[Fixed]-Using django with postman {"detail":"CSRF Failed: CSRF token missing or incorrect."}

8👍

Your API needs a CSRF token; you have to add the CSRF token to the request (and Postman):

data: { csrfmiddlewaretoken: csrf_token, "username": "thesamething", "email": "thesamething", "password": "thesamething" }

You can get the CSRF token from your form input field (you will find a hidden field if you use Django's built-in form API), or if you use Ajax, you can have a look at Cross Site Request Forgery protection. It has nothing to do with your authorization key: your key is used to identify who you are, and the CSRF token is to make sure this request is sent from your server.

26👍

If using token-based authentication with DRF, don't forget to set it in settings.py. Otherwise you'll get a CSRF error:

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': [
        'rest_framework.authentication.TokenAuthentication',
    ]
}
👤aris

14👍

I was facing the same problem with Postman. I was asked to include a CSRF on every request after getting a token for the first time, so I realized that I had Session and Token authentication methods enabled, so I commented out the SessionAuthentication line (of course, you could remove it as well):

'DEFAULT_AUTHENTICATION_CLASSES': [
    'rest_framework.authentication.TokenAuthentication',
    # 'rest_framework.authentication.SessionAuthentication',
]

After that, I was able to request a token by using only my credentials without including any CSRF code:

Successful token requests

I think that the fact of having those two auth classes activated was causing Django to muddle up somehow.

👤Felipe
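
A simplified model of why the two settings changes above make the error disappear (an added example, not code from the answers and not DRF's source). It assumes the client's cookie jar holds a `sessionid` cookie, compares the CSRF token directly instead of using Django's masked comparison, and accepts any token key; all names and values are constructed.

```python
# Simplified model of DRF's authenticator loop; not DRF source code.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # CSRF check skips these

class CSRFFailed(Exception):
    pass

def token_auth(req):
    # Looks only at the Authorization header; CSRF is never consulted.
    scheme, _, key = req["headers"].get("Authorization", "").partition(" ")
    if scheme.lower() != "token" or not key:
        return None                      # not attempted, try the next class
    return "token-user"                  # constructed: a real check looks the key up

def session_auth(req):
    # Relies on a cookie the client sends automatically, so it enforces CSRF.
    if "sessionid" not in req["cookies"]:
        return None
    if req["method"] not in SAFE_METHODS:
        sent = req["headers"].get("X-CSRFToken")
        if not sent or sent != req["cookies"].get("csrftoken"):
            raise CSRFFailed("CSRF Failed: CSRF token missing or incorrect.")
    return "session-user"

def authenticate(auth_classes, req):
    # First class that returns a user wins; an exception aborts the request.
    for auth in auth_classes:
        user = auth(req)
        if user is not None:
            return user
    return None                          # anonymous

# Constructed requests, as a client with a stored session cookie would send them.
COOKIES = {"sessionid": "constructed-session", "csrftoken": "constructed-csrf"}

def post(headers):
    return {"method": "POST", "headers": headers, "cookies": COOKIES}

def outcome(auth_classes, req):
    # Returns the authenticated user, None for anonymous, or the error text.
    try:
        return authenticate(auth_classes, req)
    except CSRFFailed as exc:
        return str(exc)
```
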

6👍

For me the solution was to add the X-CSRFToken header in Postman (gotten from initial login response in browser)

see https://stackoverflow.com/a/26639895/8133649

1👍

In the settings.py file:

INSTALLED_APPS = [
    # ...
    'rest_framework.authtoken',
    # ...
]

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.TokenAuthentication',
    ),
}

In the project urls.py:

from django.urls import path
from rest_framework.authtoken import views

urlpatterns = [
    # ...
    path('api-token-auth/', views.obtain_auth_token, name='api-token-auth'),
]

Open a terminal and run:

$ pip3 install httpie
$ python3 manage.py createsuperuser # if not created
$ http POST http://localhost:8000/api-token-auth/ username="username" password="password"   # You will get the token key (just copy it), ex: a243re43fdeg7r4rfgedwe89320

Your token key will also be automatically saved in your databases.

Go to the Postman headers (like in the example).
Ex: screenshot from Postman, where and how to paste the accessed token
Then insert your token key.

Reference to get the token key: from this video

0👍

I changed the request method from POST to PATCH and I could log in.

0👍

You can either use csrfmiddlewaretoken: csrf_token in your JSON data, where csrf_token is a valid token, or, in a situation where you are unable to provide a correct token, comment out or remove SessionAuthentication as below.

'DEFAULT_AUTHENTICATION_CLASSES': [
    'rest_framework.authentication.TokenAuthentication',
    # 'rest_framework.authentication.SessionAuthentication',
]

0👍

  • Create an endpoint which returns an HTML page.
    Endpoint – /get_token
    Details – The HTML page will have only 1 line of code, i.e. {{ csrf_token }}. Request that URL from Postman. In the response you will see the token.

  • For the new POST method endpoint, add a header with the name X-CSRFToken and the csrf_token as its value. Send the JSON data according to requirement.
