Is this what you are looking for:

        https://docs.djangoproject.com/en/1.9/ref/csrf/

François


> On May 21, 2016, at 10:09 AM, Chris Troutner <chris.trout...@gmail.com> wrote:
> 
> Yes, you're right that there is something confusing going on. I confess I 
> don't know much about CSRF or authentication or Django. Because of that, I'm 
> sure I presented it in a confusing way. That's all Bob's side of the stuff. 
> 
> I'm just trying to get my front end JavaScript to interact with the Django 
> server side API and the key to doing that is to pass in the CSRF token in a 
> way that makes Django happy. So far, I haven't figured out how to do that.
> 
> -Chris
> 
> 
> On Saturday, May 21, 2016 at 2:16:17 AM UTC-7, Daniel Roseman wrote:
> On Saturday, 21 May 2016 02:36:15 UTC+1, Chris Troutner wrote:
> Hey all,
> 
> This is my first time posting to the group. I'm working with Bob Hagan on the 
> Network Resource Planning (NRP) project. The platform runs on Django and he's 
> been using the REST API app to open up ports to some of the pieces of the 
> software. Right now we're working on an interface for creating new users, 
> which requires the passing of a CSRF token for authentication. I'm having a 
> heck of a time and we can't figure out if the issue is something set up on 
> the server or on my front end code. I'm hoping that the issue might be 
> obvious to someone here. 
> 
> First of all, you can access the Django API code in the repository code here:
> https://github.com/valnet/valuenetwork/tree/master/valuenetwork/api
> 
> My front end code is written in JavaScript and can be viewed in its own 
> repository here:
> https://github.com/christroutner/rpiovn/blob/unstable/public/js/app/views/NRPUsersView.js
> 
> This video gives a visual overview of the user interface and the general 
> issues I'm experiencing:
> https://youtu.be/vaYCLmsi_hM
> 
> 
> NRPUsersView.js is a Backbone.js View file. If that doesn't mean anything to 
> you, that's OK. The important thing to notice is the three different ways I 
> tried to access the API.
>       • I use JavaScript to fill out an HTML form. This is currently the only 
> way that works at the moment.
> 
>       • A typical AJAX POST submission
> 
>       • A JavaScript Virtual Form using the FormData object.
> Method 3 should be identical to method 1 as far as the server is concerned, 
> but the HTTP headers are slightly different. Like I said, methods 2 and 3 are 
> not working out. I've tweaked the code every which way and I always get a 
> "403 FORBIDDEN Authentication credentials were not provided" message.
> 
> According to this Django documentation, there are three possible locations to 
> put the CSRF token:
>       • In the document.cookie
> 
>       • In the HTTP header preceded by "X-CSRFToken"
> 
>       • And a hidden input field in the form
> 
> I've tried every combination of the three options for passing the CSRF token 
> and haven't had any luck.
> 
> 
> Has anyone had experience implementing this type of API authentication with 
> Django before? Any help you can provide would be appreciated.
> 
> 
> There's something a bit confused here. CSRF is not for authentication, and 
> has nothing to do with it at all; it's a method of preventing a certain class 
> of hack that would permit an attacker to hijack a user's session credentials. 
> It really can't be used to authenticate a user for your API; there are plenty 
> of other token-based ways of doing this.
> -- 
> DR.
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to django-users+unsubscr...@googlegroups.com.
> To post to this group, send email to django-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-users.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/django-users/1c7788e8-1567-4dcd-9cac-24a518ab7efa%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
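As an added example (not code from the thread, the NRP project, or the linked docs page), here is the pattern that Django CSRF page describes, written for fetch(): read the csrftoken cookie and send it as the X-CSRFToken header on unsafe methods, with same-origin credentials so the session cookie that actually authenticates the user is sent too. The cookie name, header name and the sample cookie string are assumptions and constructed values, not taken from the thread.

```javascript
// Added example, not from the thread or the NRP project. Follows the
// cookie-to-header pattern in https://docs.djangoproject.com/en/1.9/ref/csrf/
// Assumes Django's default cookie name "csrftoken" and header "X-CSRFToken".

// Methods the CSRF middleware does not check (they must be side-effect free).
const CSRF_SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];

// Extract one cookie value from a document.cookie-style string.
// cookieString is optional; in a browser it defaults to document.cookie.
function getCookie(name, cookieString) {
  const source = cookieString !== undefined
    ? cookieString
    : (typeof document !== 'undefined' ? document.cookie : '');
  if (!source) return null;
  for (const raw of source.split(';')) {
    const cookie = raw.trim();
    if (cookie.substring(0, name.length + 1) === name + '=') {
      return decodeURIComponent(cookie.substring(name.length + 1));
    }
  }
  return null;
}

// Build the fetch() options for a JSON request to the API. The CSRF token is
// attached only on unsafe methods; credentials: 'same-origin' makes the browser
// send the session cookie, which is what authenticates the user (the CSRF
// token itself authenticates nothing, as Daniel's reply says).
function buildRequest(method, body, cookieString) {
  const headers = { 'Content-Type': 'application/json' };
  if (!CSRF_SAFE_METHODS.includes(method.toUpperCase())) {
    const token = getCookie('csrftoken', cookieString);
    if (token === null) {
      // Django only sets the cookie on pages that use {% csrf_token %}
      // or a view decorated with ensure_csrf_cookie.
      throw new Error('csrftoken cookie missing: load a page that sets it first');
    }
    headers['X-CSRFToken'] = token;
  }
  return {
    method: method.toUpperCase(),
    headers,
    credentials: 'same-origin',
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// Constructed sample cookie string, shaped like what a browser exposes.
const SAMPLE_COOKIES = 'sessionid=abc123; csrftoken=TOKEN%3DVALUE; theme=dark';

// Browser usage: fetch('/api/users/', buildRequest('POST', { name: 'alice' }));
```

The 403 body quoted in the thread, "Authentication credentials were not provided", is Django REST Framework's not-authenticated response, so it points at missing session or token credentials on the request rather than at the CSRF token itself.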
