Hello,
I’m working on a Django Project with a vue frontend.
The csrf middleware is set:
MIDDLEWARE = [
"django_prometheus.middleware.PrometheusBeforeMiddleware",
"config.middleware.MetricsMiddleware",
"django.middleware.security.SecurityMiddleware",
"corsheaders.middleware.CorsMiddleware",
"whitenoise.middleware.WhiteNoiseMiddleware",
"django.contrib.sessions.middleware.SessionMiddleware",
"django.middleware.locale.LocaleMiddleware",
"django.middleware.common.CommonMiddleware",
"django.middleware.csrf.CsrfViewMiddleware",
"django.contrib.auth.middleware.AuthenticationMiddleware",
"django.contrib.messages.middleware.MessageMiddleware",
"django.middleware.clickjacking.XFrameOptionsMiddleware",
"allauth.account.middleware.AccountMiddleware",
'm_ebs_backend.users.middleware.CurrentUserMiddleware',
'django_prometheus.middleware.PrometheusAfterMiddleware',
]
CSRF_COOKIE_HTTPONLY is False
CSRF_COOKIE_SECURE is True (runs on a server with https)
The cookie is used in frontend:
const headers = {
'X-CSRFToken': this.currentCsrfToken ?? '',
};
I’m using dj-rest-auth and the login as well as the user api call works fine, bun on logout I got this error. It can only b fixed by deleting the cookie and reload the page.
Here a few of my rest-auth settings:
AUTH_USER_MODEL = "users.User"
LOGIN_URL = 'rest_framework:login'
LOGOUT_URL = 'rest_framework:logout'
REST_AUTH = {
'LOGIN_SERIALIZER': 'dj_rest_auth.serializers.LoginSerializer',
'TOKEN_SERIALIZER': 'dj_rest_auth.serializers.TokenSerializer',
'JWT_SERIALIZER': 'dj_rest_auth.serializers.JWTSerializer',
'JWT_SERIALIZER_WITH_EXPIRATION': 'dj_rest_auth.serializers.JWTSerializerWithExpiration',
'JWT_TOKEN_CLAIMS_SERIALIZER': 'rest_framework_simplejwt.serializers.TokenObtainPairSerializer',
'USER_DETAILS_SERIALIZER': 'dj_rest_auth.serializers.UserDetailsSerializer',
'PASSWORD_RESET_SERIALIZER': 'dj_rest_auth.serializers.PasswordResetSerializer',
'PASSWORD_RESET_CONFIRM_SERIALIZER': 'dj_rest_auth.serializers.PasswordResetConfirmSerializer',
'PASSWORD_CHANGE_SERIALIZER': 'dj_rest_auth.serializers.PasswordChangeSerializer',
'REGISTER_SERIALIZER': 'dj_rest_auth.registration.serializers.RegisterSerializer',
'REGISTER_PERMISSION_CLASSES': ('rest_framework.permissions.AllowAny',),
'TOKEN_MODEL': 'rest_framework.authtoken.models.Token',
'TOKEN_CREATOR': 'dj_rest_auth.utils.default_create_token',
'PASSWORD_RESET_USE_SITES_DOMAIN': False,
'OLD_PASSWORD_FIELD_ENABLED': True,
'LOGOUT_ON_PASSWORD_CHANGE': True,
'SESSION_LOGIN': True,
}
I’ve been looking for a solution since weeks but without success. I would be very happy if someone can help, and I hope that I provided enough information. Otherwise, ask for more.