Hi,

On Tuesday, April 18, 2023 at 10:57:55 PM UTC+2 jure.er...@gmail.com wrote:

> Well, TBH, I've just completed dealing with CSRF form in my projects. I ended up exempting the particular view from CSRF because I didn't know how to get the stuff to work. The problem was that Django parsed the body payload, which was JSON and thus rejected its contents (because it wasn't form payload type – POST method). As a result, DRF then had no payload to work with… I shouldn't go into too much detail as it's irrelevant to the point.

I do not think this is true. Django only parses the POST data if the content-type is a form type, so if you are sending JSON properly Django will not parse the data and DRF can handle it just fine.

> But, I've been considering I need a modernised CSRF: currently it works by generating a new token every page served. But we have switched our front-end to SPA and that doesn't make much sense any more since the CSRF token itself doesn't change at all, since the Django template system only ever serves one page. AFAIK, DRF doesn't generate new tokens in its pipelines.

That is not accurate either. The token does not change for every page served, only its visual representation does. That means that you can keep using the same CSRF token even though it looks like it is different (note: this assumes that you are not triggering a codepath that is rotating the token).

Cheers,
Florian

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/f64582bd-63ea-483a-aebc-2acc5dac6cdbn%40googlegroups.com.
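The point in Florian's reply about the token "looking different" while staying the same is easiest to see in code. The block below is an added example, not code from the thread and not Django's own implementation: it follows the same scheme Django's CSRF middleware uses (a fixed per-session secret, a fresh random mask prepended on every render, an additive cipher over the 62-character alphabet so the secret can be recovered by subtraction), but the helper names, the `demo()` function and the acceptance of either a bare secret or a masked token in `tokens_match` are my own choices. Two renders of the same secret produce different 64-character tokens that unmask to the same value; a rotated secret does not match.

```python
import secrets
import string

# Alphabet and lengths follow the scheme discussed in the thread; the
# function and variable names here are assumptions of this example.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
_N = len(CSRF_ALLOWED_CHARS)


def new_csrf_string(length=CSRF_SECRET_LENGTH):
    """Random string over the allowed alphabet: used for the session secret and for masks."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(length))


def mask_secret(secret, mask=None):
    """Return mask + ((secret_i + mask_i) mod 62), character by character.

    A fresh mask on every render is why the token changes visually even
    though the underlying secret stays the same.
    """
    if mask is None:
        mask = new_csrf_string()
    cipher = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(m)) % _N]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token):
    """Recover the secret from a masked token: (cipher_i - mask_i) mod 62."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % _N]
        for c, m in zip(cipher, mask)
    )


def _well_formed(token):
    # Accept a bare 32-char secret or a 64-char masked token, nothing else.
    return (
        len(token) in (CSRF_SECRET_LENGTH, CSRF_TOKEN_LENGTH)
        and all(ch in CSRF_ALLOWED_CHARS for ch in token)
    )


def _secret_of(token):
    return unmask_token(token) if len(token) == CSRF_TOKEN_LENGTH else token


def tokens_match(request_token, stored_token):
    """The middleware-style check: unmask both sides, then compare in constant time."""
    if not _well_formed(request_token) or not _well_formed(stored_token):
        return False
    return secrets.compare_digest(_secret_of(request_token), _secret_of(stored_token))


def demo():
    """Two renders of one secret look different, unmask identically, and match each other."""
    secret = new_csrf_string()
    first, second = mask_secret(secret), mask_secret(secret)
    return {
        "look_different": first != second,
        "same_secret": unmask_token(first) == unmask_token(second) == secret,
        "match": tokens_match(first, second),
        "match_bare_secret": tokens_match(first, secret),
        "rotated_mismatch": tokens_match(first, mask_secret(new_csrf_string())),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for an SPA is the one Florian states: read the token once (from the cookie or a rendered hidden field) and keep sending it; every rendered copy is a different masking of the same secret, so re-rendering a page buys nothing unless something on the server has actually rotated the secret.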
Well, TBH, I've just completed dealing with CSRF form in my projects. I ended up exempting the particular view from CSRF because I didn't know how to get the stuff to work. The problem was that django parsed the body payload, which was JSON and thus rejected its contents (because it wasn't form payload type – POST method). As a result, DRF then had no payload to work with… I shouldn't go into too much detail as it's irrelevant to the point. I do not think this is true. Django only parses the POST data if the content-type is a form type, so if you are sending JSON properly Django will not parse the data and DRF can handle it just fine. But, I've been considering I need a modernised CSRF: currently it works by generating a new token every page served. But we have switched our front-end to SPA and that doesn't make much sense any more since CSRF token itself doesn't change at all, since Django template system only ever serves one page. AFAIK, DRF doesn't ganerate new tokens in its pipelines. That is not accurate either. The token does not change for every page served, only it's visual representation does. That means that you can keep using the same CSRF token even though it looks like it is different (note: This assume that you are not triggering a codepath that is rotating the token). Cheers, Florian -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/f64582bd-63ea-483a-aebc-2acc5dac6cdbn%40googlegroups.com.