python - Django Rest Framework with Social Auth And Request Post (CSRF-Security) -

-

i need django rest , social auth.... have 1 view next structure...

class obtainauthtokenfacebook(apiview):     parser_classes = (parsers.formparser, parsers.multipartparser, parsers.jsonparser,)     renderer_classes = (renderers.jsonrenderer,)     serializer_class = authtokenserializer      def post(self, request, backend):          serializer = self.serializer_class(data=request.data)         user = register_by_access_token(request, backend)

and me fucntion login....

from django.contrib.auth import login   @psa('social:complete') def register_by_access_token(request, backend, *args, **kwargs):     access_token = request.data.get('token')     user = request.backend.do_auth(access_token)      if user:         login(request, user)         return user     else:         return 'error'

when in view send response.... front end recieve this...

http/1.0 200 ok date: fri, 07 aug 2015 18:53:31 gmt server: wsgiserver/0.1 python/2.7.9 vary: cookie x-frame-options: sameorigin content-type: application/json allow: post, options set-cookie:  csrftoken=pzhrahwhfsog2et6n5psckjbffepmpqr; expires=fri, 05-aug-2016 18:53:31 gmt; max-age=31449600; path=/ set-cookie:  sessionid=nhxbh9slhw3pw887necskqfohczkzxo3; expires=fri, 21-aug-2015 18:53:31 gmt; httponly; max-age=1209600; path=/

but.... moments working ios , ios save cookies of first request... , , when send same request cookies paste in headers .... server respond 1 403....this because code have structure this, request send csrftoken , 1 sessionid.. enter image description here

and when request arrive server , refuse request...

how manager csrf token in backend....to avoid reject future requests.....

django-restframework uses django's built-in csrf protection mechanisms , not implement own. may want disable csrf api endpoints client can post/put/patch them. can in 2 ways:

a) system-wide removing django.middleware.csrf.csrfviewmiddleware list of middlewares

b) selectively, decorating endpoints csrf_exempt. decorating cbvs methods class-wide, need use method_decorator decorator on dispatch method.

this way, clients of api don't need worry csrf token.

whatever choose above, reccomend first read docs on csrf in django aware of implications of disabling protection in part of application: https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/

if works application needs, you're go :)


Comments

Post a Comment

Popular posts from this blog

yii2 - Yii 2 Running a Cron in the basic template -

-
i have seen instructions on running cron in advanced template, cant figure out how on basic template. have following controller in basic controllers folder. <?php namespace app\controllers; use yii\console\controller; /** * cron controller */ class croncontroller extends controller { public function actionindex() { echo "cron service runnning"; } public function actionmail($to) { echo "sending mail " . $to; } } i have navigated root of application , tried these comands yii cron php yii cron im getting unknown comand "cron" i know old question failed find actual answer this. if @ code yii exec file you'll notice requires /common/config/aliases.php file console/config/main.php. can naturally change these or copy on these advanced template. hope solves problem wanting same thing.
Read more

asp.net - 'System.Web.HttpContext' does not contain a definition for 'GetOwinContext' Mystery -

-
i realize question might seem trivial some, it's these types of things find myself fighting quite bit , want make sense of despite seeming losing battle in .net (for me anyway). so, if following: using system.web; ... applicationuser user = system.web.httpcontext.getowincontext().getusermanager<applicationusermanager>().findbyid(system.web.httpcontext.user.identity.getuserid()); that produces error in title , red getowincontext() , error cannot resolve symbol 'getowincontext()' however, if following (remove system.web in front of httpcontext ), works expected (or @ least no errors): using system.web; ... applicationuser user = httpcontext.getowincontext().getusermanager<applicationusermanager>().findbyid(system.web.httpcontext.user.identity.getuserid()); however, if (same line that's working using system.web commented out): //using system.web; ... applicationuser user = httpcontext.getowincontext().getusermana...
Read more

mercurial graft feature, can it copy? -

-
there new feature in mercurial 3, called 'graft' (graft local). job of moving change-set different branch. is there way "copy" change-set branch? i interested in in moving stuff qa branch production branch, still need code reside in qa. want copy. found , have tried few things, maybe it'll become clear more tinkering , reading... does have better way of 'cherry picking' change-sets move cross branch (or trunk)??? graft copies changesets, doesn't move them. hg graft (emphasis mine): this command uses mercurial's merge logic copy individual changes other branches without merging branches in history graph. known 'backporting' or 'cherry-picking' . default, graft copy user, date, , description source changesets.
Read more