionAuthentication scheme used by DRF. DRF's SessionAuthentication uses Django's session framework for authentication which requires CSRF to be checked.
当您未在视图/视图集中定义任何 authentication_classes 时,DRF 使用此身份验证类作为默认值.
When you don't define any authentication_classes in your view/viewset, DRF uses this authentication classes as the default.
'DEFAULT_AUTHENTICATION_CLASSES'= (
'rest_framework.authentication.SessionAuthentication',
'rest_framework.authentication.BasicAuthentication'
),
由于 DRF 需要支持对相同视图的基于会话和非会话的身份验证,因此它仅对经过身份验证的用户强制执行 CSRF 检查.这意味着只有经过身份验证的请求才需要 CSRF 令牌,匿名请求可以在没有 CSRF 令牌的情况下发送.
Since DRF needs to support both session and non-session based authentication to the same views, it enforces CSRF check for only authenticated users. This means that only authenticated requests require CSRF tokens and anonymous requests may be sent without CSRF tokens.
如果您使用带有 SessionAuthentication 的 AJAX 样式 API,则需要为任何不安全"的 HTTP 方法调用包含有效的 CSRF 令牌,例如 PUT、PATCH、POST 或 DELETE请求.
If you're using an AJAX style API with SessionAuthentication, you'll need to include a valid CSRF token for any "unsafe" HTTP method calls, such as PUT, PATCH, POST or DELETE requests.
那怎么办?
现在要禁用 csrf 检查,您可以创建一个自定义身份验证类 CsrfExemptSessionAuthentication,它从默认的 SessionAuthentication 类扩展而来.在这个身份验证类中,我们将覆盖在实际 SessionAuthentication 中发生的 enforce_csrf() 检查.
Now to disable csrf check, you can create a custom authentication class CsrfExemptSessionAuthentication which extends from the default SessionAuthentication class. In this authentication class, we will override the enforce_csrf() check which was happening inside the actual SessionAuthentication.
from rest_framework.authentication import SessionAuthentication, BasicAuthentication
class CsrfExemptSessionAuthentication(SessionAuthentication):
def enforce_csrf(self, request):
return # To not perform the csrf check previously happening
在您看来,您可以将 authentication_classes 定义为:
In your view, then you can define the authentication_classes to be:
authentication_classes = (CsrfExemptSessionAuthentication, BasicAuthentication)
这应该处理 csrf 错误.
This should handle the csrf error.
这篇关于Django Rest Framework 删除 csrf的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
