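try:  # Django >= 1.10 (the "django2"/"django3.2+" path noted by the author)
    from django.urls import Resolver404, resolve
except ImportError:  # Django < 1.10
    from django.core.urlresolvers import Resolver404, resolve

try:  # Django >= 1.10: needed when the class is listed in ``MIDDLEWARE``
    from django.utils.deprecation import MiddlewareMixin
except ImportError:  # Django < 1.10: legacy ``MIDDLEWARE_CLASSES`` only
    MiddlewareMixin = object


class DisableCSRF(MiddlewareMixin):
    """Middleware that skips Django's CSRF check for one URL app namespace.

    Every request whose path resolves into ``app_name`` is flagged with
    ``request._dont_enforce_csrf_checks``. ``CsrfViewMiddleware.process_view``
    (and DRF's ``SessionAuthentication``, which reuses that same check) then
    skips token validation for it. Everything outside the namespace keeps
    full CSRF protection.

    Security notes:

    * The exemption covers *every* view under the namespace, including
      session-authenticated ones. A browser that holds a session cookie for
      the site can then be driven against those views by a third-party page,
      so only exempt endpoints that authenticate with a non-cookie credential
      (token / OAuth bearer). With the example ``urls.py`` on this page, which
      mounts ``admin.site.urls`` inside the ``api`` namespace, the Django
      admin would lose CSRF protection as well.
    * ``_dont_enforce_csrf_checks`` is a private Django attribute (the same
      one ``csrf_exempt`` relies on internally); it is not public API.
    * Paths that do not resolve are left alone (fail closed): CSRF stays
      enforced and the URL dispatcher raises the 404 later as usual.
    """

    #: URL namespace (``app_name`` in ``urls.py``) whose views are exempted.
    #: Class attribute so a subclass or settings-driven wrapper can override it.
    app_name = "api"

    def process_request(self, request):
        """Flag *request* as CSRF-exempt when its path belongs to ``app_name``.

        Args:
            request: The incoming ``HttpRequest``.

        Returns:
            ``None`` – the request always continues down the middleware chain.
        """
        # Honour a per-request urlconf set by an earlier middleware, exactly as
        # the dispatcher will when it resolves the view.
        urlconf = getattr(request, "urlconf", None)
        try:
            # resolve() walks the URLconf; the author notes that a compiled
            # regex on request.path_info is quicker if this shows in profiling.
            match = resolve(request.path_info, urlconf=urlconf)
        except Resolver404:
            # Unrouted path: keep CSRF enforcement on and let the normal
            # dispatcher produce the 404.
            return None
        if match.app_name == self.app_name:
            request._dont_enforce_csrf_checks = True
        # Otherwise nothing is set and CsrfViewMiddleware validates the token.
        return None


# I found a way to solve this. You need to create a middleware that runs before
# any session middleware and then checks the request against the URLs or app
# you want to exempt from CSRF token validation. So the code would be like this: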
settings.py
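# settings.py – legacy ``MIDDLEWARE_CLASSES`` setting (removed in Django 2.0).
# On Django >= 1.10 the same list goes into ``MIDDLEWARE`` and the custom
# middleware must then be new-style (``MiddlewareMixin``).
MIDDLEWARE_CLASSES = [
    # Custom middleware for the API. The dotted path must point at the module
    # that actually holds the class (this page shows it as ``csrf_disable.py``;
    # adjust one or the other). Listed first so the CSRF-exempt flag is set
    # before any later middleware looks at the request.
    'api.middleware.DisableCSRF',
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.cache.UpdateCacheMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'a9.utils.middleware.LocaleMiddleware',
    # The original list repeated CommonMiddleware here; one entry is enough
    # (it was run twice per request).
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'a9.core.access.middleware.AccessMiddleware',
    # Removed in Django 2.0 (its behaviour became built in); drop on upgrade.
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.cache.FetchFromCacheMiddleware',
]
# urls.py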
# urls.py – everything in this module resolves with app_name == "api", so the
# DisableCSRF middleware exempts all of it from CSRF checks. That includes the
# ``admin/`` include below: the Django admin is session-authenticated and relies
# on CSRF protection, so it should not be mounted inside the exempted namespace
# in a real deployment.
app_name = "api"

# Routes served under the v1/ prefix. ``url()`` is the pre-4.0 API; on
# Django 4.0+ use ``re_path()`` with the same patterns.
_v1_patterns = [
    url(r'^', include(router.urls)),
    url(r'^auth/', MyAuthentication.as_view()),
    url(r'^o/', include('oauth2_provider.urls', namespace='oauth2_provider')),
    url(r'^admin/', include(admin.site.urls)),
]

urlpatterns = [
    url(r'^v1/', include(_v1_patterns)),
]
# csrf_disable.py
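try:  # Django >= 1.10 (the "django3.2+" path noted by the author)
    from django.urls import Resolver404, resolve
except ImportError:  # Django < 1.10
    from django.core.urlresolvers import Resolver404, resolve

try:  # Django >= 1.10: needed when the class is listed in ``MIDDLEWARE``
    from django.utils.deprecation import MiddlewareMixin
except ImportError:  # Django < 1.10: legacy ``MIDDLEWARE_CLASSES`` only
    MiddlewareMixin = object


class DisableCSRF(MiddlewareMixin):
    """Middleware that skips Django's CSRF check for one URL app namespace.

    Every request whose path resolves into ``app_name`` is flagged with
    ``request._dont_enforce_csrf_checks``. ``CsrfViewMiddleware.process_view``
    (and DRF's ``SessionAuthentication``, which reuses that same check) then
    skips token validation for it. Everything outside the namespace keeps
    full CSRF protection.

    Security notes:

    * The exemption covers *every* view under the namespace, including
      session-authenticated ones. A browser that holds a session cookie for
      the site can then be driven against those views by a third-party page,
      so only exempt endpoints that authenticate with a non-cookie credential
      (token / OAuth bearer). With the example ``urls.py`` on this page, which
      mounts ``admin.site.urls`` inside the ``api`` namespace, the Django
      admin would lose CSRF protection as well.
    * ``_dont_enforce_csrf_checks`` is a private Django attribute (the same
      one ``csrf_exempt`` relies on internally); it is not public API.
    * Paths that do not resolve are left alone (fail closed): CSRF stays
      enforced and the URL dispatcher raises the 404 later as usual.
    """

    #: URL namespace (``app_name`` in ``urls.py``) whose views are exempted.
    #: Class attribute so a subclass or settings-driven wrapper can override it.
    app_name = "api"

    def process_request(self, request):
        """Flag *request* as CSRF-exempt when its path belongs to ``app_name``.

        Args:
            request: The incoming ``HttpRequest``.

        Returns:
            ``None`` – the request always continues down the middleware chain.
        """
        # Honour a per-request urlconf set by an earlier middleware, exactly as
        # the dispatcher will when it resolves the view.
        urlconf = getattr(request, "urlconf", None)
        try:
            # resolve() walks the URLconf; the author notes that a compiled
            # regex on request.path_info is quicker if this shows in profiling.
            match = resolve(request.path_info, urlconf=urlconf)
        except Resolver404:
            # Unrouted path: keep CSRF enforcement on and let the normal
            # dispatcher produce the 404.
            return None
        if match.app_name == self.app_name:
            request._dont_enforce_csrf_checks = True
        # Otherwise nothing is set and CsrfViewMiddleware validates the token.
        return None


# This only skips the CSRF token check for a specific app or URL without
# removing CSRF protection everywhere. Also, this is django-rest-framework
# independent :)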
I found a way to solve this. You need to create a middleware that runs before any session middleware and then checks the request against the URLs or app you want to exempt from CSRF token validation. So the code would be like this:
settings.py
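# settings.py – legacy ``MIDDLEWARE_CLASSES`` setting (removed in Django 2.0).
# On Django >= 1.10 the same list goes into ``MIDDLEWARE`` and the custom
# middleware must then be new-style (``MiddlewareMixin``).
MIDDLEWARE_CLASSES = [
    # Custom middleware for the API. The dotted path must point at the module
    # that actually holds the class (this page shows it as ``csrf_disable.py``;
    # adjust one or the other). Listed first so the CSRF-exempt flag is set
    # before any later middleware looks at the request.
    'api.middleware.DisableCSRF',
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.cache.UpdateCacheMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'a9.utils.middleware.LocaleMiddleware',
    # The original list repeated CommonMiddleware here; one entry is enough
    # (it was run twice per request).
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'a9.core.access.middleware.AccessMiddleware',
    # Removed in Django 2.0 (its behaviour became built in); drop on upgrade.
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.cache.FetchFromCacheMiddleware',
]
# urls.py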
# urls.py – everything in this module resolves with app_name == "api", so the
# DisableCSRF middleware exempts all of it from CSRF checks. That includes the
# ``admin/`` include below: the Django admin is session-authenticated and relies
# on CSRF protection, so it should not be mounted inside the exempted namespace
# in a real deployment.
app_name = "api"

# Routes served under the v1/ prefix. ``url()`` is the pre-4.0 API; on
# Django 4.0+ use ``re_path()`` with the same patterns.
_v1_patterns = [
    url(r'^', include(router.urls)),
    url(r'^auth/', MyAuthentication.as_view()),
    url(r'^o/', include('oauth2_provider.urls', namespace='oauth2_provider')),
    url(r'^admin/', include(admin.site.urls)),
]

urlpatterns = [
    url(r'^v1/', include(_v1_patterns)),
]
# csrf_disable.py
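try:  # Django >= 1.10 (the "django3.2+" path noted by the author)
    from django.urls import Resolver404, resolve
except ImportError:  # Django < 1.10
    from django.core.urlresolvers import Resolver404, resolve

try:  # Django >= 1.10: needed when the class is listed in ``MIDDLEWARE``
    from django.utils.deprecation import MiddlewareMixin
except ImportError:  # Django < 1.10: legacy ``MIDDLEWARE_CLASSES`` only
    MiddlewareMixin = object


class DisableCSRF(MiddlewareMixin):
    """Middleware that skips Django's CSRF check for one URL app namespace.

    Every request whose path resolves into ``app_name`` is flagged with
    ``request._dont_enforce_csrf_checks``. ``CsrfViewMiddleware.process_view``
    (and DRF's ``SessionAuthentication``, which reuses that same check) then
    skips token validation for it. Everything outside the namespace keeps
    full CSRF protection.

    Security notes:

    * The exemption covers *every* view under the namespace, including
      session-authenticated ones. A browser that holds a session cookie for
      the site can then be driven against those views by a third-party page,
      so only exempt endpoints that authenticate with a non-cookie credential
      (token / OAuth bearer). With the example ``urls.py`` on this page, which
      mounts ``admin.site.urls`` inside the ``api`` namespace, the Django
      admin would lose CSRF protection as well.
    * ``_dont_enforce_csrf_checks`` is a private Django attribute (the same
      one ``csrf_exempt`` relies on internally); it is not public API.
    * Paths that do not resolve are left alone (fail closed): CSRF stays
      enforced and the URL dispatcher raises the 404 later as usual.
    """

    #: URL namespace (``app_name`` in ``urls.py``) whose views are exempted.
    #: Class attribute so a subclass or settings-driven wrapper can override it.
    app_name = "api"

    def process_request(self, request):
        """Flag *request* as CSRF-exempt when its path belongs to ``app_name``.

        Args:
            request: The incoming ``HttpRequest``.

        Returns:
            ``None`` – the request always continues down the middleware chain.
        """
        # Honour a per-request urlconf set by an earlier middleware, exactly as
        # the dispatcher will when it resolves the view.
        urlconf = getattr(request, "urlconf", None)
        try:
            match = resolve(request.path_info, urlconf=urlconf)
        except Resolver404:
            # Unrouted path: keep CSRF enforcement on and let the normal
            # dispatcher produce the 404.
            return None
        if match.app_name == self.app_name:
            request._dont_enforce_csrf_checks = True
        # Otherwise nothing is set and CsrfViewMiddleware validates the token.
        return None


# This only skips the CSRF token check for a specific app or URL without
# removing CSRF protection everywhere. Also, this is django-rest-framework
# independent :)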
I found a way to solve this. You need to create a middleware that runs before any session middleware and then checks the request against the URLs or app you want to exempt from CSRF token validation. So the code would be like this:
settings.py
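# settings.py – legacy ``MIDDLEWARE_CLASSES`` setting (removed in Django 2.0).
# On Django >= 1.10 the same list goes into ``MIDDLEWARE`` and the custom
# middleware must then be new-style (``MiddlewareMixin``).
MIDDLEWARE_CLASSES = [
    # Custom middleware for the API. The dotted path must point at the module
    # that actually holds the class (this page shows it as ``csrf_disable.py``;
    # adjust one or the other). Listed first so the CSRF-exempt flag is set
    # before any later middleware looks at the request.
    'api.middleware.DisableCSRF',
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.cache.UpdateCacheMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'a9.utils.middleware.LocaleMiddleware',
    # The original list repeated CommonMiddleware here; one entry is enough
    # (it was run twice per request).
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'a9.core.access.middleware.AccessMiddleware',
    # Removed in Django 2.0 (its behaviour became built in); drop on upgrade.
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.cache.FetchFromCacheMiddleware',
]
# urls.py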
# urls.py – everything in this module resolves with app_name == "api", so the
# DisableCSRF middleware exempts all of it from CSRF checks. That includes the
# ``admin/`` include below: the Django admin is session-authenticated and relies
# on CSRF protection, so it should not be mounted inside the exempted namespace
# in a real deployment.
app_name = "api"

# Routes served under the v1/ prefix. ``url()`` is the pre-4.0 API; on
# Django 4.0+ use ``re_path()`` with the same patterns.
_v1_patterns = [
    url(r'^', include(router.urls)),
    url(r'^auth/', MyAuthentication.as_view()),
    url(r'^o/', include('oauth2_provider.urls', namespace='oauth2_provider')),
    url(r'^admin/', include(admin.site.urls)),
]

urlpatterns = [
    url(r'^v1/', include(_v1_patterns)),
]
# csrf_disable.py
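try:  # Django >= 1.10 (the "django3.2+" path noted by the author)
    from django.urls import Resolver404, resolve
except ImportError:  # Django < 1.10
    from django.core.urlresolvers import Resolver404, resolve

try:  # Django >= 1.10: needed when the class is listed in ``MIDDLEWARE``
    from django.utils.deprecation import MiddlewareMixin
except ImportError:  # Django < 1.10: legacy ``MIDDLEWARE_CLASSES`` only
    MiddlewareMixin = object


class DisableCSRF(MiddlewareMixin):
    """Middleware that skips Django's CSRF check for one URL app namespace.

    Every request whose path resolves into ``app_name`` is flagged with
    ``request._dont_enforce_csrf_checks``. ``CsrfViewMiddleware.process_view``
    (and DRF's ``SessionAuthentication``, which reuses that same check) then
    skips token validation for it. Everything outside the namespace keeps
    full CSRF protection.

    Security notes:

    * The exemption covers *every* view under the namespace, including
      session-authenticated ones. A browser that holds a session cookie for
      the site can then be driven against those views by a third-party page,
      so only exempt endpoints that authenticate with a non-cookie credential
      (token / OAuth bearer). With the example ``urls.py`` on this page, which
      mounts ``admin.site.urls`` inside the ``api`` namespace, the Django
      admin would lose CSRF protection as well.
    * ``_dont_enforce_csrf_checks`` is a private Django attribute (the same
      one ``csrf_exempt`` relies on internally); it is not public API.
    * Paths that do not resolve are left alone (fail closed): CSRF stays
      enforced and the URL dispatcher raises the 404 later as usual.
    """

    #: URL namespace (``app_name`` in ``urls.py``) whose views are exempted.
    #: Class attribute so a subclass or settings-driven wrapper can override it.
    app_name = "api"

    def process_request(self, request):
        """Flag *request* as CSRF-exempt when its path belongs to ``app_name``.

        Args:
            request: The incoming ``HttpRequest``.

        Returns:
            ``None`` – the request always continues down the middleware chain.
        """
        # Honour a per-request urlconf set by an earlier middleware, exactly as
        # the dispatcher will when it resolves the view.
        urlconf = getattr(request, "urlconf", None)
        try:
            # resolve() walks the URLconf; the author notes that a compiled
            # regex on request.path_info is quicker if this shows in profiling.
            match = resolve(request.path_info, urlconf=urlconf)
        except Resolver404:
            # Unrouted path: keep CSRF enforcement on and let the normal
            # dispatcher produce the 404.
            return None
        if match.app_name == self.app_name:
            request._dont_enforce_csrf_checks = True
        # Otherwise nothing is set and CsrfViewMiddleware validates the token.
        return None


# This only skips the CSRF token check for a specific app or URL without
# removing CSRF protection everywhere. Also, this is django-rest-framework
# independent :)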