djangocsrfgoogle-cloud-endpoints

csrf_exempt set but CSRF Failed: Referer checking failed - no Referer

I have a backend API, it's in django and deployed on Google Endpoint. I have a post request that insert data to my DB.

I created a script to use this endpoint but I got this error:

{"detail":"CSRF Failed: Referer checking failed - no Referer."}

Regarding over posts I added the crsf_exempt decorator to my class but it did not change.
I try to add the decorator two ways:

class AddUser(APIView):
    """ Create user and company from csv """

    @method_decorator(csrf_exempt)
    def post(self, request):


@method_decorator(csrf_exempt, name='dispatch')
class AddUser(APIView):
    """ Create user and company from csv """

    def post(self, request):

But both failed.

This is how I contact my endpoint:

resp = requests.request(
    method, url,
    headers={'Authorization': 'Bearer {}'.format(
        open_id_connect_token)}, **kwargs)

Any ideas ? Thanks

EDIT

So I tried to add authentication classes to my views but it appears to be a bad idea. This is being real trouble for me.

I tried to get the csrftoken doing like this:

        client = requests.session()
        # Retrieve the CSRF token first
        client.get(url)  # sets cookie
        print(client.cookies)
        if 'csrftoken' in client.cookies:
            # Django 1.6 and up
            csrftoken = client.cookies['csrftoken']
        else:
            # older versions
            csrftoken = client.cookies

Thing is, I am using IAP to protect my API and I do not have any csrftoken cookie but I do have a something looking like this:

<RequestsCookieJar[<Cookie GCP_IAP_XSRF_NONCE_Q0sNuY-M83380ypJogZscg=1 for ...

How can I use this to make post request to my API ?

Solution

  • So after working on this project for a while this is what I learned regarding the CSRF using Django.

    First of all, if you are using django templates, or in any cases where your back-end and front-end are running behind the same server the most common practice is to use session for authentication. This is activated by default by DRF.
    This means that in your DRF configuration if you do not explicitly set the DEFAULT_AUTHENTICATION_CLASSES option default authentication will be set to Session + BasicAuth.
    In this configuration you'll need to manage the CSRF token as described in the documentation (https://docs.djangoproject.com/en/4.0/ref/csrf/).

    If your back-end and front-end are separated as in my case, using CSRF is not the only solution or even the recommended one. As in my case I use JWT behind IAP (Identity Aware Proxy, provided by google). I had to write my own authentication classes and then use it in my DRF conf:

    REST_FRAMEWORK = {

    'DEFAULT_AUTHENTICATION_CLASSES': [
      'main.authentication_backend.custom_auth.IAPAuthentication'],
    ...

}

    Here is explain how to write your own authentication class: https://www.django-rest-framework.org/api-guide/authentication/#custom-authentication.