zooniverse / theia

Building the next-generation Floating Forests pipeline

exempt call on an API app from csrf check because we're already authe… #126

Closed chelseatroy closed 3 years ago

chelseatroy commented 3 years ago

Django-REST enables CSRF checking by default

I didn't realize this before deployment because it doesn't check this in the development environment (whoops). I figured this out when trying to make an ImageryRequest for the first time on the deployed version and got 403 Forbidden.

The CSRF token is how Django-REST secures apps using SessionAuthentication. There are three options: SessionAuthentication, TokenAuthentication, and OAuth2.0.

We're using OAuth2.0 to secure our app, but we're doing it through a dependency called social-auth, not through Django-REST's built-in stuff. But we have to choose one of the auth options in Django-REST even if we're handling our own auth, so SessionAuthentication was selected, and it doesn't realize we're doing our own auth.

This PR disables the csrf check for the ImageryRequest endpoint.
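The coupling described above, as an added illustration that is not part of this PR or the theia code base: Django REST Framework's SessionAuthentication enforces the CSRF check only on requests it has authenticated from a session cookie, and other schemes (a bearer token, for instance) never hit that check. The block below is a small constructed model of that dispatch, not DRF's implementation; the session and token tables, cookie and header names, and the `handle` status codes are assumptions chosen to mirror DRF's behaviour. It shows why a session-authenticated POST without a token returns 403, and that listing only a token scheme in a view's authentication classes makes the session cookie irrelevant to that endpoint instead of leaving it session-authenticated with CSRF switched off.

```python
"""Constructed model of DRF-style auth dispatch and CSRF enforcement.
Not DRF's code: a simplified illustration of when the CSRF check runs."""
import hmac
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Assumed stores standing in for the session backend and a token table.
SESSIONS = {"sess-abc": "alice"}
BEARER_TOKENS = {"tok-xyz": "alice"}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class CsrfFailure(Exception):
    pass


def session_user(request):
    """Authenticate from the session cookie, as SessionAuthentication does."""
    return SESSIONS.get(request.cookies.get("sessionid"))


def bearer_user(request):
    """Authenticate from an Authorization: Bearer header (token scheme)."""
    auth = request.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return BEARER_TOKENS.get(auth[len("Bearer "):])
    return None


def enforce_csrf(request):
    """Double-submit check: unsafe methods need a header token equal to the cookie."""
    if request.method in SAFE_METHODS:
        return
    cookie = request.cookies.get("csrftoken", "")
    header = request.headers.get("X-CSRFToken", "")
    if not cookie or not hmac.compare_digest(cookie, header):
        raise CsrfFailure("CSRF token missing or incorrect")


def authenticate(request, classes):
    """First scheme that identifies a user wins; CSRF runs only for session."""
    for scheme in classes:
        if scheme == "session":
            user = session_user(request)
            if user:
                enforce_csrf(request)  # only session logins are CSRF-checked
                return user, "session"
        elif scheme == "bearer":
            user = bearer_user(request)
            if user:
                return user, "bearer"  # no CSRF check for token auth
    return None, None


def handle(request, classes=("session", "bearer")):
    """Return an HTTP status for an unsafe endpoint under the given auth classes."""
    try:
        user, _scheme = authenticate(request, classes)
    except CsrfFailure:
        return 403
    if user is None:
        return 401
    return 201


def demo():
    """The four cases the PR description touches; returned as a dict."""
    session_no_token = Request("POST", cookies={"sessionid": "sess-abc"})
    session_with_token = Request(
        "POST",
        cookies={"sessionid": "sess-abc", "csrftoken": "t1"},
        headers={"X-CSRFToken": "t1"},
    )
    bearer_only = Request("POST", headers={"Authorization": "Bearer tok-xyz"})
    return {
        # the deployed symptom: logged-in browser session, no token -> 403
        "session_no_token": handle(session_no_token),
        "session_with_token": handle(session_with_token),
        "bearer_only": handle(bearer_only),
        # per-view override to the token scheme only: the session cookie
        # no longer authenticates, so nothing is silently CSRF-exempt
        "session_cookie_on_bearer_only_view": handle(session_no_token, ("bearer",)),
    }


if __name__ == "__main__":
    print(demo())
```

The last case is the design point: narrowing a view's authentication classes to the scheme actually in use changes how the request is identified, whereas dropping `enforce_csrf` while SessionAuthentication stays active leaves a cookie-authenticated endpoint reachable by any cross-site form submission the browser makes.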