发表新帖
发表新帖

Django check CSRF token manually

后端 未结
关注
4 1004
伪装坚强ぢ
伪装坚强ぢ 2021-02-08 02:27

I am implementing an API that works either with an API key, or with a CSRF token. The goal is for it to be usable either by a web app (protected by CSRF) or by a third party app

相关标签:
4条回答
  • 谎友^
    2021-02-08 02:58

    You can use builtin csrf verification like this:

    from django.middleware.csrf import CsrfViewMiddleware

def check_csrf(request):
  reason = CsrfViewMiddleware().process_view(request, None, (), {})
  if reason:
    # CSRF failed
    raise PermissionException() # do what you need to do here
    0 讨论(0)
  • 南方客
    2021-02-08 03:04

    You could probably subclass the CsrfViewMiddleware class and override the process_view method. Then include your custom middleware instead of the default CSRF one.

    from django.middleware.csrf import CsrfViewMiddleware

class CustomCsrfMiddleware(CsrfViewMiddleware):

    def process_view(self, request, callback, callback_args, callback_kwargs):
        if request.META.get('api_key'):
            # process api key
        else:
            return super(CsrfViewMiddleware, self).process_view(...)
    0 讨论(0)
  • 旧巷少年郎
    2021-02-08 03:04

    In my case, I wanted to POST some raw data with CSRF check.

    So, I use this decorator requires_csrf_token in the view which process POST data : 

    from django.views.decorators.csrf import requires_csrf_token

@requires_csrf_token
def manage_trade_allocation_update(request):

    In my template, I added csrf_token génération and put it in data post : 

    {% csrf_token %}
...
data['csrfmiddlewaretoken'] = document.querySelector('input[name="csrfmiddlewaretoken"]').value;

    With this mecanism, I can use CSRF protection with manual HTTP POST request.

    0 讨论(0)
  • 傲寒
    2021-02-08 03:19

    I've been accessing the CsrfViewMiddleware like Aldarund has shown but more needs to be said about this kind of solution:

    1. If you are performing the test in a view, then you can return reason directly. According to how Django middleware works, when process_view returns something else than None, then it must be a HttpResponse object so it can just be returned by the view.

      There may be cases where you do not want to return reason directly, but if there is no reason not to do so, I'd rather return it, for consistency with how the site behaves in other cases.

    2. If you use the test in a run-of-the-mill view, and you already use CsrfViewMiddleware site-wide, it is usually the case that request will already have passed once through CsrfViewMiddleware. (Yes, it can happen. I have a case where a request I receive is modified and retested through CsrfViewMiddleWare after it has already been tested by CsrfViewMiddleware due to the site-wide configuration.) However, the middleware sets csrf_processing_done on request after it tests it and won't retest it if it is called again, because of this flag. So csrf_processing_done has to be reset to False to perform a second test.

    Here's an illustration of the above:

    from django.middleware.csrf import CsrfViewMiddleware

def view(request):
    request.csrf_processing_done = False
    reason = CsrfViewMiddleware().process_view(request, None, (), {})
    if reason is not None:
        return reason # Failed the test, stop here.

    # process the request...
    0 讨论(0)
 看不清?
提交回复
热议问题