I have a Django application in which I want to get a page from my own website, and mimic a client side request by passing the request's headers and cookies.
middleware.py
r = requests.get('https://google.com', None, headers=request.META, cookies=request.COOKIES)
However, I noticed that in Django the request.META is capitalized and uses underscores instead of hyphens. While request.COOKIES returns empty, which leads me to believe they don't show up in middleware?
Am I missing something, this seems to be quite a downer since requests is such a popular library and Django is such a popular framework.
Are you sure you have set the cookie properly? I have tested this with a small piece of custom middleware and request.COOKIES had the cookie present. Here was my view:
def test(request):
response = HttpResponse('test')
response.set_cookie('foo', 'bar')
return response
Then, after setting a breakpoint with ipdb in my custom middleware:
class MyMiddleware(object):
def process_request(self, request):
import ipdb; ipdb.set_trace()
I could see the set cookie just fine:
ipdb> request.COOKIES
{'foo': 'bar'}
Related
How to redirect url from middleware?
Infinite loop problem.
I intend to redirect the user to a client registration url if the registration has not yet been completed.
def check_user_active(get_response):
def middleware(request):
response = get_response(request)
try:
print(Cliente.objects.get(usuario_id=request.user.id))
except Cliente.DoesNotExist:
return redirect('confirm')
return response
return middleware
Every request to server goes through Middleware. Hence, when you are going to confirm page, the request goes through middleware again. So its better put some condition here so that it ignores confirm url. You can try like this:
def check_user_active(get_response):
def middleware(request):
response = get_response(request)
if not request.path == "confirm":
try:
print(Cliente.objects.get(usuario_id=request.user.id))
except Cliente.DoesNotExist:
return redirect('confirm')
return response
return middleware
You should be using a login_required like decorator see Django authentication system for more detail.
Example:
from django.contrib.auth.decorators import login_required
#login_required(login_url="/your/login/view/url/")
def my_view(request):
...
Avoid using middlewares for any kind of redirection always you can, according to the docs
Middleware is a framework of hooks into Django’s request/response processing. It’s a light, low-level “plugin” system for globally altering Django’s input or output.
In other words, middlewares are there for processing request and responses, if you redirect to any view, you will (potentially) recursively trigger your middleware.
And, on the other hand ...
In the future, you might want to add a view that can be visited by anonymous users, this middleware will be a problem ...
I'm using Django 1.6 and python 3.3.
I'm trying to test POST form with django test client, and it receives 403 after sending request. If I add #csrf_exempt at my view method, everything works perfect.
But the Django documentation says that it should work with enabled csrf protection fine:
For this reason, Django’s HTTP client for tests has been modified to set a flag on requests which relaxes the middleware and the csrf_protect decorator so that they no longer rejects requests.
Here is my test code:
def testSimple(self):
c = Client('Chrome 1.0')
from partners.views import cashier
response = c.post(reverse(cashier.simple), {'x': 123})
self.assertContains(response,'html')
And here is a view:
def simple(request):
return render(request, 'partners/cashier/index.html')
And when I run this test I see:
AssertionError: 403 != 200
So, can you please tell me what I'm doing wrong?
Client() has the following __init__:
def __init__(self, enforce_csrf_checks=False, **defaults):
You're setting enforce_csrf_checks to True b/c 'Chrome 1.0' evaluates to truthy!
If you want to set the user agent:
c = Client(HTTP_USER_AGENT='Mozilla/5.0')
I am using the django rest framework to perform API calls via IOS
and I get the following error
"CSRF Failed: CSRF cookie not set."
Here's my django API code:
class LoginView(APIView):
"""
List all snippets, or create a new snippet.
"""
#csrf_exempt
def get(self, request, format=None):
startups = Startup.objects.all()
serializer = StartupSerializer(startups, many=True)
return Response(serializer.data)
#csrf_exempt
def post(self, request, format=None):
profile = request.POST
....
What can I do?
If anyone is still following this question, the direct answer is that you need to use the decorator on the view method itself. The get and post methods defined on the APIView class just tell DRF how the actual view should behave, but the view method that the django router expects is not actually instantiated until you call LoginView.as_view().
Thus, the solution is to add the csrf_exempt decorator to urls.py. It might look as follows:
#file: urls.py
from django.conf.urls import patterns, url
from django.views.decorators.csrf import csrf_exempt
import views
urlpatterns = patterns('',
url('^login/$', csrf_exempt(views.LoginView.as_view())),
...
)
However, as Mark points out above, csrf protection is important to prevent your sessions from being hijacked. I haven't worked with iOS myself, but I would look into using django's cookie-based csrf tokens. You can use the ensure_csrf_cookie decorator to make django send a csrftoken cookie with a response, and your POST requests will validate as long as you include that token as an X-CSRFToken header.
I've had the same issue. My problem was that I forgot to put .as_view() in urls.py on MyAPIView. So it have to be like:
url(r'$', GetLikesAPI.as_view(), name='list')
not:
url(r'$', GetLikesAPI, name='list')
The problem you encounter here is that django for processing your view is using whatever as_view() method will return, not directly method get() or post().
Therefore you should decorate your class-based view in one of following ways:
In urls.py
urlpatterns = patterns('',
url('^login/$', csrf_exempt(views.LoginView.as_view())),
...
)
or on dispatch() method (pre django 1.9)
from django.utils.decorators import method_decorator
class LoginView(APIView):
#method_decorator(csrf_exempt)
def dispatch(self, *args, **kwargs):
...
or on class view itself (from django 1.9)
from django.utils.decorators import method_decorator
#method_decorator(csrf_exempt, name='dispatch')
class LoginView(APIView):
...
For GETs, you shouldn't be modifying data, so a CSRF isn't required.
If you are modifying data with a POST, then you SHOULD have a CSRF if you are using session based authentication. Otherwise, you're opening up a security hole. Even though you think your Django server is going to be servicing iPhone apps, there's nothing to stop someone with your app from sniffing the packets on the traffic to your server, and then reverse engineering access to the server with other kinds of web clients. For this reason, Django Rest Framework requires a CSRF in some cases. This is mentioned in the Django rest framework documentation.
The path around this requirement for POSTs is to not use session authentication. For example, you could use BasicAuthentication over HTTPS. With this authentication mechanism, you should use HTTPS to prevent credentials from being passed in the clear with every request.
This is an old question but something we ran into recently.
DRF disables CSRF by default, unless using session authentication. By default NSURLconnection is set up to handle cookies. You need to explicitly tell the iOS app to not use cookies. Then you can keep using session auth if needed and not have to csrf exempt your views.
urlpatterns = patterns('',
url('^login/$', csrf_exempt(views.LoginView.as_view())),
...
)
Guys. I had the same error and spent a lot of time just for finding that:
1) I had another router with 'login' and there i missed '$'. I mean sometimes you can forget something in routing and get this error.
In my case it happend because I sent put request to url='http://example.com/list/5' without slash at the end. When I changed url to url='http://example.com/list/5/' all started to work.
Is there a way to redirect to another page in Django when outside of a view function.
I need to be able to redirect anywhere in my app, NOT just when I'm returning an HTTP response back to the client.
I've tried the redirect shortcut:
from django.shortcuts import redirect
redirect("/some/url")
and also
redirect("http://someserver.com/some/url")
but this does no noticable action.
I need something like header("Location: /some/url"); in PHP which can be used anywhere inside the script.
Thanks
You could abuse/leverage process_exception of middleware:
# middleware.py
from django import shortcuts
class Redirect(Exception):
def __init__(self, url):
self.url = url
def redirect(url):
raise Redirect(url):
class RedirectMiddleware:
def process_exception(self, request, exception):
if isinstance(exception, Redirect):
return shortcuts.redirect(exception.url)
You can then do:
from middleware import redirect
redirect('/some/url/')
Also don't forget to add RedirectMiddleware to your MIDDLEWARE_CLASSES settings.
Maybe a stupid question here:
Is Requests(A python HTTP lib) support Django 1.4 ?
I use Requests follow the Official Quick Start like below:
requests.get('http://127.0.0.1:8000/getAllTracks', auth=('myUser', 'myPass'))
but i never get authentication right.(Of course i've checked the url, username, password again and again.)
The above url 'http://127.0.0.1:8000/getAllTracks' matches an url pattern of the url.py of a Django project, and that url pattern's callback is the 'getAllTracks' view of a Django app.
If i comment out the authentication code of the 'getAllTracks' view, then the above code works OK, but if i add those authentication code back for the view, then the above code never get authenticated right.
The authentication code of the view is actually very simple, exactly like below (The second line):
def getAllTracks(request):
if request.user.is_authenticated():
tracks = Tracks.objects.all()
if tracks:
# Do sth. here
Which means if i delete the above second line(with some indents adjustments of course), then the requests.get() operation do the right thing for me, but if not(keep the second line), then it never get it right.
Any help would be appreciated.
In Django authentication works in following way:
There is a SessionMiddleware and AuthenticationMiddleware. The process_request() of both these classes is called before any view is called.
SessionMiddleware uses cookies at a lower level. It checks for a cookie named sessionid and try to associate this cookie with a user.
AuthenticationMiddleware checks if this cookie is associated with an user then sets request.user as that corresponding user. If the cookie sessionid is not found or can't be associated with any user, then request.user is set to an instance of AnonymousUser().
Since Http is a stateless protocol, django maintains session for a particular user using these two middlewares and using cookies at a lower level.
Coming to the code, so that requests can work with django.
You must first call the view where you authenticate and login the user. The response from this view will contain sessionid in cookies.
You should use this cookie and send it in the next request so that django can authenticate this particular user and so that your request.user.is_authenticated() passes.
from django.contrib.auth import authenticate, login
def login_user(request):
user = authenticate(username=request.POST.get('username'), password=request.POST.get('password'))
if user:
login(request, user)
return HttpResponse("Logged In")
return HttpResponse("Not Logged In")
def getAllTracks(request):
if request.user.is_authenticated():
return HttpResponse("Authenticated user")
return HttpResponse("Non Authenticated user")
Making the requests:
import requests
resp = requests.post('http://127.0.0.1:8000/login/', {'username': 'akshar', 'password': 'abc'})
print resp.status_code
200 #output
print resp.content
'Logged In' #output
cookies = dict(sessionid=resp.cookies.get('sessionid'))
print cookies
{'sessionid': '1fe38ea7b22b4d4f8d1b391e1ea816c0'} #output
response_two = requests.get('http://127.0.0.1:8000/getAllTracks/', cookies=cookies)
Notice that we pass cookies using cookies keyword argument
print response_two.status_code
200 #output
print response_two.content
'Authenticated user' #output
So, our request.user.is_authenticated() worked properly.
response_three = requests.get('http://127.0.0.1:8000/hogwarts/getAllTracks/')
Notice we do not pass the cookies here.
print response_three.content
'Non Authenticated user' #output
I guess, auth keyword for Requests enables HTTP Basic authentication which is not what is used in Django. You should make a POST request to login url of your project with username and password provided in POST data, after that your Requests instance will receive a session cookie with saved authentication data and will be able to do successful requests to auth-protected views.
Might be easier for you to just set a cookie on initial authentication, pass that back to the client, and then for future requests expect the client to send back that token in the headers, like so:
r = requests.post('http://127.0.0.1:8000', auth=(UN, PW))
self.token = r.cookies['token']
self.headers = {'token': token}
and then in further calls you could, assuming you're in the same class, just do:
r = requests.post('http://127.0.0.1:8000/getAllTracks', headers=self.headers)