How to stop django from choking on expired csrf token?

petasis · November 9, 2023, 3:50pm

Hi all,

I have an angular application that uses django as a backend. The app allows to login/logout, and uses CSRF tokens. Everything works.

BUT, now, I want to have a route in my angular app, that is accessible by anyone. This calls a django rest view (APIView) from drf.
The view has:

class VisualiseAnnotationView(APIView):
    permission_classes = (AllowAny,)

No csrf protection, no authentication, nothing.

It works, from a browser in incognito mode. If I use normal browser mode, well the cookies from the app are send over to django. This includes the CSRF token.
If it is valid, everything works. If it has expired, django gives an authentication error, even when I haven’t specified this.

How to make django ignore the CSRF token (even if provided) for this API view?

KenWhitesell · November 9, 2023, 3:54pm

Check out the csrf_exempt decorator.

petasis · November 9, 2023, 6:00pm

I tried, but I don’t know how to use it in DRF APIViews.
I get an error.

petasis · November 10, 2023, 11:13am

I have added @method_decorator(csrf_exempt, name='dispatch'), and hope for the best.

(Just in case, I have added a server alias, so requests now come from a different host, so cookies of the previous host are not send…)

Topic		Replies	Views
[SOLVED] AllowAny override does not work on APIView Using Django	2	2599	September 19, 2021
CSRF protection for REST APIs Using Django	3	2141	December 1, 2021
How to authenticate using external endpoint Using Django	3	1229	April 22, 2021
Django and CORS Getting Started	8	12793	January 29, 2024
Security Best Practices for an API with DRF Using Django	2	1997	November 24, 2019

How to stop django from choking on expired csrf token?

Related Topics