# support-questions
execreate

05/07/2022, 5:47 AM
Hey guys, I have a CSRF-related question. We are using passwordless auth on our Python Django backend (we use Django REST Framework). In the Django CSRF settings I have configured the following:

```python
# Django settings.py (CSRF section)
CSRF_TRUSTED_ORIGINS = [domain_names]
CSRF_COOKIE_SECURE = True
```

The issue is that on POST requests we are getting this response:

```json
{
    "detail": "CSRF Failed: CSRF token missing."
}
```
rp

05/07/2022, 5:48 AM
hey @execreate
You do not need to use Django's CSRF protection, because SuperTokens provides this by itself.
execreate

05/07/2022, 5:48 AM
hmm
execreate

05/07/2022, 5:50 AM
Yeah, I have read that. My assumption was that it is somehow integrated with Django's CSRF middleware. So you mean all I have to do is remove `django.middleware.csrf.CsrfViewMiddleware` from my Django settings?
rp

05/07/2022, 5:50 AM
Yeah, I think so.
Just disable Django's CSRF check entirely.
execreate

05/07/2022, 5:51 AM
okay! thank you @rp 🙂
rp

05/07/2022, 5:51 AM
lmk how it goes 🙂
execreate

05/07/2022, 6:00 AM
The error still persists 🤔 Here is my middleware list:
```python
# Django settings.py
MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.locale.LocaleMiddleware',
    'supertokens_python.framework.django.django_middleware.middleware',
]
```
REST framework settings:

```python
# Django settings.py
REST_FRAMEWORK = {
    'DEFAULT_SCHEMA_CLASS': 'drf_spectacular.openapi.AutoSchema',
    'DEFAULT_FILTER_BACKENDS': ['django_filters.rest_framework.DjangoFilterBackend'],
}
```
and the endpoint I am fetching is protected with `supertokens_python.recipe.session.framework.django.syncio.verify_session`.
I can see that `csrftoken` is there in the request cookies. Do you think the problem might be that the frontend is not sending me the same cookie in the `X-CSRFToken` header?
rp

05/07/2022, 6:16 AM
> i can see that csrftoken is there in the request cookies

This means Django's CSRF is still in play.
Try this:

```python
# Django settings.py
MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.locale.LocaleMiddleware',
    'supertokens_python.framework.django.django_middleware.middleware',
]
```

(I removed `django.contrib.auth.middleware.AuthenticationMiddleware`.)
If it still works, I'd remove everything except for `supertokens_python.framework.django.django_middleware.middleware`, then add things one by one until I hit the issue again.
execreate

05/07/2022, 6:32 AM
Thanks :) I'll try it now.
Okay, so the problem was with the DRF session authentication (which is set by default): it forces the CSRF middleware even if you don't include it in your settings.
rp

05/07/2022, 6:47 AM
I see! Thanks for the info
execreate

05/07/2022, 7:04 AM
By the way, it looks like it's not necessary to remove the CSRF middleware; it's enough to remove `SessionAuthentication` from Django REST Framework.