I'm using Django Rest Framework and also django-rest-auth.
I've the standard API endpoints (/login, /logout, /registration...)
With my browser, I can login/list my users/logout. With Insomnia (an API requester), I can't login/logout, I've the error "CSRF Failed: CSRF token missing or incorrect".
Maybe I need to add the CSRF header, but honestly I don't know where to find this CSRF token... Maybe I need to add some things (@csrf_protect?) to login endpoint, but am I forced to rewrite completely the default view?
Solution
You need to set the X-CSRFToken in the Header settings of Insomnia (https://support.insomnia.rest/article/49-cookies).
For X-CSRFToken, use the cookie tag: click on Request => Cookie, put csrftoken into Cookie Name and try it again.
Explanation
The CSRF Token is set by Django in the cookie. This is done within the first request to the server. Then the value of the cookie is sent back to the server within the header as X-CSRF-Token.
You can see what's going on in the debugger of your browser (F12 in Chrome):
csrftoken Cookie is set
csrftoken is sent back as X-CSRF-Token to the server within the Request Header
Mentioning as an answer rather than a comment because of low reputation.
Adding an entry named X-CSRFTOKEN works. But for that to work, make sure you have some urls which don't require csrftoken and make a request. The solution will only work after making a successful request to the API, or else Insomnia doesn't get the token from the server and a "No cookies in store for URL" error will appear.
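The flow both answers describe (a first request that stores the csrftoken cookie, then the same value sent back in the X-CSRFToken header), as an added example that is not from either answer. StubAPI is a hypothetical stand-in that performs only the cookie/header comparison, not Django's full CSRF middleware; the token value and the /login/ path are constructed.

```python
import http.cookiejar, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN = "constructed-sample-token"  # constructed value, stands in for Django's csrftoken

class StubAPI(BaseHTTPRequestHandler):
    """Hypothetical stand-in for the API: only the cookie/header comparison."""
    def log_message(self, *args):  # keep the demo quiet
        pass
    def do_GET(self):  # any first request sets the csrftoken cookie
        self.send_response(200)
        self.send_header("Set-Cookie", f"csrftoken={TOKEN}; Path=/")
        self.end_headers()
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        cookies = self.headers.get("Cookie", "").split("; ")
        header = self.headers.get("X-CSRFToken")
        ok = header is not None and f"csrftoken={header}" in cookies
        self.send_response(200 if ok else 403)
        self.end_headers()

def post_login(base, prime, send_header):
    """POST to /login/ the way an API client would; returns the HTTP status."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}), urllib.request.HTTPCookieProcessor(jar))
    if prime:  # first request, so the client has a cookie in its store
        opener.open(base + "/").close()
    token = next((c.value for c in jar if c.name == "csrftoken"), None)
    headers = {"X-CSRFToken": token} if (send_header and token) else {}
    req = urllib.request.Request(base + "/login/", data=b"{}", headers=headers)
    try:
        with opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def run_demo():
    server = HTTPServer(("127.0.0.1", 0), StubAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return {"no_first_request": post_login(base, False, True),
                "cookie_only": post_login(base, True, False),
                "cookie_and_header": post_login(base, True, True)}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Only the third case returns 200: without a prior request there is no cookie to copy, and a cookie alone is rejected because the header is what proves the client could read it.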