I am fairly new to Django so sorry if this is a silly question:
When I try to send the request through postman I receive this 403 error:
{ "detail": "CSRF Failed: CSRF token missing or incorrect." }
I have also tried adding it to the params section as well in postman, resulting in the same error.
However, when using the curl command, I receive the correct response:
curl -X POST -d "grant_type=convert_token&client_id=r29GLakM6OZ7c4Zg2cwuSXR7M1jiQHIEEMLvtbWA&client_secret=S2xKO81zzYBUTdxM14QiQWb63jnNvPLIcqDTrN9HIYj7t7ldfuCQFWoziWF6h88OgsMUCUNI6HbhIxZQ8ScPFWUWVcJNjaZspbGkDK1j9SsRYJi9uW6DhTr0A9QKvyOZ&backend=facebook&token=EAAY5l4TWgr4BAMjficP4mPKqlbVwVRXI0Xs5GLXSN97sMyKe3muElrkpXRcxJkiZCMzC7tfZBfT4Cci52Pk6Bb2GQm2BARm23tsJoaViOovmvZABlGlJPPZCJ9OecYvfEinUOBaDeBugiDv614yUzOAIfyE0lfZCAX8YAbYyxnlqYYtmS6ywH" http://localhost:8000/api/social/convert-token
What am I doing wrong?
Edit: I am using the django-rest-framework-social-oauth2 and following a tutorial online which did not require passing in any other token in the X-CSRFToken header field.
My problem was a cookie issue with postman. I deleted the cookies off chrome and disabled the interceptor on postman. It would store and use the previous sessions CSRF token instead of generating a new one.
Related
i have problem for running postman POST using python code.
first i generate python code from fiddler, i capture when i running postman POST from website.
Capture with fiddler
and then the problem is here, the bearer token only work 5-15minutes, after that i got response 401, because bearer token is expired.
Python Code for running my postman
so i want to change the Bearer token to basic auth ( use my user and password of my postman acc)
i already try change Authorization value to apikey and base64encode(user:pass) still not working.
please who experince in this , help my case, thanks.
I am trying to use Python requests to log into amazon.se. To do so, I first make a GET request to one of the pages, get redirected to the sign-in page, and make a POST request using the data from the login form + my credentials.
The problem is that in response I get the sign-in page with the following error:
I am of course sure that both the email and password are valid, but the login process still fails in both Python and Postman. I tried to compare the browser requests to my manufactured ones, and they seem almost identical except for me missing a couple of what I believe are non-essential headers. Nevertheless, there must be something going on behind the scenes that I am missing.
Postman POST request
Headers:
Body (form data from previous GET request):
Browser POST request
Headers:
Body:
Context
I'm migrating to Google's new auth solution that doesn't require 3rd party cookies using the following guide:
My app is a frontend built in Vue.js and a backend in Python (Flask).
Problem
Once I receive the Authorization token from Google (looks something like 4/0AdQt...bg), I'm unable to exchange it for a refresh & access token.
For Python, the official Google documentation only shows an example that uses Flask (using the Flow object) to request the token and verify it.
I've tried to build a simple POST request with postman
import requests
url = "https://oauth2.googleapis.com/token"
payload='code=4%2F...bg&client_id=92...cac42tg.apps.googleusercontent.com&client_secret=hw...u8D&redirect_uri=https%3A%2F%2Fco...pp&grant_type=authorization_code'
headers = {
'Content-Type': 'application/x-www-form-urlencoded'
}
response = requests.request("POST", url, headers=headers, data=payload)
print(response.text)
But I get the following unhelpful 400 Bad Request response
{
"error": "invalid_grant",
"error_description": "Bad Request"
}
I tried to change the different form parameters and got different errors (The OAuth client was not found., Unauthorized, invalid_request, ...) so most likely the error is in the actual code.
If anyone has faced a similar issue, I'd love some help!
While requesting http://www.sonyliv.com/api/v2/vod/search API, I am getting "Invalid csrf token" message in chrome postman.
{
"code": "403",
"name": "Bad Request",
"message": "Invalid csrf token"
}
When I look to Chrome Inspect Element > Network tab in Headers section, I found
"X-XSRF-TOKEN:tGXcHOmy-ro-GQfTestDSAp8EINq85dwHpdU"
as a token but this token is changed in every session, how can i pass X-XSRF-TOKEN value in my request to get the required result.
Please Help.
The idea of the CSRF tokens is that you can't call an API service if you're not doing it from the expected form, that's why it always changes its value.
I'm guessing you're trying to use that API not officially... so what you could try is to GET the base website and store in a cookie jar all the cookies it sends you and then try to query the search endpoint.
That way your request will include the XSRF token and the rest of the cookies and hopefully the server will think you request is legit.
Hope it helps
I'm using both Appcelerator Titanium and Python's Django to create a mobile app. As you might have guessed, Django is being used for the back-end. At the moment I'm trying to create a login form which requires a CSRF token to accept the data correctly. I'm trying to retrieve the CSRF token from Django, but I've tried and failed, and Google doesn't have any answers for me.
The problem is normally you'd get an HTML page with a CSRF token included in the form and just send it. What I'm trying to do now is send a POST without knowing the CSRF. In appcelerator, I've tried running
HTTPSession.open(GET, *url*)
token = HTTPSession.getRecievedHeaders("X-CSRF-TOKEN")
HTTPSession.open(POST, *url)
HTTPSession.getRecievedHeaders("X-CSRF-TOKEN", token)
HTTPSession.send(data)
But this doesn't work because of how Titanium works. So how can I get the token? Do I need to create a specific url just to create a session and display a CSRF token? I'm just worried that once I've recieved the token, I'll need to reconnect to the server and the token will have changed.
During my Googling, I found that Drupal has a function for this at the url: services/session/token
Is there an equivillant for this in Django? Or do I need to create my own page showing just a CSRF token?
If you are using Titanium for app creation you can use SetRequestHeader for setting the token with the request.
Hope it helps.
I needed to create my own function in Django to achieve this, but I finally got it working!
function getCSRF() {
var csrfHTTP = Ti.Network.createHTTPClient({
onload : function() {
Ti.App.Properties.setString("csrf", this.responseText);
}
});
csrfHTTP.open("GET", "http://website.com/api/csrftoken/");
csrfHTTP.send();
}
Then retrieve it via
Ti.App.Properties.getString("csrf")
and use it:
loginHTTP.setRequestHeader("X-CSRFToken", Ti.App.Properties.getString("csrf"));
Connecting to the website once creates a session in Django also creating a csrf token for that specific IP to use so you can retrieve it multiple times if needed