Open kramarz opened 8 years ago
The better workaround, I believe, is to have more than one endpoint (one for token, one for session) rather than using internal logic or overriding DRF. There's no reason for the Token and Session login/logouts to share code, and in practice there's a good chance (especially if you're looking at using this project) you will end up using both flavors.
Check out http://www.django-rest-framework.org/api-guide/authentication/#sessionauthentication . Read the Warning section. DRF APIView forces the csrf_exempt decorator and handles CSRF itself, but only for requests which have the user authenticated (request.user.is_authenticated()==True).
As a workaround you can add something like this: