英文:
Vue Django app Forbidden (CSRF cookie not set.): 403 Forbidden
问题
I suppose this would actually be a django question as I think there's something wrong with the backend. I have my Vue code in frontend/ (127.0.0.1:8080) and django code in backend/ (127.0.0.1:8000). I've followed the django docs on CORS and CSRF Tokens but I get Forbidden (CSRF cookie not set.): when trying to make a post request to the django server. I'm trying to reset password via email.
backend/settings.py:
...CORS_ALLOW_ALL_ORIGINS = True # If this is used then `CORS_ALLOWED_ORIGINS` will not have any effectCORS_ALLOW_CREDENTIALS = TrueCSRF_TRUSTED_ORIGINS = ['http://127.0.0.1:8080',]CORS_ALLOWED_ORIGINS = ['http://127.0.0.1:8080',]# SESSION_COOKIE_SAMESITE = 'None'# CORS_ALLOW_CREDENTIALS = TrueEMAIL_BACKEND = 'django.core.mail.backends.filebased.EmailBackend'EMAIL_FILE_DIR = BASE_DIR / 'emails'...# Application definitionINSTALLED_APPS = ['django.contrib.admin','django.contrib.auth','django.contrib.contenttypes','django.contrib.sessions','django.contrib.messages','django.contrib.staticfiles','rest_framework','rest_framework.authtoken','corsheaders','djoser','product','order','email_app']MIDDLEWARE = ['django.middleware.security.SecurityMiddleware','django.contrib.sessions.middleware.SessionMiddleware','corsheaders.middleware.CorsMiddleware','django.middleware.common.CommonMiddleware','django.middleware.csrf.CsrfViewMiddleware','django.contrib.auth.middleware.AuthenticationMiddleware','django.contrib.messages.middleware.MessageMiddleware','django.middleware.clickjacking.XFrameOptionsMiddleware',]...
backend/urls.py:
urlpatterns = [path('admin/', admin.site.urls),path('api/v1/', include('djoser.urls')),path('api/v1/', include('djoser.urls.authtoken')),path('api/v1/', include('product.urls')),path('api/v1/', include('order.urls')),path('api/v1/', include('email_app.urls'))] + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
backend/email_app/urls.py:
from django.urls import pathfrom email_app import viewsurlpatterns = [path('reset_password/', views.reset_password),]
backend/email_app/views.py:
from rest_framework.decorators import api_viewfrom django.core.mail import send_mailfrom django.contrib.auth.models import Userfrom rest_framework.authtoken.models import Tokenfrom django.template.loader import render_to_stringfrom rest_framework.response import Responsefrom rest_framework import statusfrom django.middleware.csrf import get_tokenfrom django.views.decorators.csrf import csrf_protectfrom rest_framework import statusfrom rest_framework.decorators import api_viewfrom .serializers import ResetPasswordEmail@api_view(['POST', 'GET'])@csrf_protectdef reset_password(request):if request.method == "POST":serializer = ResetPasswordEmail(data=request.data)if serializer.is_valid():# get the email from Front-Endemail = serializer.validated_data['email']# find the user that has that emailuser = User.objects.get(email=email)# get the token of that usertoken = Token.objects.get(user=user)if user:# pass the context of things above to send them in an emailcontext = {'email': email,'username': user,'token': token}send_mail('d-commerce Password Reset',render_to_string('emails/reset_password.txt', context),'D-COMMERCE and No Reply',[email],fail_silently=False,auth_user=None, auth_password=None, connection=None, html_message=None)serializer.save(token=token, slug=token)return Response(serializer.data, status=status.HTTP_201_CREATED)return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)...
For vue I use:
...// using jQuerygetCookie(name) {var cookieValue = null;if (document.cookie && document.cookie !== '') {var cookies = document.cookie.split(';');for (var i = 0; i < cookies.length; i++) {var cookie = jQuery.trim(cookies[i]);// Does this cookie string begin with the name we want?if (cookie.substring(0, name.length + 1) === (name + '=')) {cookieValue = decodeURIComponent(cookie.substring(name.length + 1));break;}}}return cookieValue;}...
and using axios to send the request:
...const csrftoken = this.getCookie('csrftoken');axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';axios.defaults.headers.common['X-CSRFToken'] = csrftoken;axios.post("/api/v1/reset_password/", formData).then(response => {toast({message: 'If you have an account with us,please check your email for the link!',type: 'is-success',dismissible: true,pauseOnHover: true,position: 'bottom-right',})})...
英文:
I suppose this would actually be a django question as I think there's something wrong with the backend. I have my Vue code in frontend/ (127.0.0.1:8080) and django code in backend/ (127.0.0.1:8000). I've followed the django docs on CORS and CSRF Tokens but I get Forbidden (CSRF cookie not set.): when trying to make a post request to the django server. I'm trying to reset password via email.
backend/settings.py
...CORS_ALLOW_ALL_ORIGINS = True # If this is used then `CORS_ALLOWED_ORIGINS` will not have any effectCORS_ALLOW_CREDENTIALS = TrueCSRF_TRUSTED_ORIGINS = ['http://127.0.0.1:8080',]CORS_ALLOWED_ORIGINS = ['http://127.0.0.1:8080',]# SESSION_COOKIE_SAMESITE = 'None'# CORS_ALLOW_CREDENTIALS = TrueEMAIL_BACKEND = 'django.core.mail.backends.filebased.EmailBackend'EMAIL_FILE_DIR = BASE_DIR / 'emails'# Application definitionINSTALLED_APPS = ['django.contrib.admin','django.contrib.auth','django.contrib.contenttypes','django.contrib.sessions','django.contrib.messages','django.contrib.staticfiles','rest_framework','rest_framework.authtoken','corsheaders','djoser','product','order','email_app']MIDDLEWARE = ['django.middleware.security.SecurityMiddleware','django.contrib.sessions.middleware.SessionMiddleware','corsheaders.middleware.CorsMiddleware','django.middleware.common.CommonMiddleware','django.middleware.csrf.CsrfViewMiddleware','django.contrib.auth.middleware.AuthenticationMiddleware','django.contrib.messages.middleware.MessageMiddleware','django.middleware.clickjacking.XFrameOptionsMiddleware',]...
backend/urls.py:
urlpatterns = [path('admin/', admin.site.urls),path('api/v1/', include('djoser.urls')),path('api/v1/', include('djoser.urls.authtoken')),path('api/v1/', include('product.urls')),path('api/v1/', include('order.urls')),path('api/v1/', include('email_app.urls'))] + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
backend/email_app/urls.py:
from django.urls import pathfrom email_app import viewsurlpatterns = [path('reset_password/', views.reset_password),]
backend/email_app/views.py:
from rest_framework.decorators import api_viewfrom django.core.mail import send_mailfrom django.contrib.auth.models import Userfrom rest_framework.authtoken.models import Tokenfrom django.template.loader import render_to_stringfrom rest_framework.response import Responsefrom rest_framework import statusfrom django.middleware.csrf import get_tokenfrom django.views.decorators.csrf import csrf_protectfrom rest_framework import statusfrom rest_framework.decorators import api_viewfrom .serializers import ResetPasswordEmail@api_view(['POST', 'GET'])@csrf_protectdef reset_password(request):if request.method == "POST":serializer = ResetPasswordEmail(data=request.data)if serializer.is_valid():# get the email from Front-Endemail = serializer.validated_data['email']# find the user that has that emailuser = User.objects.get(email=email)# get the token of that usertoken = Token.objects.get(user=user)if user:# pass the context of things above to send them in an emailcontext = {'email': email,'username': user,'token': token}send_mail('d-commerce Password Reset',render_to_string('emails/reset_password.txt', context),'D-COMMERCE and No Reply',[email],fail_silently=False,auth_user=None, auth_password=None, connection=None, html_message=None)serializer.save(token=token, slug=token)return Response(serializer.data, status=status.HTTP_201_CREATED)return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)...
For vue I use:
...// using jQuerygetCookie(name) {var cookieValue = null;if (document.cookie && document.cookie !== '') {var cookies = document.cookie.split(';');for (var i = 0; i < cookies.length; i++) {var cookie = jQuery.trim(cookies[i]);// Does this cookie string begin with the name we want?if (cookie.substring(0, name.length + 1) === (name + '=')) {cookieValue = decodeURIComponent(cookie.substring(name.length + 1));break;}}}return cookieValue;}...
and using axios to send the request:
...const csrftoken = this.getCookie('csrftoken');axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';axios.defaults.headers.common['X-CSRFToken'] = csrftoken;axios.post("/api/v1/reset_password/", formData).then(response => {toast({message: 'If you have an account with us,please check your email for the link!',type: 'is-success',dismissible: true,pauseOnHover: true,position: 'bottom-right',})})...
答案1
得分: 0
这似乎是修复的方法,我添加了 withCredentials = true 并设置了头部如下:
axios.defaults.withCredentials = true;axios.defaults.headers.common = {'X-Requested-With': 'XMLHttpRequest','X-CSRFToken' : this.getCookie('csrftoken')};
英文:
Ok so this seems to be the fix, I added withCredentials = true and set the headers like this:
axios.defaults.withCredentials = true;axios.defaults.headers.common = {'X-Requested-With': 'XMLHttpRequest','X-CSRFToken' : this.getCookie('csrftoken')};
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论