Forbidden (403) CSRF verification failed. Request aborted. error while accessing API endpoint on postman

I have implemented my API with djoser, but when I try to access the route http://127.0.0.1:8000/auth/user/ to create a new user in Postman I receive the error Forbidden (403) CSRF verification failed. Request aborted. Here is a summary of my implementation.

SETTINGS file

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'corsheaders',
    'rest_framework',
    'djoser',
    'accounts',
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

AUTH_USER_MODEL = 'accounts.UserAccount'

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': ['rest_framework.permissions.IsAuthenticated'],
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication',
    ),
}

CORS_ALLOW_ALL_ORIGINS = True

DJOSER = {
    'LOGIN_FIELD' : 'email',
    'PASSWORD_RESET_CONFIRM_URL' : 'password-reset/{uid}/{token}',
    'USERNAME_RESET_CONFIRM_URL' : 'username-reset/{uid}/{token}',
    'SEND_ACTIVATION_EMAIL' : True,
    'SEND_CONFIRMATION_EMAIL' : True,
    'PASSWORD_CHANGED_EMAIL_CONFIRMATION' : True,
    'USERNAME_CHANGED_EMAIL_CONFIRMATION' : True,
    'ACTIVATION_URL' : 'activate/{uid}/{token}',
    'USER_CREATE_PASSWORD_RETYPE' : True,
    'SET_PASSWORD_RETYPE' : True,
    'PASSWORD_RESET_CONFIRM_RETYPE' : True,
    'USERNAME_RESET_CONFIRM_RETYPE' : True,
    'LOGOUT_ON_PASSWORD_CHANGE' : True,
    'SERIALIZERS' : {
        'user_create' : 'accounts.serializers.UserCreateSerializer',
        'user' : 'accounts.serializers.UserCreateSerializer',
        'user_delete' : 'djoser.serializers.UserDeleteSerializer',
    },
}

root urls.py


from django.urls import path, include, re_path
from django.views.generic import TemplateView

urlpatterns = [
    # path('admin/', admin.site.urls),
    path('auth/', include('djoser.urls')),
    path('auth/', include('djoser.urls.jwt')),
]

urlpatterns += [
    re_path(r'^.*', TemplateView.as_view(template_name='index.html'))
]

error on command prompt

Forbidden (CSRF cookie not set.): /auth/user/
[07/Sep/2023 13:51:15] "POST /auth/user/ HTTP/1.1" 403 2870

error on Postman (screenshot)

Anyone with an idea what I might be doing wrong? Thanks in advance.

Share its respective views and urls as well.

You need to do a GET to allow Django to create and send the csrftoken cookie before you can do a POST. Your first call to a Django site cannot be a csrf-protected POST.

Here is my urls.py


from django.urls import path, include, re_path
from django.views.generic import TemplateView

urlpatterns = [
    path('auth/', include('djoser.urls')),
    path('auth/', include('djoser.urls.jwt')),
]

urlpatterns += [
    re_path(r'^.*', TemplateView.as_view(template_name='index.html'))
]

My views.py is empty for now; I think djoser takes care of that?

But I cannot run GET on /auth/users/ because I should send data with the request.

Sure you can - without sending data.

Think about how normal form processing works with Django.

Your first request to a view retrieves the form, along with the csrfmiddlewaretoken as rendered by {% csrf_token %} and the csrftoken cookie.

Those are the data elements you need to be able to prepare for your post.

The subsequent request is the POST with the data to be submitted. It’s returning that data along with the form submission data.

It doesn’t matter whether you’re doing a traditional form POST or an AJAX-style JSON submission - the middleware doesn’t care about that.

Now, having said that, you don’t need to access the same url/view to get these elements. You could put together a simple view under a different url that you can use as the target for your initial GET. You could even write it to return the data as a JSONResponse to make it easier for your front-end to handle.

But either way, the initial GET is necessary to give you the cookie.

I solved it. I noticed that I was sending the request to http://127.0.0.1:8000/auth/user/ instead of http://127.0.0.1:8000/auth/users/. It worked. Thanks guys for your concern on my issue.
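The thread is worth tying together, because the two explanations are both right: Django's CsrfViewMiddleware refuses an unsafe request that carries no csrftoken cookie, and the request in the first post never reached djoser at all. `/auth/user/` (singular) matched nothing under `auth/`, so it fell through to the catch-all `re_path(r'^.*', TemplateView...)`, a plain Django view that the middleware protects. Django REST Framework wraps every APIView in `csrf_exempt` and enforces CSRF only through `SessionAuthentication`, so with `JWTAuthentication` alone a POST to the real `/auth/users/` endpoint needs no cookie. The stand-alone Python simulation below is an added example, not code from the thread, Django, DRF or djoser; it models the middleware's cookie-plus-header rule (assumption: unmasked tokens and the simplified reason string "CSRF token missing or incorrect."), the catch-all route, a csrf-exempt DRF-style view, and a cookie-jar client standing in for Postman. The 403 reason text for the cold POST is the one from the console log above.

```python
"""Toy model of Django's CsrfViewMiddleware and of how a DRF view with JWT auth
sidesteps it. Stand-alone simulation, not Django code (assumptions: one process,
no token masking, no Origin/Referer checks)."""
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    set_cookies: dict = field(default_factory=dict)


def csrf_check(request):
    """Middleware rule for unsafe methods: the csrftoken cookie must exist and
    the X-CSRFToken header must match it. Returns a 403 Response on failure,
    or None when the request may proceed."""
    if request.method in SAFE_METHODS:
        return None
    cookie = request.cookies.get("csrftoken")
    if cookie is None:
        return Response(403, "CSRF cookie not set.")  # the line in the console log
    if not secrets.compare_digest(cookie, request.headers.get("X-CSRFToken", "")):
        return Response(403, "CSRF token missing or incorrect.")  # simplified reason text
    return None


def template_view(request):
    """Stand-in for the catch-all TemplateView: a plain Django view, so the CSRF
    check applies. On GET it seeds the csrftoken cookie, as a page rendering
    {% csrf_token %} does; it implements no POST handler."""
    if request.method != "GET":
        return Response(405, "Method Not Allowed")
    token = request.cookies.get("csrftoken") or secrets.token_hex(16)
    return Response(200, "<html>index</html>", set_cookies={"csrftoken": token})


def djoser_users_view(request):
    """Stand-in for djoser's /auth/users/ endpoint (a DRF APIView)."""
    if request.method == "POST":
        return Response(201, '{"email": "new@example.com"}')  # constructed body
    return Response(200, "[]")


djoser_users_view.csrf_exempt = True  # DRF's APIView.as_view() applies csrf_exempt

ROUTES = [("/auth/users/", djoser_users_view)]


def resolve(path):
    """URL resolution: an exact route wins; anything else hits the catch-all."""
    for route, view in ROUTES:
        if path == route:
            return view
    return template_view


def app(request):
    """Pipeline: resolve, run the CSRF rule unless the view is csrf_exempt
    (exactly what CsrfViewMiddleware.process_view does), then call the view."""
    view = resolve(request.path)
    if not getattr(view, "csrf_exempt", False):
        denied = csrf_check(request)
        if denied:
            return denied
    return view(request)


class Client:
    """Cookie-jar client standing in for Postman."""

    def __init__(self, app):
        self.app, self.jar = app, {}

    def request(self, method, path, headers=None):
        resp = self.app(Request(method, path, dict(self.jar), dict(headers or {})))
        self.jar.update(resp.set_cookies)
        return resp


def run_scenarios():
    """Returns {name: (status, body)} for the situations discussed in the thread."""
    c = Client(app)
    out = {}
    # 1. the first post: mistyped path falls through to TemplateView, cold POST
    r = c.request("POST", "/auth/user/")
    out["typo_cold_post"] = (r.status, r.body)
    # 2. the advice: GET first to receive the cookie, then echo it in X-CSRFToken
    c.request("GET", "/")
    r = c.request("POST", "/auth/user/", {"X-CSRFToken": c.jar["csrftoken"]})
    out["typo_post_with_token"] = (r.status, r.body)  # CSRF passes; TemplateView has no POST
    # 3. a mismatched token is still refused
    r = c.request("POST", "/auth/user/", {"X-CSRFToken": "not-the-cookie"})
    out["typo_bad_token"] = (r.status, r.body)
    # 4. the real endpoint: csrf-exempt DRF view with JWT auth, works on a cold POST
    r = Client(app).request("POST", "/auth/users/")
    out["correct_path_cold_post"] = (r.status, r.body)
    return out


if __name__ == "__main__":
    for name, (status, body) in run_scenarios().items():
        print(f"{name:24s} -> {status} {body}")
```

The practical reading for anyone debugging a JWT-only API: a CSRF 403 on a route that should be served by DRF means the request was routed to a different, CSRF-protected view, and scenario 2 shows that supplying a token would only have changed the error to 405 here, since the catch-all view has no POST handler.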