Run django api from postman: CSRF verification failed
Solution 1
Try this.
    from django.views.decorators.csrf import csrf_exempt

    class ApiUserRegister(APIView):
        permission_classes = ()
        serializer_class = RegisterUserSerializer

        @csrf_exempt
        def post(self, request):
            serializer = RegisterUserSerializer(data=request.data)
Solution 2
To make AJAX requests, you need to include CSRF token in the HTTP header, as described in the Django documentation.
1st option
Author by
zinon
Ph.D. on adaptive video delivery for real-time applications and mHealth systems.
Updated on June 17, 2022
Comments
-
zinon almost 2 years
I'm trying to run an api using postman. My application is developed in django 1.11.6 using python 3.5. My app is installed on an ubuntu server. I have no login mechanism to create a csrf token.
These are the steps that I follow:
- Click on "import" tab on the upper left side.
- Select the Raw Text option and paste my cURL command.
- Hit import and I have the command in your Postman builder
- Press send button.
My curl command is:
    curl -i -H 'Accept: application/json; indent=4' -X POST https://127.0.0.1/users/:register/ -d "id=111&firstname=zinonas&yearofbirth=2007&lastname=Antoniou&othernames="
The error I get is Forbidden (403) - CSRF verification failed. Request aborted.
When I run the curl command via cygwin, it's working properly.
This is the view function that I'm using:
    class ApiUserRegister(APIView):
        permission_classes = ()
        serializer_class = RegisterUserSerializer

        def post(self, request):
            serializer = RegisterUserSerializer(data=request.data)
            # Check format and unique constraint
            serializer.is_valid(raise_exception=True)
            data = serializer.data

            if User.objects.filter(id=data['id']).exists():
                user = User.objects.get(id=data['id'])
                is_new = "false"
                resp_status = status.HTTP_200_OK
            else:
                user = User.objects.create(id=data['id'],
                                           firstname=data['firstname'],
                                           yearofbirth=data['yearofbirth'],
                                           lastname=data['lastname'],
                                           othernames=data['othernames'])
                user.save()
                is_new = "true"
                resp_status = status.HTTP_201_CREATED

            resp = {"user": serializer.get_serialized(user),
                    "isnew": is_new}
            return Response(resp, status=resp_status)
In settings.py I have:
    REST_FRAMEWORK = {
        'DEFAULT_PERMISSION_CLASSES': (
            'rest_framework.permissions.IsAuthenticated',
        ),
        'DEFAULT_AUTHENTICATION_CLASSES': (
            'rest_framework.authentication.SessionAuthentication',
            'rest_framework.authentication.TokenAuthentication',
            'rest_framework_jwt.authentication.JSONWebTokenAuthentication',
        )
    }
-
zinon over 6 years
Using this I get name 'csrf_exempt' is not defined error.
-
zinon over 6 years
I get error 'function' object has no attribute 'as_view'. In urls.py I have this line:
    url(r':register/$', views.ApiUserRegister.as_view(), name='register-user')
-
zinon over 6 years
No I get the error The keyword argument "name" must be the name of a method of the decorated class: <class 'users.views.ApiUserRegister'>. Got '' instead
-
zinon over 6 years
Unfortunately, no. I set @method_decorator(csrf_exempt, name="post") and now I get once again Forbidden (403) CSRF verification failed. Request aborted.
-
zinon over 6 years
I'm not using jQuery. I created an API to use via an android app.
-
zinon over 6 years
Is braces a module that I can install using pip3?
-
mohammedgqudah over 6 years
pip install django-braces
-
zinon over 6 years
Still no luck CSRF verification failed. Request aborted.
-
mohammedgqudah over 6 years
CsrfExemptMixin should be the first, then APIView
-
zinon over 6 years
Yes, that's what I did.
-
zinon over 6 years
Can you please give me an example?
-
mohammedgqudah over 6 years
try adding authentication_classes = [] to the class
-
LennyLip over 6 years
1. get csrftoken cookie with safe GET query (view can use ensure_csrf_cookie decorator)
2. use csrftoken in new POST query
-
python_user over 6 years
Refer this. stackoverflow.com/questions/12174040/…
-
zinon over 6 years
I'm not using any template.
-
Brian H. over 5 years
The answer does not address Postman, which is a key part of the question.
-
Mohammed Shareef C over 5 years
This is about rest API. So, why bother about CSRF token?
-
LennyLip over 5 years
@MohammedShareefC yes, for android app we don't need CSRF, but security.stackexchange.com/questions/166724/…
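
The two steps from LennyLip's comment (a safe GET that sets the csrftoken cookie, then a POST that sends it back), combined with the header requirement in Solution 2, written for a non-browser client. This is an added example, not code from the thread; `token_url` (a GET view decorated with ensure_csrf_cookie), the helper names and the sample cookie value are assumptions.

```python
# Added example: token_url and the helper names are hypothetical.
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie


def csrf_post_headers(set_cookie_values, post_url, cookie_name="csrftoken"):
    """Build POST headers from the Set-Cookie values of the safe GET (step 1)."""
    jar = SimpleCookie()
    for value in set_cookie_values:
        jar.load(value)
    if cookie_name not in jar:
        raise ValueError("GET response set no %s cookie" % cookie_name)
    token = jar[cookie_name].value
    origin = urllib.parse.urlsplit(post_url)
    return {
        # Django checks the header token against the cookie, so send both.
        "Cookie": "%s=%s" % (cookie_name, token),
        "X-CSRFToken": token,
        # On HTTPS, Django's CSRF check also expects a same-origin Referer.
        "Referer": "%s://%s/" % (origin.scheme, origin.netloc),
    }


def register(token_url, post_url, fields):
    """Step 1: safe GET for the cookie. Step 2: POST carrying the token."""
    with urllib.request.urlopen(token_url) as resp:
        set_cookies = resp.headers.get_all("Set-Cookie") or []
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(
        post_url, data=body, method="POST",
        headers=csrf_post_headers(set_cookies, post_url))
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


# Constructed Set-Cookie value, shaped like the one Django sends.
SAMPLE_SET_COOKIE = ["csrftoken=EXAMPLEtoken123; Path=/"]
SAMPLE_HEADERS = csrf_post_headers(
    SAMPLE_SET_COOKIE, "https://127.0.0.1/users/:register/")
```

In Postman the same three headers can be set by hand on the POST after one GET to the token view.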