vitalik / django-ninja

💨 Fast, Async-ready, Openapi, type hints based framework for building APIs
https://django-ninja.dev
MIT License

[BUG] Combining JWTAuth with django_auth only works in that order #1125

Open bastiaan85 opened 7 months ago

bastiaan85 commented 7 months ago

Describe the bug
When combining JWTAuth from django-jwt-auth with django_auth, if the latter precedes the former in the auth=[] parameter, calls using Bearer auth fail on "detail: CSRF check Failed". When inverting the order, both work.

    api = NinjaExtraAPI(
        title="My API",
        csrf=False,
        docs=Swagger(),
        docs_decorator=login_required,
        docs_url="/swagger",
        auth=[JWTAuth(), django_auth],  # working
        renderer=ORJSONRenderer(),
        urls_namespace="api",
    )

while auth=[django_auth, JWTAuth()] generates the CSRF error.


AndrewGrossman commented 5 months ago

+1. I also encountered this, Python 3.12.2, Django 5.0.6, Django-Ninja 1.1.0.

import logging

from django.conf import settings
from ninja.security import HttpBearer
from ninja.security import django_auth_superuser


class AuthBearer(HttpBearer):
    def authenticate(self, request, token):
        # Accept only tokens from the configured allow-list.
        if token in settings.ALLOWED_API_BEARER_TOKENS:
            return token

        # Non-deployed environments skip the token check entirely.
        if not settings.IS_DEPLOYED:
            logging.info("Bypassing bearer token check for non-deployed environment")
            return "not-deployed"

        # Returning None tells django-ninja this authenticator did not succeed.
        return None


# django_auth_superuser is consulted first, then the bearer check.
default_auth = [django_auth_superuser, AuthBearer()]

The above auth defined on my API gives CSRF issues, even if the target endpoint is marked as csrf_exempt. Flipping the auth order as @bastiaan85 did seems to solve the issue for me.

marcotm commented 1 month ago

+1. Using django_auth and HttpBearer auth together leads to CSRF issues when django_auth is first in the list. It works (and seems to correctly check for the token) when django_auth comes after the others. Using Django-Ninja 1.3.0.
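A constructed Python model of the order-dependent behaviour reported in this thread, written for this page and not taken from django-ninja or from any commenter. It assumes that the cookie-backed session auth runs its CSRF check before reading the session cookie and fails closed with a 403, and that the auth chain stops at the first callback that either succeeds or raises; the Request class, token value, cookie values and helper functions are all made up.

```python
# Constructed model of the auth chain this issue describes; NOT django-ninja's
# own code. Assumed: session auth checks CSRF before reading its cookie and
# raises a 403; the chain stops at the first callback that succeeds or raises.
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str = "GET"
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)

class HttpError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status

def session_auth(request: Request):
    """Session-style auth: CSRF check first on unsafe methods, then the cookie."""
    if request.method not in ("GET", "HEAD", "OPTIONS", "TRACE"):
        token = request.headers.get("X-CSRFToken")
        if not token or token != request.cookies.get("csrftoken"):
            raise HttpError(403, "CSRF check Failed")
    return request.cookies.get("sessionid")  # stands in for the logged-in user

ALLOWED_TOKENS = {"constructed-token"}  # constructed sample value, not a real secret

def bearer_auth(request: Request):
    """HttpBearer-style auth: accept a known token from the Authorization header."""
    scheme, _, token = request.headers.get("Authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token in ALLOWED_TOKENS else None

def run_authentication(auth_callbacks, request: Request):
    """First callback returning a truthy principal wins; a raised HttpError ends
    the chain immediately, so callbacks later in the list are never tried."""
    for callback in auth_callbacks:
        try:
            result = callback(request)
        except HttpError as exc:
            return exc.status, None
        if result:
            return 200, result
    return 401, None

def bearer_post(token: str) -> Request:
    return Request("POST", headers={"Authorization": f"Bearer {token}"})

def session_post(with_csrf_header: bool) -> Request:
    headers = {"X-CSRFToken": "c0ffee"} if with_csrf_header else {}
    return Request("POST", headers, {"sessionid": "alice", "csrftoken": "c0ffee"})
```

With the bearer auth listed first, a cookie-only POST without a CSRF header still reaches the session auth and is rejected, so the reordering does not loosen the CSRF check for session-authenticated calls.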