Django REST Framework Forbidden CSRF cookie not set - django

I have this view
from rest_framework import parsers, renderers
from rest_framework.authtoken.models import Token
from rest_framework.authtoken.serializers import AuthTokenSerializer
from rest_framework.response import Response
from rest_framework.views import APIView
from .serializers import EmailUserSerializer
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt
#method_decorator(csrf_exempt, name='post')
class ObtainAuthToken(APIView):
throttle_classes = ()
permission_classes = ()
parser_classes = (parsers.FormParser, parsers.MultiPartParser, parsers.JSONParser,)
renderer_classes = (renderers.JSONRenderer,)
serializer_class = AuthTokenSerializer
def post(self, request, *args, **kwargs):
serializer = self.serializer_class(data=request.data)
serializer.is_valid(raise_exception=True)
user = serializer.validated_data['user']
token, created = Token.objects.get_or_create(user=user)
user_serializer = EmailUserSerializer(user)
return Response({'token': token.key, 'user': user_serializer.data})
obtain_auth_token = ObtainAuthToken.as_view()
and this url
urlpatterns = [
url(r'^login/$',views.obtain_auth_token, name='get_auth_token'),
url(r'^login2/$',ObtainAuthToken, name='get_auth_token'),
]
i'm trying posting with postman like this:
127.0.0.1:8000/api/login2/
but i can only receive this error
Forbidden (CSRF cookie not set.): /api/login2/
[02/Jul/2017 22:49:11] "POST /api/login2/ HTTP/1.1" 403 2891
I know there are hundreds of post like this, I searched for a long time a solution but nothing seems working
tryied like this
urlpatterns = patterns('',
url('^login2/$', csrf_exempt(ObtainAuthToken)),
...
)
this
from django.utils.decorators import method_decorator
class LoginView(APIView):
#method_decorator(csfr_exempt)
def dispatch(self, *args, **kwargs):
...
and also this
from django.utils.decorators import method_decorator
#method_decorator(csrf_exempt, name='dispatch')
class LoginView(APIView):
...
and this
#method_decorator(csrf_exempt, name='post')
class ObtainAuthToken(APIView):
throttle_classes = ()
...
#csrf_exempt
def post(self, request, *args, **kwargs):
serializer = self.serializer_class(data=request.data)

You need to use ObtainAuthToken.as_view(). Any APIView automatically uses csrf_exempt() (and explicitly checks the CSRF token if you're using SessionAuthentication), but that won't work if you're not using .as_view(). You don't have to explicitly use csrf_exempt on top of what APIView does.
I'm not sure why you're not using the first url, /login/, but if you're having issues with that url, you're going the wrong way fixing them.
On a side note: csrf_exempt sets an attribute on the function. As such, using it on post() has absolutely no effect, since the middleware won't check the attributes on the post() method. You need to use it on the dispatch() method or as csrf_exempt(ObtainAuthToken.as_view()).

Related

Django Testing for Login and token collection

Trying to write test for Django login. I want to request to login, collect token and access different view functions. How do I write a test in python for this.
It depends on your authentication system, if you use Django default auth, you can just use its helper method login(**credentials) or force_login https://docs.djangoproject.com/en/4.1/topics/testing/tools/#django.test.Client.login
If you use Django Rest Framework with additional 3rd auth system you can use its testing class
from rest_framework.test import APITestCase
class TestMyProtectedView(APITestCase):
def setUp(self) -> None:
self.client.login(user, password)
def test_view(self):
# now you can access your view with logged-in user in setUp
response = self.client.get('/api/views/')
Just like described in Django and DRF documentations. It would be something like:
tests.py
from django.test import TestCase
from django.urls import reverse
from django.contrib.auth import get_user_model
from rest_framework.authtoken.models import Token
from rest_framework.test import APIClient
from rest_framework import status
# Create your tests here.
class UserLoginTestCase(TestCase):
def setUp(self):
self.client = APIClient()
self.admin_user = get_user_model().objects.create_superuser(
email='admin#example.com',
password='testpass123',
)
def test_user_create_or_collect_token(self):
"""User check token created if in post save signal format"""
token = Token.objects.get(user__email=self.admin_user.email)
self.assertTrue(token.key)
def test_user_authenticated(self):
"""Check if user is authenticated"""
token = Token.objects.get(user__email=self.admin_user.email)
self.client.credentials(HTTP_AUTHORIZATION='Token ' + token.key)
r = self.client.get(reverse('user:me'))
self.assertEqual(r.status_code, status.HTTP_200_OK)
def test_user_login(self):
"""test user login"""
url = reverse('user:login')
data = {
'username': 'admin#example.com',
'password': 'testpass123'
}
r = self.client.post(url, data, format='json')
self.assertEqual(r.status_code, status.HTTP_200_OK)
self.assertTrue(r.data['token'])
urls.py
from .api.views import CustomAuthToken, UserAuthenticated
from django.urls import path
app_name = 'user'
urlpatterns = [
path('login/', CustomAuthToken.as_view(), name='login'),
path('me/', UserAuthenticated.as_view(), name='me'),
]
views.py
from rest_framework.views import APIView
from rest_framework.authtoken.views import ObtainAuthToken
from rest_framework.authtoken.models import Token
from rest_framework.response import Response
from rest_framework import authentication, permissions
from core.models import User
class CustomAuthToken(ObtainAuthToken):
def post(self, request, *args, **kwargs):
serializer = self.serializer_class(data=request.data,
context={'request': request})
serializer.is_valid(raise_exception=True)
user = serializer.validated_data['user']
token, created = Token.objects.get_or_create(user=user)
return Response({
'token': token.key,
'user_name': user.name,
'email': user.email
})
class UserAuthenticated(APIView):
queryset = User.objects.all()
authentication_classes = [authentication.TokenAuthentication]
permission_classes = [permissions.IsAdminUser]
def get(self, request):
""" Check if user is authenticated by checking token against db """
is_authenticated = True
return Response({'isAuthenticated': is_authenticated})
Usually, tests are written for both positive and negative outcomes.
Note that in this case in particular I have a custom user model, and also extended the built-in ObtainAuthToken view.

How do I return a 401 response in a SimpleJWT Custom Token when using the Django Rest Framework?

I would like to return a 401 message if the user is not enabled. When I try returning a response instead of a token it doesn't work which I understand to be because the serializer is expecting the token. How do I customise it to send a 401 response if the user is not enabled please?
My custom token class is as below:
from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
from rest_framework_simplejwt.views import TokenObtainPairView
from rest_framework import status
from rest_framework.response import Response
class CustomTokenObtainPairSerializer(TokenObtainPairSerializer):
#classmethod
def get_token(cls, user):
if user.is_enabled:
token = super().get_token(user)
# Add custom claims
token['name'] = user.name
token['gender'] = user.gender
return token
else:
return Response({'detail':'Account not enabled'}, status=status.HTTP_401_UNAUTHORIZED)
class CustomTokenObtainPairView(TokenObtainPairView):
serializer_class = CustomTokenObtainPairSerializer
The URL root looks like:
re_path(r'^authenticate/',CustomTokenObtainPairView.as_view(), name='authenticate'),
This is what works for me, it's a simple solution and gives me the result I need which is why I'm posting this as an answer.
from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
from rest_framework_simplejwt.views import TokenObtainPairView
from rest_framework import status
from rest_framework.response import Response
from rest_framework_simplejwt.exceptions import InvalidToken
class CustomTokenObtainPairSerializer(TokenObtainPairSerializer):
#classmethod
def get_token(cls, user):
if user.is_enabled:
token = super().get_token(user)
# Add custom claims
token['name'] = user.name
token['gender'] = user.gender
return token
else:
raise InvalidToken("User is not enabled.")
You can return some symbol like None in Python from get_token if the user is not enabled and then override the get method of CustomTokenObtainPairView to return 401 if the value of get_token is None.
EDIT: Found a better way, move the check of is_enabled to the post request from the serializer. Below is the code.
class CustomTokenObtainPairSerializer(TokenObtainPairSerializer):
#classmethod
def get_token(cls, user):
token = super().get_token(user)
# Add custom claims
token['name'] = user.name
token['gender'] = user.gender
return token
from rest_framework.permissions import IsAuthenticated
class CustomTokenObtainPairView(TokenObtainPairView):
permission_classes = [IsAuthenticated]
serializer_class = CustomTokenObtainPairSerializer
def post(self, request, *args, **kwargs):
is self.request.user.is_enabled:
return super().post(request, *args, **kwargs)
else:
return Response({'detail':'Account not enabled'}, status=status.HTTP_401_UNAUTHORIZED)

Django rest framework model viewset extra action responding always "Not found" error

why does setting customize actions for the model view set is not working well?
from topbar.models import TopBar
this is the relevant part in viewset code:
from rest_framework import viewsets
from rest_framework.decorators import action
from rest_framework import permissions
from rest_framework.exceptions import NotAcceptable
from rest_framework.response import Response
from rest_framework.decorators import action
from topbar.serializers import TopBarSerializer
class TopBarSet(viewsets.ModelViewSet):
"""
API endpoint from top bar content
"""
queryset = TopBar.objects.all()
serializer_class = TopBarSerializer
permission_classes = [permissions.IsAuthenticated]
http_method_names = ['get', 'post', 'put']
#action(detail=True, methods=['get'])
def set_topbar(self, request):
return Response({'status': 'topbar set'})
I'm using routing exactly like the documentation:
router = routers.DefaultRouter()
router.register(r'topbar', TopBarSet, basename='topbar')
You have set detail=True in the route hence DRF will create a detail view route for you and it needs an identifier like a primary key.
So, set detail=False
class TopBarSet(viewsets.ModelViewSet):
queryset = TopBar.objects.all()
serializer_class = TopBarSerializer
permission_classes = [permissions.IsAuthenticated]
http_method_names = ['get', 'post', 'put']
#action(detail=False, methods=['get'])
def set_topbar(self, request):
return Response({'status': 'topbar set'})
Now, try the URL topbar/set_topbar/ to access the custom route.

How do I combine multiple models into a single serializer?

it was necessary to combine several models(4) in one serializer, but there were problems with the implementation.
urls.py
from django.urls import path
from .views import FiltersView
urlpatterns = [
path('filters/' FiltersView.as_view(), name='Filters')
]
views.py
from rest_framework import views
from rest_framework.response import Response
from rest_framework.status import HTTP_200_OK
from .serializers import FiltersSerializers
class FiltersView(views.APIView):
def get(self, request, *args, **kwargs):
filters = {}
filters['model_1'] = Model1.objects.all()
filters['model_2'] = Model2.objects.all()
filters['model_3'] = Model3.objects.all()
serializer = FiltersSerializers(filters, many=True)
return Response (serializer.data, status=HTTP_200_OK)
serializers.py
from rest_framework import serializers
class FiltersSerializers(serializers.Serializer):
model_1 = Model1Serializers(read_only=True, many=True)
model_2 = Model2Serializers(read_only=True)
model_3 = Model3Serializers(read_only=True)
But on the output I get:
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
[
{},
{},
{}
]
What could be the problem?
The way you are providing data to your serializer, many=True is not correct argument for it. Its a single object that you are passing to your serializer. Your view should be like this.
class FiltersView(views.APIView):
def get(self, request, *args, **kwargs):
filters = {}
filters['model_1'] = Model1.objects.all()
filters['model_2'] = Model2.objects.all()
filters['model_3'] = Model3.objects.all()
serializer = FiltersSerializers(filters)
return Response (serializer.data, status=HTTP_200_OK)

How do you return 404 when resource is not found in Django REST Framework

When a user inputs a url that is wrong, my Django app returns an HTML error. How can I get DRF to return a json formatted error?
Currently my urls is
from django.conf.urls import url
from snippets import views
urlpatterns = [
url(r'^snippets/$', views.snippet_list),
url(r'^snippets/(?P<pk>[0-9]+)/$', views.snippet_detail),
]
but if a user goes to 127.0.0.1:8000/snip They get the html formatted error rather than a json formatted error.
Simply way to do it, you can use raise Http404, here is your views.py
from django.http import Http404
from rest_framework import status
from rest_framework.response import Response
from rest_framework.views import APIView
from yourapp.models import Snippet
from yourapp.serializer import SnippetSerializer
class SnippetDetailView(APIView):
def get_object(self, pk):
try:
return Snippet.objects.get(pk=pk)
except Snippet.DoesNotExist:
raise Http404
def get(self, request, pk, format=None):
snippet = self.get_object(pk)
serializer = SnippetSerializer(snippet)
return Response(serializer.data, status=status.HTTP_200_OK)
You also can handle it with Response(status=status.HTTP_404_NOT_FOUND), this answer is how to do with it: https://stackoverflow.com/a/24420524/6396981
But previously, inside your serializer.py
from rest_framework import serializers
from yourapp.models import Snippet
class SnippetSerializer(serializers.ModelSerializer):
user = serializers.CharField(
source='user.pk',
read_only=True
)
photo = serializers.ImageField(
max_length=None,
use_url=True
)
....
class Meta:
model = Snippet
fields = ('user', 'title', 'photo', 'description')
def create(self, validated_data):
return Snippet.objects.create(**validated_data)
To test it, an example using curl command;
$ curl -X GET http://localhost:8000/snippets/<pk>/
# example;
$ curl -X GET http://localhost:8000/snippets/99999/
Hope it can help..
Update
If you want to handle for all error 404 urls with DRF, DRF also provide about it with APIException, this answer may help you; https://stackoverflow.com/a/30628065/6396981
I'll give an example how do with it;
1. views.py
from rest_framework.exceptions import NotFound
def error404(request):
raise NotFound(detail="Error 404, page not found", code=404)
2. urls.py
from django.conf.urls import (
handler400, handler403, handler404, handler500)
from yourapp.views import error404
handler404 = error404
Makesure your DEBUG = False
from rest_framework import status
from rest_framework.response import Response
# return 404 status code
return Response({'status': 'details'}, status=status.HTTP_404_NOT_FOUND)
An easier way is to use get_object_or_404 method in django:
as described in this link:
get_object_or_404(klass, *args, kwargs)
- Calls get() on a given model manager, but it raises Http404 instead of the model’s DoesNotExist exception.
- klass: A Model class, a Manager, or a QuerySet instance from which to get the object.
As an example, pay attention to
obj = get_object_or_404(Snippet, pk=pk)
return obj
in the following code:
from django.shortcuts import get_object_or_404
from snippets.models import Snippet
from snippets.serializers import SnippetSerializer
from rest_framework.views import APIView
from rest_framework.response import Response
class SnippetDetail(APIView):
"""
Retrieve, update or delete a snippet instance.
"""
def get_object(self, pk):
obj = get_object_or_404(Snippet, pk=pk)
return obj
def get(self, request, pk, format=None):
snippet = self.get_object(pk)
serializer = SnippetSerializer(snippet)
return Response(serializer.data)
...
Or simply, you can use the same structure of DRF, without losing I18N and keep the same DRF error message:
from rest_framework import viewsets, status, exceptions
from rest_framework.decorators import action
from rest_framework.response import Response
try:
codename = get_or_bad_request(self.request.query_params, 'myparam')
return Response(self.get_serializer(MyModel.objects.get(myparam=codename), many=False).data)
except MyModel.DoesNotExist as ex:
exc = exceptions.NotFound()
data = {'detail': exc.detail}
return Response(data, exc.status_code)