I have an application in Django 1.9 that uses session middleware. I want to create an API for this application in the same project, but it can’t use @ CSRF when making a post request_ Exempt comment

settings.py

MIDDLEWARE_CLASSES = [
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.cache.UpdateCacheMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'a9.utils.middleware.LocaleMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'a9.core.access.middleware.AccessMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.cache.FetchFromCacheMiddleware',    
]

OAUTH2_PROVIDER = {
    # this is the list of available scopes
    'SCOPES': {'read': 'Read scope', 'write': 'Write scope', 'groups': 'Access to your groups'}
}

CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_METHODS = (
    'DELETE',
    'GET',
    'OPTIONS',
    'PATCH',
    'POST',
    'PUT',
)
CORS_ALLOW_HEADERS = (
    'accept',
    'accept-encoding',
    'authorization',
    'content-type',
    'dnt',
    'origin',
    'user-agent',
    'x-csrftoken',
    'x-requested-with',
)

REST_FRAMEWORK = {
    # Use Django's standard `django.contrib.auth` permissions,
    # or allow read-only access for unauthenticated users.
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly',
        #'rest_framework.permissions.IsAuthenticated',
    ],
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'oauth2_provider.ext.rest_framework.OAuth2Authentication',
        #'rest_framework.authentication.TokenAuthentication',
    )
}

urls.py

urlpatterns = [
    url(r'^v1/', include([
        url(r'^', include(router.urls)),
        url(r'^auth/', MyAuthentication.as_view()),
        url(r'^o/', include('oauth2_provider.urls', namespace='oauth2_provider')),
        url(r'^admin/', include(admin.site.urls)),
    ])),
]

views.py

@method_decorator(csrf_exempt, name='dispatch')
class MyAuthentication(TemplateView):

    def post(self, request, *args, **kwargs):

        return HttpResponse('Hello, World!')

After that, I always encountered a CSRF verification failure error

I found a solution. You need to create a middleware that is invoked before any Session Middlewares, and then check the URL or application you need to avoid CSRF token validation. So the code will look like this:

settings.py

MIDDLEWARE_CLASSES = [
'api.middleware.DisableCSRF'，＃Customized Middleware API  
'corsheaders.middleware.CorsMiddleware'，
'django.middleware.common .CommonMiddleware'，
'django.middleware.cache.UpdateCacheMiddleware'，
'django.middleware.security.SecurityMiddleware'，
'django.contrib.sessions.middleware.SessionMiddleware'，
'a9.utils.middleware.LocaleMiddleware'，
'django.middleware.common.CommonMiddleware'，
'django.middleware.csrf.CsrfViewMiddleware'，
'django.contrib.auth .middleware.AuthenticationMiddleware'，
'a9.core.access.middleware.AccessMiddleware'，
'django.contrib.auth.middleware.SessionAuthenticationMiddleware'，
'django.contrib.messages.middleware .MessageMiddleware'，
'django.middleware.clickjacking.XF rameOptionsMiddleware'，
'django.middleware.cache.FetchFromCacheMiddleware'，
] 

urls.py

app_name =“api”
 
 urlpatterns = [
 url（r'^ v1 /'，include（[
 url（r'^'，include（router.urls）），
 url（r'^ auth /'，MyAuthentication .as_view（）），
 url（r'^ o /'，include（'oauth2_provider.urls'，namespace ='oauth2_provider'）），
 url（r'^ admin /'，include admin.site.urls）），
]））
] 

csrf_disable.py

from django.core.urlresolvers import resolve


class DisableCSRF(object):
    """Middleware for disabling CSRF in an specified app name.
    """

    def process_request(self, request):
        """Preprocess the request.
        """
        app_name = "api"
        if resolve(request.path_info).app_name == app_name:
            setattr(request, '_dont_enforce_csrf_checks', True)
        else:
            pass  # check CSRF token validation

This will only check the specific application or URL of the CSRF token without removing all CSRF. In addition, this is Django rest framework independent:)

Similar Posts:

• Django admin Error: ‘WSGIRequest’ object has no attribute ‘user’
• ERRORS: ?: (corsheaders.E013) Origin ‘*’ in CORS_ORIGIN_WHITELIST is missing scheme or ne…
• [Django CSRF tutorial] solve the problem of forbidden (403) CSRF verification failed. Request aborted
• Vue + Django Project-Browser cross-domain error: Access-Control-Allow-Origin
• ImportError: cannot import name ‘patterns’
• How to Solve Django xadmin installation Error [7 Types of Errors]
• “No module named context_processors”
• [Solved] DjangoORM Run python manage.py makemigrations Error: no changes detected
• Error encountered in Django: forbidden CSRF cookie not set
• Forbidden (CSRF token missing or incorrect.):