Closed gnuletik closed 4 years ago
I don't really understand your point:
Hi @Tointoin,
I meant to switch to JWT for the applications on another domain like the player (sorry for the imprecision). We can (and should) keep the cookie + csrf auth for the django app / admin.
I've started implementing the JWT auth on the player. Hopefully I'll be able to release it today :)
We can (and should) keep the cookie + csrf auth for the django app / admin.
Yep I've been thinking about that too. Simplest is indeed to keep both.
Hi @Tointoin, The JWT authentication is now implemented on the player. I'm closing the issue as we can keep both authentication modes on the API.
Thanks!
When trying to make an HTTP POST request, I get the following error from Django:
CSRF Failed: Referer checking failed - Referer is insecure while host is secure
This error seems to be generated by Django's CSRF check, which rejects requests where the Referer HTTP header is not on one of Django's HTTP configured domains.
I tried to send this request with JWT authentication and it worked without any issue.
Dropping Django's CSRF check would raise a security issue.
As the current authentication mechanism (cookie + CSRF) is raising this issue and https://github.com/Parisson/TimeSide/issues/165, I guess that the simplest solution is to switch to JWT.
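As an added illustration (not code from TimeSide or Django), here is a simplified model of the Referer check Django's CSRF middleware applies to unsafe requests on HTTPS hosts, with constructed sample hosts standing in for the real deployment. It reproduces the three situations in this thread: the same-origin admin, the player served from a plain-HTTP origin (the error quoted above), and the player served over HTTPS from an origin not listed as trusted. Django REST Framework runs this check only for session-authenticated requests, which is why the JWT-authenticated request went through.

```python
"""Simplified model of the Referer check Django's CSRF middleware applies to
unsafe requests (POST, PUT, ...) on HTTPS hosts.  Added for this issue as an
illustration; it is not Django's code, and every host below is a constructed
sample value standing in for the real deployment."""
from urllib.parse import urlparse

API_HOST = "api.example.org"                                   # where the Django app is served
TRUSTED_HOSTS = ["admin.example.org", ".trusted.example.net"]  # stands in for CSRF_TRUSTED_ORIGINS


def same_domain(host, pattern):
    """Exact host match, or a leading-dot pattern that also covers subdomains."""
    host, pattern = host.lower(), pattern.lower()
    if not pattern.startswith("."):
        return host == pattern
    return host == pattern[1:] or host.endswith(pattern)


def check_referer(referer, request_is_secure=True,
                  host=API_HOST, trusted_hosts=TRUSTED_HOSTS):
    """Return None when the request passes, otherwise the rejection reason.
    Only HTTPS requests are referer-checked, which is why the same POST
    succeeds over plain HTTP and fails with the message quoted in this issue."""
    if not request_is_secure:
        return None
    if referer is None:
        return "Referer checking failed - no Referer."
    parsed = urlparse(referer)
    if not parsed.scheme or not parsed.netloc:
        return "Referer checking failed - Referer is malformed."
    if parsed.scheme != "https":
        return "Referer checking failed - Referer is insecure while host is secure."
    referer_host = parsed.hostname or ""
    # Same-origin requests (the Django app / admin) pass on the host alone;
    # other origins must be explicitly trusted (hostname match only, a simplification).
    if same_domain(referer_host, host) or any(same_domain(referer_host, t) for t in trusted_hosts):
        return None
    return f"Referer checking failed - {parsed.scheme}://{parsed.netloc} does not match any trusted origins."


def demo():
    """The three situations discussed in the thread, as label -> rejection reason (None = accepted)."""
    return {
        "same_origin": check_referer("https://api.example.org/admin/"),      # Django admin posting to itself
        "http_player": check_referer("http://player.example.com/"),          # the error from this issue
        "untrusted_player": check_referer("https://player.example.com/"),    # HTTPS, but not a trusted origin
    }
```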