我'm trying to create an SPA using Angular6 combined with Django. I'我有一个问题,Django不接受我发送的csrftoken cookie我的请求 . CSRF_USE_SESSIONS = False
在我的settings.py中
当获取请求设置cookie时,这是来自浏览器控制台的图片:
这是使用相同cookie的post-request:
cookie在请求之间没有变化,因为如果我之后再做另一个get-request,我会获得相同的cookie集 .
以下是cookie策略以角度设置的方式:
import { BrowserModule } from '@angular/platform-browser';
import { FormsModule, ReactiveFormsModule } from '@angular/forms';
import { NgModule } from '@angular/core';
import { HttpClientModule } from '@angular/common/http';
import { HttpModule, XSRFStrategy, CookieXSRFStrategy } from '@angular/http'
import ....
@NgModule({
declarations: [
AppComponent,
RegisterComponent,
LoginComponent,
AlertComponent,
ProfileComponent,
RegisterinvoiceComponent,
],
imports: [
BrowserModule,
FormsModule,
ReactiveFormsModule,
AppRoutingModule,
HttpClientModule,
HttpModule
],
providers: [
{
provide: XSRFStrategy,
useValue: new CookieXSRFStrategy('csrftoken', 'X-CSRFToken')
}
],
bootstrap: [AppComponent]
})
export class AppModule { }
我的Django视图代码:
class InvoiceViewSet(viewsets.ModelViewSet):
queryset=Invoices.objects.all()
serializer_class=InvoiceSerializer
def get_permissions(self):
if self.request.method in permissions.SAFE_METHODS:
return (permissions.AllowAny(),)
if self.request.method == 'POST':
return (permissions.IsAuthenticated(),)
return (permissions.IsAuthenticated(), IsAccountOwner(),)
@method_decorator(ensure_csrf_cookie)
def create(self, request):
serializer=InvoiceSerializer(data=request.data)
if serializer.is_valid():
user=request.user
...
return Response(serializer.validated_data, status=status.HTTP_201_CREATED)
return Response({
'status': 'Bad request',
'message': 'Invoice could not be created with received data',
}, status=status.HTTP_400_BAD_REQUEST)
编辑:
我还尝试从cookie中提取令牌值,并将其作为'csrfmiddlewaretoken'与其余的帖子数据一起发布 .
1 回答
最后得到了@jason .
我使用的是XSRFStrategy的弃用版本 . 工作代码现在在Angular中看起来像这样:
HttpXSRFInterceptor.ts看起来像这样:
为简洁起见,成功的请求和响应如下所示: