'CSRF Exempt Django Auth Password Reset View for Cross Domain request
I have a separate front end and backend site and I am trying to enable users on the front end to reset their password. I have created an endpoint for them to do so which works when accessed via the backend site. But when I try to access the endpoint via Insomnia I get:
Forbidden (403)
CSRF verification failed. Request aborted.
I have added my front end domain to the CORS_ORIGIN_WHITELIST.
class PasswordResetView(auth_views.PasswordResetView):
template_name = 'users/reset_password.html'
@method_decorator(csrf_exempt)
def dispatch(self, *args, **kwargs):
return super().dispatch(*args, **kwargs)
Is there some other method that I must also make csrf_exempt?
Solution 1:[1]
django.contrib.auth.views.PasswordResetView decorates its dispatch method with csrf_protect, where csrf_protect = decorator_from_middleware(CsrfViewMiddleware).
Wrapping with your csrf_exempt and the actual CsrfViewMiddleware, we have csrf_protect(csrf_exempt(csrf_protect(<bound method PasswordResetView.dispatch ...>))), where <bound method PasswordResetView.dispatch ...> is super().dispatch.
That can be reduced to csrf_protect(<bound method PasswordResetView.dispatch ...>).
We can trick CsrfViewMiddleware by setting request.csrf_processing_done = True:
class PasswordResetView(auth_views.PasswordResetView):
template_name = 'users/reset_password.html'
@method_decorator(csrf_exempt)
def dispatch(self, request, *args, **kwargs):
request.csrf_processing_done = True
return super().dispatch(request, *args, **kwargs)
Alternatively, you can set super().dispatch.__wrapped__.csrf_exempt = True but this has the side effect of also affecting other view classes that inherit auth_views.PasswordResetView, since super().dispatch.__wrapped__ is just <function PasswordResetView.dispatch ...>.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | aaron |