IMHO if a client passes the credentials and has a valid token, then CSRF token should NOT be required. The token is a sacred thing, if you have it, then you get what you are entitled to.
With the current behavior, one must either not log in through the same browser or delete the cookie, which logs the user out anyways. The workaround is to use different browsers for testing the SPA and the django admin.

On Wednesday, 19 June 2013 03:56:14 UTC-4, Tom Christie wrote:
>
> > I am wondering why this happens as I was under the impression
> > django-rest-framework was usually CSRF exempt
>
> To clarify, session authenticated requests are CSRF protected, all other requests are not.
> What this means is:
>
> * Requests that are authenticated via session auth (ie. There is a logged in user making a request) require CSRF protection.
> * Requests that are authenticated via non-session auth (eg. TokenAuthentication) do not require CSRF protection.
> * Anonymous requests do not require CSRF protection.
>
> The only reason you should be getting a CSRF failure is if you're making the request as a logged in user.
>
> Of course if you've got a logged in session, you shouldn't need to be calling obtain_auth_token, because all your requests will already be authenticated. Normally this case is where the API client is javascript making AJAX requests, and running in the context of a session that the user has logged into your app. You *could* still call obtain_auth_token, which might make sense perhaps if this is part of a front end that's handing out tokens to the developer (rather than handing them to be used by the client app), tho you would need to include the CSRF token in the request, as described in the Django docs <https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#ajax>.
>
> So, question - what client are you using to make the requests? If you don't believe that the behavior is correct (eg you don't believe the requests are being made by a logged in user) then what is the simplest way someone could replicate the behavior (eg what exact commands are you running the client with).
>
> I hope this helps explain adequately, it's a difficult area to document and describe well - let us know what resolution you reach, or if this remains an issue that needs further attention.
>
> All the best,
>
> Tom
>
>
> On Wednesday, 19 June 2013 05:49:35 UTC+1, Nigel Daniels wrote:
>>
>> kinda surprised no one has an answer.
>>
>> On Friday, June 14, 2013 7:09:50 PM UTC-7, Nigel Daniels wrote:
>>>
>>> I am calling obtain_auth_token from urls as follows
>>>
>>> url(r'^api-token/','rest_framework.authtoken.views.obtain_auth_token')
>>>
>>> I get back
>>>
>>> { detail: "CSRF Failed: CSRF token missing or incorrect."}
>>>
>>> I am wondering why this happens as I was under the impression
>>> django-rest-framework was usually CSRF exempt
>>>
>>> Thanks
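The case Tom describes, as an added browser-side example (not code from the thread or from Django REST framework): an SPA running inside a logged-in Django session is session-authenticated when it POSTs to obtain_auth_token, so that one request must carry Django's CSRF token in the `X-CSRFToken` header as the linked Django docs describe; calls made afterwards with the token and no session cookie go through TokenAuthentication and need no CSRF token. The `/api-token/` path comes from the thread; the `csrftoken` cookie name is Django's default; the usernames, tokens and `/api/things/` path are constructed.

```javascript
// Read one cookie from a document.cookie-style string (the pattern the
// Django CSRF docs use for AJAX clients).
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const c = part.trim();
    if (c.startsWith(name + '=')) {
      return decodeURIComponent(c.slice(name.length + 1));
    }
  }
  return null;
}

// fetch() options for the obtain_auth_token POST made from a logged-in browser.
// 'same-origin' sends the session cookie, so DRF treats the request as session
// authenticated and enforces CSRF: the X-CSRFToken header is mandatory here.
// Fail early when the cookie is absent instead of collecting a 403 later.
function buildObtainTokenRequest(username, password, cookieString) {
  const csrf = getCookie('csrftoken', cookieString);
  if (csrf === null) {
    throw new Error('csrftoken cookie missing: session-authenticated POST would be rejected');
  }
  return {
    method: 'POST',
    credentials: 'same-origin',
    headers: {
      'Content-Type': 'application/json',
      'X-CSRFToken': csrf,
    },
    body: JSON.stringify({ username, password }),
  };
}

// fetch() options for later API calls authenticated by the token. 'omit' keeps
// the session cookie out of the request, so DRF's SessionAuthentication finds
// no user and TokenAuthentication applies; no CSRF token is required.
function buildTokenRequest(token, method = 'GET') {
  return {
    method,
    credentials: 'omit',
    headers: { Authorization: 'Token ' + token },
  };
}

// Usage in a browser (constructed, not executed here):
// const opts = buildObtainTokenRequest('alice', 'secret', document.cookie);
// const { token } = await (await fetch('/api-token/', opts)).json();
// await fetch('/api/things/', buildTokenRequest(token));
```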
