我为什么在使用DRF和rest_framework_api_key进行POST时收到403错误?

huangapple go评论71阅读模式
英文:

Why am I getting 403 for POST with DRF and rest_framework_api_key?

问题

I am getting a 403 response from the server in my new Django app. It is very simple. I don't even have models, I just want to return an audio file, but I want to do it through an API. Because of that, since I am not going to have users, I need an API key, and I found that I can use the Django REST framework and the REST framework API key modules. I have followed the quickstarts and can't seem to get a response. It was working before, but it was authenticating through CSRF, and like I said, it is going to be an API, so I won't have CSRF cookies.

Here is the view I am using:

@api_view(["POST"])
def tts_view(request):
  data = request.POST

  voice_name = data.get("voice_name")
  text = data.get("text")

  if not voice_name or not text:
    return JsonResponse({"error": "Missing voice_name or text"}, status=400)

  return JsonResponse({"wav": text_to_wav(voice_name, text)}, status=200, safe=False)

The settings:

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'rest_framework',
    'rest_framework_api_key',
    'TTS',
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

REST_FRAMEWORK = {
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework_api_key.permissions.HasAPIKey",
    ]
}

And the fetch (the API key is just a test, so it doesn't matter):

fetch('/create-speech', {
    method: 'POST',
    body: JSON.stringify({
        voice_name: "es-US-Neural2-B",
        text: "Estoy feliz"
    }),
    headers: { 
        'Authorization': '0tSMNivu.f8DOBrHTTKfMQBGANNbjl5BJQcswN9ay',
        'Content-Type': 'application/json'
    }
})
.then((resp) => {
    if (!resp.ok) throw Error(`${resp.statusText} - ${resp.status}`);
	return resp.json();
})
.then((wav) => {
    console.log('success');
});

I am doing the fetch in the console on the default page, which is not defined (like I said, I only want an API).

I have tried including rest_framework.permissions.AllowAny into DEFAULT_PERMISSION_CLASSES, but it doesn't work either.

I don't really know what else to do, so any help would be appreciated. Thanks!

英文:

I am getting a 403 response from the server in my new Django app. It is very simple. I don't even have models, I just want to return an audio file, but I want to do it through an API. Because of that, since I am not going to have users, I need an API key, and I found that I can use the Django REST framework and the REST framework API key modules. I have followed the quickstarts and can't seem to get a response. It was working before, but it was authenticating through CSRF, and like I said, it is going to be an API, so I won't have CSRF cookies.

Here is the view I am using:

@api_view(["POST"])
def tts_view(request):
  data = request.POST

  voice_name = data.get("voice_name")
  text = data.get("text")

  if not voice_name or not text:
    return JsonResponse({"error": "Missing voice_name or text"}, status=400)

  return JsonResponse({"wav": text_to_wav(voice_name, text)}, status=200, safe=False)

The settings:

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'rest_framework',
    'rest_framework_api_key',
    'TTS',
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

REST_FRAMEWORK = {
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework_api_key.permissions.HasAPIKey",
    ]
}

And the fetch (the API key is just a test, so it doesn't matter):

fetch('/create-speech', {
    method: 'POST',
    body: JSON.stringify({
        voice_name: "es-US-Neural2-B",
        text: "Estoy feliz"
    }),
    headers: { 
        'Authorization': '0tSMNivu.f8DOBrHTTKfMQBGANNbjl5BJQcswN9ay',
        'Content-Type': 'application/json'
    }
})
.then((resp) => {
    if (!resp.ok) throw Error(`${resp.statusText} - ${resp.status}`);
	return resp.json();
})
.then((wav) => {
    console.log('success');
});

I am doing the fetch in the console on the default page, which is not defined (like I said, I only want an API).

I have tried including rest_framework.permissions.AllowAny into DEFAULT_PERMISSION_CLASSES, but it doesn't work either.

I don't really know what else to do, so any help would be appreciated. Thanks!

答案1

得分: 1

来自Django REST Framework API Key文档

默认情况下,客户端必须通过Authorization头传递其API密钥。它必须按照以下格式进行格式化:

Authorization: Api-Key <API_KEY>

你漏掉了Api-Key 部分(注意它与<API_KEY>部分之间的空格)。因此,你的请求应该是:

fetch('/create-speech', {
    ...
    headers: {
        'Authorization': 'Api-Key 0tSMNivu.f8DOBrHTTKfMQBGANNbjl5BJQcswN9ay',
        'Content-Type': 'application/json'
    }
})
...
英文:

From the Django REST Framework API Key docs:

> By default, clients must pass their API key via the Authorization header. It must be formatted as follows:
>
> Authorization: Api-Key &lt;API_KEY&gt;

You're missing the Api-Key part (notice the space between it and the &lt;API_KEY&gt; part). So your request should be:

fetch(&#39;/create-speech&#39;, {
    ...
    headers: {
        &#39;Authorization&#39;: &#39;Api-Key 0tSMNivu.f8DOBrHTTKfMQBGANNbjl5BJQcswN9ay&#39;,
        &#39;Content-Type&#39;: &#39;application/json&#39;
    }
})
...

答案2

得分: 0

你应该添加一个CSRF例外权限类或装饰器,例如:

from django.views.decorators.csrf import csrf_exempt

并且在你的API视图声明之前添加:

@api_view(["POST"])
@csrf_exempt
def tts_view(request):

有了这个,只要在API调用的标头中传递您的DRF API令牌,如下所示:

Authorization: Token token_string

就应该足够了。

英文:

You should add a CSRF exemption permission class or decorator, e.g.:

from django.views.decorators.csrf import csrf_exempt

and above your API view declaration:

@api_view([&quot;POST&quot;])
@csrf_exempt
def tts_view(request):

With this, ensuring that you pass in your DRF API token in headers in your API call as
Authorization: Token token_string
should suffice.

huangapple
  • 本文由 发表于 2023年4月20日 01:46:15
  • 转载请务必保留本文链接:https://go.coder-hub.com/76057447.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定