DRF login security

I am developing an API that will be consumed by a mobile application.
The DRF’s documentation (Authentication - Django REST framework) says: “Warning: Always use Django’s standard login view when creating login pages. This will ensure your login views are properly protected.”

I have the following in a custom view:

from django.contrib.auth import authenticate, login

# ...
# Check the submitted credentials against the configured auth backends.
user = authenticate(username=data['username'], password=data['password'])
if user:
    # Attach the authenticated user to the current session.
    login(request, user)
    # ...

Is this insecure?

Hi Nanush,

The context around that message is that you should be using CSRF validation when using session authentication via AJAX.

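To make the reply concrete, here is an added example (not code from this thread, from Django or from DRF) that models in plain Python why session authentication on an AJAX endpoint needs a CSRF check: the browser attaches the session cookie to any request, including one triggered by another site, so an unsafe request is only accepted when it also carries a token that matches the CSRF cookie, which only the application's own script can read. The request/session objects and the session store are constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def session_user(request, sessions):
    """Resolve the user from the session cookie the browser sends automatically."""
    return sessions.get(request.cookies.get("sessionid"))


def csrf_ok(request):
    """Simplified double-submit check: the X-CSRFToken header must equal the
    csrftoken cookie. Safe (read-only) methods are exempt, as in Django."""
    if request.method in SAFE_METHODS:
        return True
    cookie = request.cookies.get("csrftoken", "")
    header = request.headers.get("X-CSRFToken", "")
    return bool(cookie) and hmac.compare_digest(cookie, header)


def authenticate_request(request, sessions):
    """Mirror the behaviour of DRF's SessionAuthentication: a request that is
    authenticated only by its session cookie is rejected on unsafe methods
    unless the CSRF check passes. Returns a short status string."""
    user = session_user(request, sessions)
    if user is None:
        return "anonymous"
    if not csrf_ok(request):
        return "csrf-rejected"
    return "authenticated:" + user


SESSIONS = {"s1": "nanush"}  # constructed session store: session id -> username


def demo():
    # A cross-site page can trigger this: session cookie present, no token header.
    forged = Request("POST", cookies={"sessionid": "s1", "csrftoken": "tok"})
    # The app's own JavaScript reads the csrftoken cookie and echoes it in a header.
    legit = Request("POST", cookies={"sessionid": "s1", "csrftoken": "tok"},
                    headers={"X-CSRFToken": "tok"})
    return authenticate_request(forged, SESSIONS), authenticate_request(legit, SESSIONS)
```

Token-based authentication (for example DRF's TokenAuthentication) does not rely on a cookie the browser sends on its own, which is why the CSRF concern in the reply is specific to session authentication.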