Closed Andrioden closed 2 weeks ago
Bonus question: Why do I need to send X-CSRFToken?
    "X-CSRFToken": Cookies.get("csrftoken"),
Without it, Django logs Forbidden (CSRF token missing.): /_allauth/browser/v1/auth/provider/redirect. I would imagine allauth could take care of all that?
You do not need to send X-CSRFToken to pass the CSRF protection. Instead, you could attach the token to the request body.
    login: async function() {
        // Token goes in the form-encoded body as csrfmiddlewaretoken
        // instead of the X-CSRFToken header.
        await fetch("_allauth/browser/v1/auth/provider/redirect", {
            method: "POST",
            headers: {
                "Content-Type": "application/x-www-form-urlencoded"
            },
            body: new URLSearchParams({
                provider: this.type,
                callback_url: "/account/logged-in/",
                process: "login",
                csrfmiddlewaretoken: Cookies.get("csrftoken")
            })
        })
    }
Since Discord disallows that header, try this option. I think it should work.
See, for example, the demo code.
This part from the docs is important:
As calling this endpoint results in a user facing redirect (302), this call is only available in a browser, and must be called in a synchronous (non-XHR) manner.
You are using fetch -- just use a regular form POST (as is done in the demo code link above).
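Added example (editor's code, not part of the thread, the allauth project or its demo): what a "regular form POST" to the headless provider-redirect endpoint looks like in plain JavaScript. The endpoint path and the field names (provider, callback_url, process, csrfmiddlewaretoken) are the ones used in the thread; the helper names getCookie, providerRedirectFields, postForm and loginWithProvider are this example's own. Because the browser performs a top-level navigation, it simply follows the 302 to the provider, so no CORS preflight is sent to discord.com and no X-CSRFToken header is needed; the token travels in the body, where Django's CSRF middleware also accepts it.

```javascript
// Endpoint as used in the thread (allauth headless, browser client).
const PROVIDER_REDIRECT_URL = "/_allauth/browser/v1/auth/provider/redirect";

// Read a cookie by name. Replacement for js-cookie's Cookies.get so the
// example has no dependencies; the optional second argument lets it be
// exercised outside a browser.
function getCookie(name, cookieString) {
  const source = cookieString !== undefined
    ? cookieString
    : (typeof document !== "undefined" ? document.cookie : "");
  for (const part of source.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Build the hidden fields the endpoint expects. Kept pure (no DOM) so it
// can be checked in isolation. Without the CSRF token Django answers 403,
// so fail early rather than submit a request that cannot succeed.
function providerRedirectFields({ provider, callbackUrl, process = "login", csrfToken }) {
  if (!csrfToken) {
    throw new Error("csrftoken cookie missing: Django would reply 403 (CSRF token missing.)");
  }
  return [
    ["provider", provider],
    ["callback_url", callbackUrl],
    ["process", process],
    ["csrfmiddlewaretoken", csrfToken],
  ];
}

// Browser side: create a form with the fields and submit it as a full
// navigation (this is what the docs mean by "synchronous, non-XHR").
// `doc` defaults to the real document; a stand-in can be passed for tests.
function postForm(action, fields, doc = document) {
  const form = doc.createElement("form");
  form.method = "POST";
  form.action = action;
  for (const [name, value] of fields) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  form.submit();
  return form;
}

// Entry point wired to a "Log in with Discord/Google" button.
// Example: loginWithProvider("discord", "/account/logged-in/")
function loginWithProvider(provider, callbackUrl) {
  const fields = providerRedirectFields({
    provider,
    callbackUrl,
    csrfToken: getCookie("csrftoken"),
  });
  return postForm(PROVIDER_REDIRECT_URL, fields);
}
```

The csrftoken cookie must be readable by JavaScript for this to work, i.e. CSRF_COOKIE_HTTPONLY must stay False in settings.py; if you set it to True, render the token into the page with Django's {% csrf_token %} tag instead of reading the cookie.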
Thank you, the postForm worked. Yeah, sorry, I read that documentation, but I didn't understand what "non-XHR manner" meant and didn't think to look it up.
My use case is that I want to use allauth to help me authenticate with Discord and Google; I don't want my own users stored locally.
Previously I had this working using a form, but seeing I could simplify this with headless, I went for it.
HTML
JS
settings.py (relevant stuff)
Here is what happens
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://discord.com/api/oauth2/authorize?client_id=1054551832501960765&redirect_uri=http%3A%2F%2F127.0.0.1%3A8000%2Faccount%2Fdiscord%2Flogin%2Fcallback%2F&scope=identify+email&response_type=code&state=O0vEMIUD4X5B0wdI. (Reason: header ‘x-csrftoken’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response).
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://discord.com/api/oauth2/authorize?client_id=1054551832501960765&redirect_uri=http%3A%2F%2F127.0.0.1%3A8000%2Faccount%2Fdiscord%2Flogin%2Fcallback%2F&scope=identify+email&response_type=code&state=O0vEMIUD4X5B0wdI. (Reason: CORS request did not succeed). Status code: (null).