I have an Angular application that uses Django as a backend. The app allows logging in/out and uses CSRF tokens. Everything works.
BUT now I want to have a route in my Angular app that is accessible by anyone. This calls a Django REST view (APIView) from DRF.
The view has:

```python
from rest_framework.permissions import AllowAny
from rest_framework.views import APIView


class VisualiseAnnotationView(APIView):
    permission_classes = (AllowAny,)
```

No CSRF protection, no authentication, nothing.
It works from a browser in incognito mode. If I use normal browser mode, well, the cookies from the app are sent over to Django. This includes the CSRF token.
If it is valid, everything works. If it has expired, Django gives an authentication error, even when I haven't specified this.
How do I make Django ignore the CSRF token (even if provided) for this API view?