I\'m using Django 1.7 and django-rest-framework.
I made an API that returns me some JSON data putting this in my settings.py
REST_FRAMEW
// USING AJAX TO UPDATE DATABASE THROUGH REST API
function getCookie(name) {
var cookieValue = null;
if (document.cookie && document.cookie !== '') {
var cookies = document.cookie.split(';');
for (var i = 0; i < cookies.length; i++) {
var cookie = jQuery.trim(cookies[i]);
if (cookie.substring(0, name.length + 1) === (name + '=')) {
cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
break;
}
}
}
return cookieValue;
}
var csrftoken = getCookie('csrftoken');
function csrfSafeMethod(method) {
// these HTTP methods do not require CSRF protection
return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
}
$.ajaxSetup({
beforeSend: function (xhr, settings) {
if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
xhr.setRequestHeader("X-CSRFToken", csrftoken);
}
}
});
The easiest way to solve this error, I found on here. It works for me perfectly.
Steps:
Inherit the SessionAuthentication class:
from rest_framework.authentication import SessionAuthentication, BasicAuthentication
class CsrfExemptSessionAuthentication(SessionAuthentication):
def enforce_csrf(self, request):
return # To not perform the csrf check previously happening
Then in the APIView you have created, do this:
class Object(APIView):
authentication_classes = (CsrfExemptSessionAuthentication, BasicAuthentication)
def post(self, request, format=None):
This will keep you logged-in and your CSRF token will no longer be checked for this APIView.
I think it is a cookie issue.
Permanent Solution: If you are using Postman, First, clear the existing cookies by clicking 'X' s. Then add correct cookie.
Temporary Solution (for debugging): Try this in your settings.py
:
'DEFAULT_AUTHENTICATION_CLASSES': [
# 'rest_framework.authentication.SessionAuthentication',
'rest_framework.authentication.BasicAuthentication',
]
This is what i did to solve it, i included csrf token to the form and using jquery/ javascrip got the csrf token like this when document loaded
var $crf_token = $('[name="csrfmiddlewaretoken"]').attr('value');
the included it on jquery headers as follow
$.ajax({
type: "POST",
url: "/api/endpoint/",
data: newEndpoint,
headers:{"X-CSRFToken": $crf_token},
success: function (newEnd) {
console.log(newEnd);
add_end(newEnd);
},
error: function () {
alert("There was an error")
}
});
I had a similar problem where I'd wrapped the views with csrf_exempt
and was still encountering errors. It turned out that I was getting the URL wrong, so it was resolved to a "not found" callback (which wasn't exempt from CSRF) and was hence throwing an exception before I could be told that the URL was wrong.
Get token from cookie:
function readCookie(name) {
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for(var i=0;i < ca.length;i++) {
var c = ca[i];
while (c.charAt(0)==' ') c = c.substring(1,c.length);
if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
}
return null;
}
var csrftoken = readCookie('csrftoken');
Send token in headers POST request:
this.$http.post(server,{params: {foo: 'bar'}}, {headers: {"X-CSRFToken":csrftoken }}).then(function (response) {
this.response = response.data;
},
function (response) {
console.log(response);
});