Hey guys I have CSRF related question We are using passwordl SuperTokens.com #support-questions

Hey guys, I have CSRF related question. We are usi...

execreate

05/07/2022, 5:47 AM

Hey guys, I have CSRF related question. We are using passwordless auth on our Python Django backend (we use Django Rest Framework). From Django CSRF settings I have configured the following:

Copy code

python
CSRF_TRUSTED_ORIGINS=[domain_names]
CSRF_COOKIE_SECURE = True

The issue we are getting is that POST requests we are getting this response:

Copy code

json
{
    "detail": "CSRF Failed: CSRF token missing."
}

05/07/2022, 5:48 AM

hey @execreate

05/07/2022, 5:48 AM

you not need to use Django's CSRF protection. Cause supertokens provides this by itself

execreate

05/07/2022, 5:48 AM

hmm

05/07/2022, 5:49 AM

https://supertokens.com/docs/session/common-customizations/sessions/anti-csrf

execreate

05/07/2022, 5:50 AM

Yeah, I have read that. My assumption was that it is somehow integrated with Django's CSRF middleware So you mean all I have to do is to remove the 'django.middleware.csrf.CsrfViewMiddleware' from my Django settings?

05/07/2022, 5:50 AM

Yea. I think so

05/07/2022, 5:50 AM

just disable django's CSRF check entirely

execreate

05/07/2022, 5:51 AM

okay! thank you @rp 🙂

05/07/2022, 5:51 AM

lmk how it goes 🙂

execreate

05/07/2022, 6:00 AM

The error still persists 🤔 Here is my middleware list:

Copy code

python
['corsheaders.middleware.CorsMiddleware',
 'django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'django.middleware.locale.LocaleMiddleware',
 'supertokens_python.framework.django.django_middleware.middleware']

execreate

05/07/2022, 6:02 AM

Rest framework settings:

Copy code

python
REST_FRAMEWORK = {
    'DEFAULT_SCHEMA_CLASS': 'drf_spectacular.openapi.AutoSchema',
    'DEFAULT_FILTER_BACKENDS': ['django_filters.rest_framework.DjangoFilterBackend'],
}

and the endpoint I am fetching is protected with

supertokens_python.recipe.session.framework.django.syncio.verify_session

execreate

05/07/2022, 6:08 AM

i can see that

csrftoken

is there in the request cookies do you think the problem might be that the frontend is not sending me the same cookie in

X-CSRFToken

header?

05/07/2022, 6:16 AM

> i can see that csrftoken is there in the request cookies This means django's CSRF is still in play.

05/07/2022, 6:17 AM

try this:

Copy code

['corsheaders.middleware.CorsMiddleware',
 'django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'django.middleware.locale.LocaleMiddleware',
 'supertokens_python.framework.django.django_middleware.middleware']

05/07/2022, 6:17 AM

(i removed the

django.contrib.auth.middleware.AuthenticationMiddleware

)

05/07/2022, 6:17 AM

if it still works, i'd remove everything except for

supertokens_python.framework.django.django_middleware.middleware

, then add things one by one until I hit the issue again

execreate

05/07/2022, 6:32 AM

thanks:) i'll try it now

execreate

05/07/2022, 6:46 AM

okay, so the problem was with the drf session authentication (which is set by default) -- it forces CSRF middleware even if you don't include it in your settings

05/07/2022, 6:47 AM

I see! Thanks for the info

execreate

05/07/2022, 7:04 AM

btw, looks like it's not necessary to remove CSRF middleware it's enough to remove SessionAuthentication from DjangoRestFramework

5 Views

Previous Next