英文:
Django back + react front 403 forbidden on logout function although changed permissions to AllowAny
问题
尝试使用Django REST API + React创建一个简单的Web服务。在获取API时,我使用了CORS和绝对路径,同时我还使用了会话认证。除了注销功能之外,一切都运行正常。以下是我的Django views.py文件中的注销函数:
from rest_framework.request import Requestfrom rest_framework.response import Responsefrom rest_framework.decorators import api_view, permission_classes, authentication_classesfrom rest_framework.permissions import IsAuthenticated, AllowAnyfrom rest_framework.authentication import SessionAuthenticationfrom core.serializers import UserSerializer, LoginRequestSerializer, iPadSerializerfrom core.models import iPadfrom rest_framework import status, viewsets, genericsfrom django.http import JsonResponsefrom django.contrib.auth import authenticate, login, logout@api_view(['POST'])@permission_classes([AllowAny])def logout_view(request):logout(request)return Response(status=status.HTTP_200_OK)
这是我的React中的handleLogout函数:
const handleLogout = () => {setLoading(true);fetch('http://localhost:8000/api/logout', {credentials: 'include',method: 'POST',headers: {'Content-Type': 'application/json;charset=utf-8','X-CSRFToken': csrftoken,},}).then((response) => {if (response.ok) {setIsLoggedIn(false);setError(null);} else {throw Error(`Something went wrong: code ${response.status}`);}}).catch((error) => {console.log(error);setError('Ошибка при выходе');}).finally(() => setLoading(false));};
我认为问题可能出在我的CORS设置上,但是奇怪的是,其他的fetch请求都正常工作。这是我的CORS设置,但它仍然不起作用:
CORS_ALLOW_CREDENTIALS = TrueCORS_ALLOWED_ORIGINS = ['http://localhost:3000','http://127.0.0.1:3000',]CORS_ALLOW_METHODS = ["DELETE","GET","OPTIONS","PATCH","POST","PUT",]CORS_ALLOW_HEADERS = ["accept","accept-encoding","authorization","content-type","dnt","origin","user-agent","x-csrftoken","x-requested-with",]
我有一个handleLogin函数,它在React端的操作方式完全相同,而且它运行得非常顺畅。另外,如果我将代理更改为127.0.0.1:8000并停止使用绝对URL(使用/api/logout而不是http:...),它也可以正常工作。因此,我仍然认为问题出在我的CORS设置上。对不起我的英文不太好,希望这可以帮助你解决问题。<3
英文:
Trying to do a simple web service using django rest api + react. I'm using CORS and absolute path when fetching API. Also i'm using session auth. Everything works fine except my logout function. That's how it looks django views.py:
`from rest_framework.request import Requestfrom rest_framework.response import Responsefrom rest_framework.decorators import api_view, permission_classes, authentication_classesfrom rest_framework.permissions import IsAuthenticated, AllowAnyfrom rest_framework.authentication import SessionAuthenticationfrom core.serializers import UserSerializer, LoginRequestSerializer, iPadSerializerfrom core.models import iPadfrom rest_framework import status, viewsets, genericsfrom django.http import JsonResponsefrom django.contrib.auth import authenticate, login, logout@api_view(['POST'])@permission_classes([AllowAny])def logout_view(request):logout(request)return Response(status=status.HTTP_200_OK)`
And that's how my react handleLogout looks:
const handleLogout = () => {setLoading(true);fetch('http://localhost:8000/api/logout', {credentials: 'include',method: 'POST',headers: {'Content-Type': 'application/json;charset=utf-8','X-CSRFToken': csrftoken,},}).then((response) => {if (response.ok) {setIsLoggedIn(false);setError(null);} else {throw Error(`Something went wrong: code ${response.status}`);}}).catch((error) => {console.log(error);setError('Ошибка при выходе');}).finally(() => setLoading(false));};
I thought that problem is my CORS settings, bul strangely every other fetch works fine. That's my CORS settings and it's still don't work:
CORS_ALLOW_CREDENTIALS = TrueCORS_ALLOWED_ORIGINS = ['http://localhost:3000','http://127.0.0.1:3000',]CORS_ALLOW_METHODS = ["DELETE","GET","OPTIONS","PATCH","POST","PUT",]CORS_ALLOW_HEADERS = ["accept","accept-encoding","authorization","content-type","dnt","origin","user-agent","x-csrftoken","x-requested-with",]
I have handleLogin which works exactly the same on react side and it works flawlessly. Also if i change my proxy to 127.0.0.1:8000 and stop using absolute urls (/api/logout instead of http:...) it works just fine, so i still think that problem is my CORS.Sry for my poor english <3
答案1
得分: 1
当您注销http_method_name中的@api_view装饰器是['GET']。
更改为:
@api_view(['POST'])
改为:
@api_view(["GET"])
并且在logout_view函数中,您需要删除用户的令牌,以便他不再被验证,类似于:request.user.auth_token.delete()。
英文:
When you log out the http_method_name in the @api_view decorator is ['GET']
change :
@api_view(['POST'])
to :
@api_view(["GET"])
and in the logout_view function, you have to delete the Token for the user so he will no longer be authenticated . something like : request.user.auth_token.delete()
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论