Django REST framework JWT 403 forbidden - django

I've gone through the installation steps in the django-rest-framework-jwt docs and I am unable to run the curl $ curl -X POST -d "username=admin&password=abc123" http://localhost:8000/api-token-auth/. I CANNOT get back the token! Instead I got back CSRF cookie error:
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta name="robots" content="NONE,NOARCHIVE">
<title>403 Forbidden</title>
</head>
<body>
<div id="summary">
<h1>Forbidden <span>(403)</span></h1>
<p>CSRF verification failed. Request aborted.</p>
<p>You are seeing this message because this site requires a CSRF cookie when submitting forms. This cookie is required for security reasons, to ensure that your browser is not being hijacked by third parties.</p>
<p>If you have configured your browser to disable cookies, please re-enable them, at least for this site, or for 'same-origin' requests.</p>
</div>
<div id="info">
<h2>Help</h2>
<p>Reason given for failure:</p>
<pre>CSRF cookie not set.</pre>
<p>In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django's CSRF mechanism has not been used correctly. For POST forms, you need to ensure:</p>
<ul>
<li>Your browser is accepting cookies.</li>
<li>The view function passes a <code>request</code> to the template's <code>render</code> method.</li>
<li>In the template, there is a <code>{% csrf_token %}</code> template tag inside each POST form that targets an internal URL.</li>
<li>If you are not using <code>CsrfViewMiddleware</code>, then you must use <code>csrf_protect</code> on any views that use the <code>csrf_token</code> template tag, as well as those that accept the POST data.</li>
</ul>
<p>You're seeing the help section of this page because you have <code>DEBUG = True</code> in your Django settings file. Change that to <code>False</code>, and only the initial error message will be displayed. </p>
<p>You can customize this page using the CSRF_FAILURE_VIEW setting.</p>
</div>
</body>

Related

After changing password don't redirect my desired page in django

path('password_change/done/', auth_views.PasswordChangeDoneView.as_view(template_name='registration/password_change_done.html'),
name='password_change_done'),
path('password_change/', auth_views.PasswordChangeView.as_view(template_name='registration/password_change.html'),
name='password_change'),
Here is my two url path. After changing password the new url should be 'password_change/done/' and should show some thing that is in template.
but when I change my password it goes to 'password_change/done/' url but shows something that is default in django saying password change succesful does not show login link that is in template. How can I fix this?
here is my template:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<div class="container">
<div class="d-flex flex-column">
<p class="m-auto">Your password has been set. You may go ahead and Login in now.</p>
</div>
</div>
</body>
</html>
You can read the documentations where you can find the correct path for the built in auth system
Django Docs
in your case your urls should be changed to this
path('accounts/password_change/done/', auth_views.PasswordChangeDoneView.as_view(template_name='registration/password_change_done.html'),
name='password_change_done'),
path('accounts/password_change/', auth_views.PasswordChangeView.as_view(template_name='registration/password_change.html'),
name='password_change'),
#you need also to add this to the urlpatterns of your project
path('accounts/', include('django.contrib.auth.urls')),

Forbidden 403 : CSRF Validation failed error in Firefox, not in chrome

I have a webpage with more than 1 form with POST. I have included {% csrf_token %} in each of the forms.
<form class="form-horizontal clearfix" role="form" id="Form1" method="post"> {% csrf_token %}
In my view I have used bot ensure_csrf_cookie and csrf_protect decorators
#ensure_csrf_cookie
#csrf_protect
#operation('monitor')
def monitor(request, **kwargs):
The first POST request fetches some details from the backend and displays it in the UI. After that, some data is requested from the user and then the second form is submitted.
In firefox: When I first load the page and after the first post the csrftoken is X. For the second post request also, the csrftoken cookie is the same. But once the error is thrown, the csrf cookie changes to a different value. If I refresh the page after that, csrftoken remains the same and if I post the request again it succeeds. I have also verified that the form has the hidden value csrfmiddlewaretoken. This matches the cookie. I don't see any 404 for favicon when the page is loaded. This was there before. But I fixed that and chrome started working.
In chrome: This is working.
Any pointers on how to solve this?
It was the favicon.ico not found error. I added this in my base.html.
<link rel="shortcut icon" type="image/png" href="{% static "tools/ico/favicon.ico" %}"/>
Reference: https://code.djangoproject.com/ticket/28488#comment:22

My django blogging apps facebook share buttonposts wrong images

I currently have a blogging app hosted on heroku with a facebook share button. I googled read some post hear and other sites and came to the conclusion that I'm supposed to use meta tags in my head. So after running my url through the facebook url debugger and seeing these results
Inferred Property The 'og:image' property should be explicitly provided, even if a value can be inferred from other tags.
Inferred Property The 'og:url' property should be explicitly provided, even if a value can be inferred from other tags.
Inferred Property The 'og:title' property should be explicitly provided, even if a value can be inferred from other tags.
Inferred Property The 'og:image' property should be explicitly provided, even if a value can be inferred from other tags.
Share App ID Missing The 'fb:app_id' property should be explicitly provided, Specify the app ID so that stories shared to Facebook will be properly attributed to the app. Alternatively, app_id can be set in url when open the share dialog.
I did this
{% block fb_meta %}
<!- Search for these meta tags -->
<meta property="og:title" content="{{ post.title }}" />
<meta property="og:image" content="{{ post.image_url }}" />
<meta property="og:description" content="{{post.body}}">
<meta property="og:site_name" content="ysite"/>
<meta property="og:url" content="http:mysitedotcom{{ post.get_absolute_url }}" />
<meta property="og:type" content="article" />
<meta property="og:locale" content="en_US" />
<!-- Author info -->
<meta property="article:author" content="https://www.facebook.com/profile.php?id=100013675372228" />
<meta property="article:publisher" content="https://www.facebook.com/profile.php?id=100013675372228" />
<!-- End -->
{% endblock fb_meta %}
on my detail page and this in my head
{% block fb_meta %}
{% endblock fb_meta %}
It still does not work and shows the wrong pic, even after I deleted it. And when I check my console everything shows in the tags
like this
What is my issue? thanks for all help
EDIT this is the out put when I enter a url at facebook debugger
another question does order matter?
the following has been working for me. I have been fetching new scrape information which has the effect of updating the pic and for others who mayneed this info in the future the following is from the face book docs
Pre-cache the image with the URL Debugger
Run the URL through the URL debugger to pre-fetch metadata for the page. You should also do this if you update the image for a piece of content.
Use og:image:width and og:image:height Open Graph tags
Using these tags will specify the image to the crawler so that it can render it immediately without having to asynchronously.

SOAP UI - 403 Error - You don't have permission to access /my-webservices/serviceName/ on this server

I sent a SOAP webservice request using SOAP UI and I got this error.
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title>403 Forbidden</title>
</head>
<body>
<h1>Forbidden</h1>
<p>You don't have permission to access /paga-webservices/businessService/on this server.</p>
</body>
</html>
The issue was: SOAP-UI added a port number (443) to the URL like
https://example.com:443/my-webservices/serviceName
Hence, removing the port number with the colon (:) solved the issue.
https://example.com/my-webservices/serviceName

Facebook Admin Link Missing

I recently created a facebook application for integrating a domain's webpages with facebook.
But I can't figure out why the Admin Link will not show on the webpage whilst logged into fb as the admin.
Reading the developer documentation can be a little confusing since there seem to be various methods of implementing the code required on each webpage. It is difficult to determine which namespace matches with which way to load the SDK and with which markup method.
I am attempting to do this for HTML5.
<!DOCTYPE HTML>
<!-- Whilst I have found many html namespace modifications for XFBML methods I did not see any requirements for html5 an d the following method -->
<html>
<!-- The head og namespace is taken from the fb developers app > open graph > object types > get code link -->
<head prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb# video: http://ogp.me/ns/video#">
<title>test</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<!-- The meta properties are also taken from the fb developers app > open graph > object types > get code link -->
<meta property="fb:app_id" content="APP ID NUMBER"/>
<meta property="og:type" content="video.movie" />
<meta property="og:url" content="http://www.domain.com/page.html"/>
<meta property="og:title" content="TITLE"/>
<meta property="og:description" content="DESCRIPTION."/>
<meta property="og:image" content="http://www.domain.com/og_thumb.jpg" />
<!-- The meta property here was not included with the above but is required according to https://developers.facebook.com/docs/reference/plugins/like/ -->
<meta property="og:site_name" content="SITE NAME" />
</head>
<body>
<!-- The following is the code given when using the "like" code generator from this page https://developers.facebook.com/docs/reference/plugins/like/ and selecting the "HTML5" option -->
<div id="fb-root"></div>
<script>(function(d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s); js.id = id;
js.src = "//connect.facebook.net/en_GB/all.js#xfbml=1&appId=APP ID NUMBER";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>
<div class="fb-like" data-href="http://www.domain.com/page.html" data-send="true" data-layout="button_count" data-width="0" data-show-faces="false" data-font="arial"></div>
</body>
</html>
Whilst logged in as the admin user of the fb app I am able to visit the admin for the page by looking up the page name/id and append them to a url like so:
http://www.facebook.com/pages/TITLE-OF-PAGE/GRAPH-ID-NUMBER
I noticed this bug that seems related:
https://developers.facebook.com/bugs/178579068908181/
I understand that when using fb:admins the admin must "like" a page before being able to see the Admin Link.
However I am assuming that when using fb:app_id that it should not be necessary to "like" the page.
What am I missing to enable the Admin Link for the webpage ?
You should use both fb:app_id and fb:admins in the OG Markup. Don't forget to use the debug tool to scrape the page again so facebook knows that the details have changes. The admin link will only show if you have the fb:admins on the page.
You don't have to like the page, you could always wait for a user to like the page. Facebook will then create the associated page once it has enough likes and the admin link will appear correctly.