CSRF protection for Django and Angular application - django

I have an application with Django in the backend and Angular in the frontend. I am serving the application through Django. I want to write an API in Django to perform edits on an Angular form. For now I have written the API using the @csrf_exempt decorator on top of the view. But now I want to remove the @csrf_exempt decorator and protect it from CSRF.
How should I proceed with this?
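The check the asker wants to keep is Django's double-submit cookie scheme: the server sets a `csrftoken` cookie, and every state-changing request must echo that value back in the `X-CSRFToken` header (or the `csrfmiddlewaretoken` form field), which a cross-site page cannot do because it cannot read the cookie. The model below is an added example, not code from the question or from Django itself: it reproduces the core comparison in plain Python so it runs offline, and it leaves out what the real `CsrfViewMiddleware` adds on top (token masking, the Origin/Referer check on HTTPS). The cookie and header names are Django's documented defaults; `angular_style_headers` stands in for what Angular's `HttpClientXsrfModule` does when configured with those names.

```python
import hmac
import secrets

# Django's documented defaults for CSRF_COOKIE_NAME and CSRF_HEADER_NAME
# (the header is seen by the app as HTTP_X_CSRFTOKEN, sent as X-CSRFToken).
CSRF_COOKIE_NAME = "csrftoken"
CSRF_HEADER_NAME = "X-CSRFToken"

# Methods the middleware treats as safe and never checks.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_csrf_token() -> str:
    """Mint a random token; the server sets it as the csrftoken cookie on a GET
    (in Django the view serving the Angular index does this, e.g. via
    the ensure_csrf_cookie decorator)."""
    return secrets.token_hex(32)


def csrf_check(method: str, cookies: dict, headers: dict) -> bool:
    """Simplified double-submit check modelled on CsrfViewMiddleware.

    Safe methods pass. For anything else the token in the request header
    must be present and equal (compared in constant time) to the cookie.
    A forged cross-site POST carries the cookie (the browser attaches it)
    but not the header, because the attacker's page cannot read the cookie.
    """
    if method.upper() in SAFE_METHODS:
        return True
    cookie_token = cookies.get(CSRF_COOKIE_NAME)
    header_token = headers.get(CSRF_HEADER_NAME)
    if not cookie_token or not header_token:
        return False
    return hmac.compare_digest(cookie_token, header_token)


def angular_style_headers(cookies: dict) -> dict:
    """Stand-in for Angular's XSRF interceptor: read the cookie named in
    HttpClientXsrfModule.withOptions({cookieName: 'csrftoken',
    headerName: 'X-CSRFToken'}) and copy it into that header on
    mutating, relative-URL requests."""
    token = cookies.get(CSRF_COOKIE_NAME)
    return {CSRF_HEADER_NAME: token} if token else {}


def demo() -> dict:
    """Run the four cases a practitioner wants to see side by side."""
    token = issue_csrf_token()
    cookies = {CSRF_COOKIE_NAME: token}  # constructed browser cookie jar
    return {
        # Angular form submit from the same origin: header mirrors cookie.
        "angular_post": csrf_check("POST", cookies, angular_style_headers(cookies)),
        # Cross-site forgery: cookie rides along, header is absent.
        "forged_post_no_header": csrf_check("POST", cookies, {}),
        # Attacker guesses a token: constant-time compare rejects it.
        "forged_post_wrong_token": csrf_check(
            "POST", cookies, {CSRF_HEADER_NAME: issue_csrf_token()}
        ),
        # Reads are never checked.
        "plain_get": csrf_check("GET", cookies, {}),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

On the Django side this means: drop `@csrf_exempt`, leave `CsrfViewMiddleware` enabled, make sure the view that serves the Angular `index.html` sets the cookie (the `ensure_csrf_cookie` decorator does that), and keep `CSRF_COOKIE_HTTPONLY` at its default of `False`, otherwise the browser will not let Angular read the cookie. On the Angular side, `HttpClientXsrfModule` only adds the header to requests with relative URLs, so call the API as `/api/...` rather than with an absolute `http://...` URL.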

Related

Postman with Django REST and AngularJS

I have a Django REST framework API which is accessed with an AngularJS frontend.
If I had a Django App called models, I could simply request its data in Postman simply by sending a GET to the URL localhost:8000/models/.
But since everything is routed through AngularJS and every Django App has multiple Controllers, that doesn't work. The GET on localhost:8000/models/ returns just the index.html, the entry point of the AngularJS.
So how can I achieve to send GET, POST etc. to the API?
BTW: I managed to get an X-CSRFToken by sending a POST to http://localhost:8000/api/auth/login/ with login and password keys and values. That URL was included in the Django project's urls.py as urlpatterns.
No such urlpattern for the App models, or any other Django App, though.

Django rest_api and React

I am creating an app using Django and React. I have created a custom user model API in Django using rest-framework, but I am confused about the whole login and signup system. Do we create login and signup modules in Django or React?
Can anyone please guide me through it, or suggest any tutorial?
You create the templates (login, signup, etc. pages) in React and connect them to DRF. There are multiple ways to perform authentication. Take a look at the Authentication docs on DRF: https://django-rest-framework.org/api-guide/authentication

Django Authentication and ReactJS Templates

I have an existing login template served by django templates and it has no react components at all. I have recently integrated ReactJS and have created some routes and components and pages that are completely react. Now I am wondering how to get a user to login through the django template and then be redirected to the ReactJS page afterwards and pass on all the authentication/user information to ReactJS as well.
In Django, I am using the session authentication middleware.
I have done that just by allowing an open URL to my component, something like ".../app/*". But this is inside a template in Django as a bundle. What I do is bind the view with LoginRequired from django-braces. So, if I want to see my app, I have to be authenticated. I hope this could help you.

Check django user outside django

I have one django app and few small Flask webservices.
In the Flask apps I need to validate whether the client is logged in to the Django app and grab his pk if possible.
It seems to be possible by taking session ID from a cookie and manually looking into session storage, but I am looking for some less low-level solution.
You need to build a REST api to do that. In the api on the django side you would query the user by whatever criteria you provided and return user.is_authenticated() and user.pk. Take a look at django-rest-framework or tastypie. Then on Flask app you just hit the api and you are done.

Using Django Rest Framework for only certain apps inside Django Application

I'm not sure if this is possible since an extensive search gave me nothing. Or I might be searching the wrong terms.
Now I have a few apps inside my Django application as follows:
--AppOne
--AppTwo
--ExtendedAdmin
manage.py
Now, AppOne and AppTwo use Django Rest Framework and its related Token Auth mechanism. For the ExtendedAdmin, I'd like to use native Django Auth or even SessionAuth of DRF since I'm trying to add quite an extensive admin panel to the application. I've not been able to find a satisfactory way of customizing Django Rest Framework to use its auth mechanisms only for certain applications. Is there a way to do this? If not, what should I be doing differently?
So far, I know you cannot. Because django rest framework intercepts the url and then performs its own logic of token validation. But there are solutions that you can use to keep both Session and Token Authentication.
I am using this for all my projects -
I keep Session Authentication for all urls that will be accessed for normal browsing
and I use api urls with django rest framework to be prefixed with /api for my api urls
For example -
The Session Based login is at http://<host>/account/login
and TokenBased login is at http://<host>/api/account/login
The easiest way to make prefixed url for django rest framework is by using Routers - http://www.django-rest-framework.org/api-guide/routers/#defaultrouter
Example -
from rest_framework import routers
from rest_framework.viewsets import ModelViewSet

class UserViewSet(ModelViewSet):  # just a sample view set
    ...

# Registering with an 'api/' prefix puts every generated route under /api/
router = routers.SimpleRouter()
router.register(r'api/users', UserViewSet)