The setup is django 1.10 DRF, using url('^', include('django.contrib.auth.urls')), for authentication.
I'm upgrading from django 1.8 to 1.10.
The issue is that hitting the password_reset endpoint, with postman for instance, at http://localhost:4200/v1/password_reset/ requires a CSRF token in the cookie, which I do not have.
What am I missing? I tried comparing the login workflow to the password_reset workflow. Both views have the decorator #csrf_protect. But when hitting the login endpoint, in middleware/csrf.py, the login view has the csrf_exempt flag on. Furthermore, when we hit the login endpoint, the backend sends back the csrftoken data for the cookie. Nothing like that happens for password_reset.
Any ideas as to what I'm missing or how I could troubleshoot further?
Related
Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
Origin checking failed - https//:webiste does not match any trusted origins.
In general, this can occur when there is a genuine Cross Site Request Forgery, or when Django’s CSRF mechanism has not been used correctly. For POST forms, you need to ensure:
Your browser is accepting cookies.
The view function passes a request to the template’s render method.
In the template, there is a {% csrf_token %} template tag inside each POST form that targets an internal URL.
If you are not using CsrfViewMiddleware, then you must use csrf_protect on any views that use the csrf_token template tag, as well as those that accept the POST data.
The form has a valid CSRF token. After logging in in another browser tab or hitting the back button after a login, you may need to reload the page with the form, because the token is rotated after a login.
I added csrf_token_origin but it didn't worked for me and currently i am using python 3.11.0
CSRF_TRUSTED_ORIGINS = ['']
I faced the same issue
All i had to do was to install corsheaders using
pip install django-cors-headers
Then add this to your settings.py file under MIDDLEWARE
CSRF_TRUSTED_ORIGINS = ['example.com']
My app has a Django 3.1 backend with django-allauth and dj-rest-auth (actively supported fork of django-rest-auth).
My mobile and web frontends can already sign in using Facebook and Google via REST. I'm now trying to add Salesforce as a 3rd REST social login method, but am running into issues.
I've followed the django-allauth instructions for Salesforce:
Created a Salesforce Connected App with id and openid scopes (along with some others), and set the callback URL to https://www.mywebdomain.com/accounts/salesforce/login/callback/
Created a SocialApplication in Django with client ID, secret, and login URL in the "Key" field (https://login.salesforce.com/)
Included allauth.socialaccount.providers.salesforce in INSTALLED_APPS
I've been using client-side JSforce to kick off the Salesforce auth request in the frontend, but I'm open to other methods if they are simpler/better/etc.
Running jsforce.browser.login() in my clients' JS code opens a Salesforce login popup. After entering Salesforce login credentials, the Salesforce system redirected to my defined callback URL, resulting in a page that shows the following text:
Social Network Login Failure
An error occurred while attempting to login via your social network account.
The URL in the address bar on that page looks something like this:
https://www.mywebdomain.com/accounts/salesforce/login/callback/#access_token=00D3t000004QWRm%21ARwAQPfHWiM6jdB43dlyW6qjEw._34mjzGi_Jv6YCXp0QssT.9F9lCge5_YaH8gqTy3Od6SywCs8X9zOGv145SyviBVeGdn0&instance_url=https%3A%2F%2Fna123.salesforce.com&id=https%3A%2F%2Flogin.salesforce.com%2Fid%2F00D3t000004QWRmEAO%2F0053t000008QBetAAG&issued_at=1606802917608&signature=KvxAX0WBCFQYY%2BO25id9%2FXxpbh2q2d2vWdQ%2FFV5FCBw%3D&state=jsforce0.popup.c0ockgct29g&scope=id+api+web+refresh_token+openid&token_type=Bearer
I tried to debug and print the error in my backend, but both auth_error.code and auth_error.exception were blank/empty.
I also tried sending the access_token from that URL's hash to my Salesforce API endpoint (see below), but that resulted in a 400 error ("Incorrect value").
Here is how I've defined my SocialLoginViews in my views.py, based on dj-rest-auth's social auth documentation:
from dj_rest_auth.registration.views import SocialLoginView
from allauth.socialaccount.providers.facebook.views import FacebookOAuth2Adapter
from allauth.socialaccount.providers.google.views import GoogleOAuth2Adapter
from allauth.socialaccount.providers.salesforce.views import SalesforceOAuth2Adapter
class FacebookLogin(SocialLoginView):
adapter_class = FacebookOAuth2Adapter
class GoogleLogin(SocialLoginView):
adapter_class = GoogleOAuth2Adapter
class SalesforceLogin(SocialLoginView):
adapter_class = SalesforceOAuth2Adapter
My urls.py:
from .views import FacebookLogin, GoogleLogin, SalesforceLogin
urlpatterns = [
...
# Sending access_token to the Facebook and Google REST endpoints works,
# but doing the same for the Salesforce REST endpoint does not (400 error: "Incorrect value")
url(r'^api/rest-auth/facebook/$', FacebookLogin.as_view(), name='fb_login'),
url(r'^api/rest-auth/google/$', GoogleLogin.as_view(), name='google_login'),
url(r'^api/rest-auth/salesforce/$', SalesforceLogin.as_view(), name='salesforce_login'),
...
]
How can Salesforce social auth be made to work in this app?
I figured it out and got it working: when posting to my dj-rest-auth Salesforce API endpoint, I was only including access_token in my POST body. I actually need both access_token and key, where key is the Salesforce login URL ("https://login.salesforce.com").
It was indeed in the django-allauth instructions for Salesforce, but I misinterpreted the wording. I now know that it says to require both access_token and key in the POST body.
I'm trying to access the below URL using HTTPResponseRedirect which is protected by Django_restframework_simplejwt. I would like to redirect to below URL after the signup success, for the email and mobile verification.
http://base_url/acc_verification
Assuming, I do have an access token, Now, How do I set the Authorization token in the request header to load the above page.
Authorization: Token
Python - 3.6.8
Django - 2.2.3
djangorestframework_simplejwt - Latest
I am able to receive a facebook authentication access_token from django-rest-auth by following their instructions in their docs, but it doesn't look like it's a JWT token generated by django-rest-framework-jwt.
I did set REST_USE_JWT = True in settings.py. That's all I've done, I'm not sure if there's anything else I need to do to ensure that the token is being generated by JWT.
I set up an endpoint to verify a jwt token like so:
from rest_framework_jwt.views import obtain_jwt_token, verify_jwt_token
urlpatterns = [
url(r'^api/token-verify/', verify_jwt_token),
]
that's how I'm testing if the access token received by this endpoint
url(r'^rest-auth/facebook/$', views.FacebookLogin.as_view(), name='fb_login'),
is a valid JWT token. When I try to verify the token I get an error Error decoding signature.
On a side note, I noticed when I try to do a POST request to rest-auth/facebook/ API endpoint twice using the same access_token returned by a Facebook login I am receiving a 403 Forbidden from django.
Can someone please explain a bit how to make JWT work with django-rest-auth?
I am using djoser for authorization. i want to logout using djoser - /auth/logout/ but it require token data using POST method.
my URL is,
url(r'^logout/$', "{}/auth/logout/".format(API_URL), {'token':token}),
how do i bind post data into it? and how to call external API from urls.py along with POST data
Note : My djoser was in another django app. i need to do external API call for logout.