Tivix / django-rest-auth

This app makes it extremely easy to build Django-powered SPAs (Single Page Apps) or mobile apps, exposing all registration and authentication related functionality as CBVs (Class Based Views) and REST (JSON)
www.tivix.com
MIT License
2.4k stars 663 forks

REST_SESSION_LOGIN = True is vulnerable to CSRF attack. #241

Open kramarz opened 8 years ago

kramarz commented 8 years ago

Check out http://www.django-rest-framework.org/api-guide/authentication/#sessionauthentication and read the Warning section. DRF's APIView forces the csrf_exempt decorator and handles CSRF itself, but only for requests which have an authenticated user (request.user.is_authenticated() == True).

As a workaround you can add something like this:

    from rest_auth.views import LoginView as RestAuthLoginView

    class LoginView(RestAuthLoginView):  # hypothetical subclass name
        @classmethod
        def as_view(cls, *args, **kwargs):
            view = super().as_view(*args, **kwargs)
            view.csrf_exempt = False  # let CsrfViewMiddleware check this view again
            return view
ghost commented 8 years ago

The better workaround, I believe, is to have more than one endpoint (one for token, one for session) rather than using internal logic or overriding DRF. There's no reason for the Token and Session login/logouts to share code, and in practice there's a good chance (especially if you're looking at using this project) you will end up using both flavors.
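The following is an added example, not code from django-rest-auth or Django REST Framework. It is a small pure-Python model of the two layers the thread is about: Django's middleware-level CSRF check, which DRF switches off by marking every APIView csrf_exempt, and DRF's SessionAuthentication, which re-enforces CSRF only once request.user is authenticated. Because a login POST arrives anonymous, neither layer runs for the default session login view; clearing csrf_exempt (the first comment's workaround) restores the middleware check, and the second comment's split into a session endpoint and a token endpoint is modelled as two view classes. Names such as BaseLoginView, SessionLoginView, TokenLoginView, attempt and the csrf_check helper are assumptions of this model, and the token comparison is a simplified double-submit check rather than Django's actual implementation.

```python
"""Model of when a CSRF check runs on a DRF-style login view (added example,
not DRF or django-rest-auth code). Names and the csrf_check logic are
assumptions of this model."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str = ""          # empty username models AnonymousUser

    def is_authenticated(self) -> bool:
        return bool(self.username)


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    user: User = field(default_factory=User)


def csrf_check(request: Request) -> bool:
    """Double-submit check modelled on Django's CsrfViewMiddleware: on unsafe
    methods the X-CSRFToken header must equal the csrftoken cookie."""
    if request.method in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return True
    cookie = request.cookies.get("csrftoken", "")
    header = request.headers.get("X-CSRFToken", "")
    return bool(cookie) and hmac.compare_digest(cookie, header)


class SessionAuthentication:
    """The DRF behaviour the issue quotes: CSRF is enforced only once the
    session already carries an authenticated user."""

    def authenticate(self, request: Request):
        if not request.user.is_authenticated():
            return None                      # anonymous: no CSRF check at all
        if not csrf_check(request):
            raise PermissionError("CSRF Failed")
        return request.user


class BaseLoginView:
    csrf_exempt = True          # what APIView.as_view() sets on every DRF view
    authentication_classes = [SessionAuthentication]

    def dispatch(self, request: Request) -> int:
        # Django's middleware skips csrf_exempt views; clearing the flag (the
        # as_view override from the first comment) restores this check.
        if not self.csrf_exempt and not csrf_check(request):
            return 403
        for auth in self.authentication_classes:
            try:
                auth().authenticate(request)
            except PermissionError:
                return 403
        return self.post(request) if request.method == "POST" else 405

    def post(self, request: Request) -> int:
        # credentials are not validated in this model; the point is which
        # requests reach this line at all
        return 200


class DefaultLoginView(BaseLoginView):
    """Session login as shipped: exempt, and the user is still anonymous while
    logging in, so neither layer runs the CSRF check."""


class SessionLoginView(BaseLoginView):
    """Split endpoint for cookie sessions (second comment): the browser will
    attach the resulting session cookie automatically, so CSRF is enforced."""
    csrf_exempt = False


class TokenLoginView(BaseLoginView):
    """Split endpoint for token clients: the token travels in the response body
    and is attached by client code, not by the browser, so exemption is fine."""
    csrf_exempt = True


def attempt(view_cls, with_token: bool, logged_in: bool = False) -> int:
    """Dispatch a constructed POST /login and return the status code."""
    req = Request("POST", user=User("alice") if logged_in else User())
    if with_token:
        token = secrets.token_hex(16)
        req.cookies["csrftoken"] = token
        req.headers["X-CSRFToken"] = token
    return view_cls().dispatch(req)


if __name__ == "__main__":
    print("default login, no token:", attempt(DefaultLoginView, False))        # 200
    print("session login, no token:", attempt(SessionLoginView, False))        # 403
    print("session login, with token:", attempt(SessionLoginView, True))       # 200
    print("default view, logged in, no token:", attempt(DefaultLoginView, False, True))  # 403
```

The last line of the usage shows the part of DRF's behaviour that is working as documented: once a session user exists, SessionAuthentication does reject requests without a token. The gap is only the login request itself, which is why the fix has to come from the view (csrf_exempt = False) or from keeping cookie-session login on its own protected endpoint.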