st4lk / django-rest-social-auth

OAuth signin with django rest framework
MIT License

Forbidden (CSRF cookie not set.) #147

Closed 1beb closed 3 years ago

1beb commented 3 years ago

Using a vuejs front-end that is separate from the DRF backend. After fixing cors with django-cors-headers can't seem to send a POST request without getting a forbidden message.

How could I go about csrf_exempt(ing) the views in this case?

Another auth back-end (drf_social_auth) uses csrfExemption mixins on their views to avoid this problem.

Plonq commented 2 years ago

~~I had the same problem. It doesn't make sense to me that this library explicitly protects the view with CSRF: https://github.com/st4lk/django-rest-social-auth/blame/master/rest_social_auth/views.py#L255~~

~~There is no CSRF token set if the user isn't logged in. And if the user is already logged in, why do they need social auth? I feel like I must be missing something?~~

EDIT: I realised this was just due to Django not always including the CSRF cookie, and it can be forced by using ensure_csrf_cookie. This means the below workaround is not needed.

Here's the workaround if you cannot use CSRF:

```python
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt
from rest_social_auth.views import SocialSessionAuthView


class CustomSocialView(SocialSessionAuthView):
    @method_decorator(csrf_exempt)
    def post(self, request, *args, **kwargs):
        # Note we cannot just call super() here because SocialSessionAuthView.post is protected by csrf explicitly,
        # so skip it and call the grandparent's post directly
        return super(SocialSessionAuthView, self).post(request, *args, **kwargs)
```
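To see why the first POST from a separate SPA fails with "CSRF cookie not set." and why the ensure_csrf_cookie route is preferable to csrf_exempt, here is an added standalone model of Django's double-submit check (example code written for this page, not code from the thread or from rest_social_auth). It models the cookie-secret plus masked-header scheme and Django's rejection reasons; the Origin/Referer check Django also performs is left out.

```python
# Added example: a stand-alone model of Django's CSRF double-submit check.
# Cookie holds the secret; the X-CSRFToken header carries a per-request masked
# copy. Any POST without the cookie is rejected before the header is even read,
# which is exactly what an SPA hits when its first request is the login POST.
import hmac
import secrets
import string
from typing import Dict, Optional

CHARS = string.ascii_letters + string.digits
SECRET_LEN = 32  # mirrors Django's CSRF_SECRET_LENGTH


def new_secret() -> str:
    """Value that ends up in the csrftoken cookie."""
    return "".join(secrets.choice(CHARS) for _ in range(SECRET_LEN))


def mask(secret: str) -> str:
    """Masked token for the X-CSRFToken header: random mask + shifted secret."""
    m = new_secret()
    return m + "".join(CHARS[(CHARS.index(s) + CHARS.index(k)) % len(CHARS)]
                       for s, k in zip(secret, m))


def unmask(token: str) -> str:
    m, cipher = token[:SECRET_LEN], token[SECRET_LEN:]
    return "".join(CHARS[(CHARS.index(c) - CHARS.index(k)) % len(CHARS)]
                   for c, k in zip(cipher, m))


def csrf_check(cookies: Dict[str, str], headers: Dict[str, str]) -> Optional[str]:
    """Return None if an unsafe request passes, else the rejection reason."""
    secret = cookies.get("csrftoken")
    if secret is None:
        return "CSRF cookie not set."          # the error from this issue
    token = headers.get("X-CSRFToken")
    if token is None:
        return "CSRF token missing."
    if len(token) != 2 * SECRET_LEN or any(c not in CHARS for c in token):
        return "CSRF token has incorrect length."
    if not hmac.compare_digest(unmask(token), secret):
        return "CSRF token incorrect."
    return None


def spa_flow(bootstrap_cookie: bool) -> Optional[str]:
    """Simulate the SPA: optional GET to an ensure_csrf_cookie view, then POST."""
    jar: Dict[str, str] = {}
    if bootstrap_cookie:
        jar["csrftoken"] = new_secret()      # what ensure_csrf_cookie's Set-Cookie does
    hdrs = {"X-CSRFToken": mask(jar["csrftoken"])} if "csrftoken" in jar else {}
    return csrf_check(jar, hdrs)
```

With the cookie bootstrapped, the front-end just reads csrftoken and sends it back in X-CSRFToken, and the protected SocialSessionAuthView.post can stay as is.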