How to stop Django from choking on an expired CSRF token?

Hi all,

I have an Angular application that uses Django as a backend. The app allows login/logout and uses CSRF tokens. Everything works.

BUT now I want to have a route in my Angular app that is accessible by anyone. This calls a Django REST view (APIView) from DRF.
The view has:

from rest_framework.permissions import AllowAny
from rest_framework.views import APIView

class VisualiseAnnotationView(APIView):
    permission_classes = (AllowAny,)  # anyone may call this view

No csrf protection, no authentication, nothing.

It works from a browser in incognito mode. If I use normal browser mode, well, the cookies from the app are sent over to Django. This includes the CSRF token.
If it is valid, everything works. If it has expired, Django gives an authentication error, even though I haven't specified this.

How do I make Django ignore the CSRF token (even if provided) for this API view?

Check out the csrf_exempt decorator.

I tried, but I don’t know how to use it in DRF APIViews.
I get an error.

I have added @method_decorator(csrf_exempt, name='dispatch'), and hope for the best.

(Just in case, I have added a server alias, so requests now come from a different host, so cookies of the previous host are not sent…)
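Added example, not code from the thread: the behaviour the question describes comes from DRF's default SessionAuthentication, not from the view's permission classes. An APIView authenticates first and only then checks permissions; when the browser sends a valid session cookie, SessionAuthentication identifies the user and enforces the CSRF check on unsafe methods before AllowAny is ever consulted, so a stale X-CSRFToken header turns into a 403 "CSRF Failed". The model below reproduces that order and Django's token masking scheme so the mismatch can be exercised offline; the Request class, the session store, the cookie values and the function names are constructed for the example and are not DRF's API.

```python
# Added example: model of the APIView decision order (authenticate, then permit)
# and of Django's CSRF token masking. Session store, Request and names are
# constructed for illustration; they are not rest_framework classes.
import secrets
import string

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


class CsrfFailed(Exception):
    """Stands in for DRF's PermissionDenied('CSRF Failed: ...')."""


def mask_token(secret: str) -> str:
    """Django-style masking: random mask prefix plus secret shifted by the mask."""
    chars = CSRF_ALLOWED_CHARS
    mask = "".join(secrets.choice(chars) for _ in range(CSRF_SECRET_LENGTH))
    pairs = zip((chars.index(x) for x in secret), (chars.index(x) for x in mask))
    return mask + "".join(chars[(x + y) % len(chars)] for x, y in pairs)


def unmask_token(token: str) -> str:
    """Accept a bare 32-char secret (cookie) or a 64-char masked token (header)."""
    chars = CSRF_ALLOWED_CHARS
    if len(token) not in (32, 64) or any(c not in chars for c in token):
        raise CsrfFailed("CSRF token has incorrect length or characters")
    if len(token) == CSRF_SECRET_LENGTH:
        return token
    mask, body = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    pairs = zip((chars.index(x) for x in body), (chars.index(x) for x in mask))
    return "".join(chars[x - y] for x, y in pairs)  # negative index wraps around


class Request:
    """Constructed stand-in for the parts of a Django request the check reads."""
    def __init__(self, method, cookies=None, headers=None):
        self.method = method
        self.cookies = cookies or {}
        self.headers = headers or {}


class SessionAuthentication:
    """Model of rest_framework's SessionAuthentication: if the session cookie
    names a user, CSRF is enforced before any permission class runs."""
    def __init__(self, sessions):
        self.sessions = sessions  # constructed store: sessionid -> username

    def authenticate(self, request):
        user = self.sessions.get(request.cookies.get("sessionid"))
        if user is None:
            return None             # anonymous: no CSRF check, fall through
        self.enforce_csrf(request)  # raises CsrfFailed on mismatch
        return user

    def enforce_csrf(self, request):
        if request.method in SAFE_METHODS:
            return
        cookie = request.cookies.get("csrftoken")
        header = request.headers.get("X-CSRFToken")
        if not cookie or not header:
            raise CsrfFailed("CSRF cookie or X-CSRFToken header not set")
        if unmask_token(cookie) != unmask_token(header):
            raise CsrfFailed("CSRF token from the X-CSRFToken header incorrect")


def dispatch(request, authentication_classes, allow_any=True):
    """Same order as APIView.initial(): run authenticators, then permissions."""
    user = None
    try:
        for authenticator in authentication_classes:
            user = authenticator.authenticate(request)
            if user is not None:
                break
    except CsrfFailed as exc:
        return 403, f"CSRF Failed: {exc}"
    if not allow_any and user is None:
        return 403, "Authentication credentials were not provided."
    return 200, f"ok ({user or 'anonymous'})"


def demo():
    sessions = {"s3ss10n": "alice"}              # constructed session store
    current = CSRF_ALLOWED_CHARS[:32]            # constructed: secret in the cookie now
    stale = CSRF_ALLOWED_CHARS[-32:]             # constructed: secret the SPA still holds
    logged_in_stale = Request(
        "POST",
        cookies={"sessionid": "s3ss10n", "csrftoken": current},
        headers={"X-CSRFToken": mask_token(stale)},
    )
    print(dispatch(logged_in_stale, (SessionAuthentication(sessions),)))
    print(dispatch(logged_in_stale, ()))         # authentication_classes = ()


if __name__ == "__main__":
    demo()
```

On a real view the second call corresponds to declaring `authentication_classes = ()` next to `permission_classes = (AllowAny,)` (or using a SessionAuthentication subclass whose `enforce_csrf` does nothing); the request is then treated as anonymous even when a session cookie is present. Decorating `dispatch` with `csrf_exempt` changes nothing, because `APIView.as_view()` already applies `csrf_exempt` and the check the poster is hitting lives in the authenticator, not in Django's CSRF middleware.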