CSRF失败:CSRF令牌丢失或不正确 [英] CSRF Failed: CSRF token missing or incorrect
问题描述
我创建了一个API,将我的一些JSON数据放在我的 settings.py
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES':('rest_framework permission.AllowAny',),
'DEFAULT_RENDERER_CLASSES':(
#'rest_framework.renderers.XMLRenderer',
'rest_framework.renderers.JSONRenderer',
#'rest_framework.renderers .BrowsableAPIRenderer',
)
}
当我进行GET调用给我所有的数据,但是当我尝试使用PUT / PATCH我得到:
--------响应标题---------
状态码:403
日期:Wed,29 Oct 2014 18:51:42 GMT
Vary:Cookie
服务器:WSGIServer / 0.1 Python / 2.7.8
允许:GET,POST,PUT,PATCH,HEAD,OPTIONS
X-Frame选项:SAMEORIGIN
内容类型:application / json
- --------------------------------
--------响应体-----------
{detail:CSRF失败:CSRF令牌丢失或不正确}
---------------------------------
只有当我登录时才会发生,如果我是匿名的,我可以正确地PUT / PATCH。
我尝试过与 @csrf_exempt ,我收到错误,我已经在设置中包含了 rest_framework.permissions.AllowAny / p>
我不知道发生了什么。有人知道问题是什么吗?
当您使用 SessionAuthentication ,您正在使用Django的身份验证,通常需要检查CSRF。 Django REST框架强制执行此操作,仅限于 SessionAuthentication ,因此必须在 X-CSRFToken 头文件中传递CSRF令牌。
Django文档提供有关使用jQuery检索CSRF令牌并在请求中发送CSRF令牌的更多信息。 CSRF令牌被保存为一个名为 csrftoken 的cookie,您可以从HTTP响应中检索,这取决于所使用的语言。
如果您无法检索CSRF cookie,通常是您不应该使用 SessionAuthentication 的标志。我建议您查看令牌认证或OAuth 2.0 ,具体取决于您的需要。
I'm using Django 1.7 and django-rest-framework.
I made an API that returns me some JSON data putting this in my settings.py
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES': ('rest_framework.permissions.AllowAny',),
'DEFAULT_RENDERER_CLASSES': (
# 'rest_framework.renderers.XMLRenderer',
'rest_framework.renderers.JSONRenderer',
# 'rest_framework.renderers.BrowsableAPIRenderer',
)
}
When I make GET calls, it returns me all the data, but when I try with PUT/PATCH I get:
--------Response Headers---------
Status Code: 403
Date: Wed, 29 Oct 2014 18:51:42 GMT
Vary: Cookie
Server: WSGIServer/0.1 Python/2.7.8
Allow: GET, POST, PUT, PATCH, HEAD, OPTIONS
X-Frame-Options: SAMEORIGIN
Content-Type: application/json
---------------------------------
--------Response Body-----------
{"detail": "CSRF Failed: CSRF token missing or incorrect."}
---------------------------------
This only happens when I am logged in, if I am anonymous I can PUT/PATCH correctly.
I have tried with @csrf_exempt and I got errors, I have included the rest_framework.permissions.AllowAny in the setting...
I have no idea what's going on. Does anyone know what the issue is?
When you are using SessionAuthentication, you are using Django's authentication which usually requires CSRF to be checked. Django REST Framework enforces this, only for SessionAuthentication, so you must pass the CSRF token in the X-CSRFToken header.
The Django documentation provides more information on retrieving the CSRF token using jQuery and sending it in requests. The CSRF token is saved as a cookie called csrftoken that you can retrieve from a HTTP response, which varies depending on the language that is being used.
If you cannot retrieve the CSRF cookie, this is usually a sign that you should not be using SessionAuthentication. I recommend looking into TokenAuthentication or OAuth 2.0 depending on your needs.
这篇关于CSRF失败:CSRF令牌丢失或不正确的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
