We need csrf_exempt support.

Question

We need csrf_exempt support.

sameerjagtap opened this issue 4 years ago · comments

We need csrf_exempt support like django has. I have a login API (POST) in which i am creating csrf token, but its asking for csrf token even before creating.
https://docs.djangoproject.com/en/3.0/ref/csrf/

Sameer Jagtap commented 4 years ago

Login API

Tim Condon · Answer 1 · Wed Feb 12 2020 17:59:02 GMT+0800 (China Standard Time)

Is this for an API or website?

Tim Condon · Answer 2 · Thu Feb 13 2020 15:33:48 GMT+0800 (China Standard Time)

So do you want to protect the Login POST request with a CSRF token or is it other endpoints that you want protected?

Tim Condon · Answer 3 · Thu Feb 13 2020 15:36:20 GMT+0800 (China Standard Time)

(Side note - what exactly are you trying to protect against? Is this an API consumed by an SPA or is it used by an iOS app for example)

Sameer Jagtap · Answer 4 · Thu Feb 13 2020 17:08:02 GMT+0800 (China Standard Time)

Suppose I don't want to protect Login API (POST). How can i do that? adding [.POST] to ignoredMethods will not work, because it will br applied to all POST API's. Currently there is no provision to exempt particular API from CSRF checks.

Tim Condon · Answer 5 · Thu Feb 13 2020 18:55:41 GMT+0800 (China Standard Time)

The simple way is to just not add the middleware to that route.

As an aside, if you're not using a browser to interact with your API, CSRF really doesn't make any sense, or provide any protection

Sameer Jagtap · Answer 6 · Thu Feb 13 2020 20:02:19 GMT+0800 (China Standard Time)

How can i do that in Vapor 3?

Tim Condon · Answer 7 · Thu Feb 13 2020 20:17:13 GMT+0800 (China Standard Time)

Well if you're adding the middleware globally, change that to add it to a route group and add the routes to that instead. This would be better asked in Vapor Discord

Sameer Jagtap · Answer 8 · Thu Feb 13 2020 20:18:16 GMT+0800 (China Standard Time)

ok, thanks. I will try this.