How to cURL an Authenticated Django App?

by

Here is a fully coded answer. The idea of the solution is:

  1. you have to first visit the login page with GET to get the cookies file generated,
  2. then parse the CSRF token out of the cookies file
  3. and do the login using a POST request, passing the data with -d.

Afterwards you can perform any request always using that CSRF token in the data ($DJANGO_TOKEN) or with a custom X-CSRFToken header. To log out simply delete the cookies file.

Note that you need a referer (-e) to make Django’s CSRF checks happy.

LOGIN_URL=https://yourdjangowebsite.com/login/
YOUR_USER='username'
YOUR_PASS='password'
COOKIES=cookies.txt
CURL_BIN="curl -s -c $COOKIES -b $COOKIES -e $LOGIN_URL"

echo -n "Django Auth: get csrftoken ..."
$CURL_BIN $LOGIN_URL > /dev/null
DJANGO_TOKEN="csrfmiddlewaretoken=$(grep csrftoken $COOKIES | sed 's/^.*csrftoken\s*//')"

echo -n " perform login ..."
$CURL_BIN \
    -d "$DJANGO_TOKEN&username=$YOUR_USER&password=$YOUR_PASS" \
    -X POST $LOGIN_URL

echo -n " do something while logged in ..."
$CURL_BIN \
    -d "$DJANGO_TOKEN&..." \
    -X POST https://yourdjangowebsite.com/whatever/

echo " logout"
rm $COOKIES

I have a slightly more secure version of this code, which uses a file for submitting the POST data, as a Gist on GitHub: django-csrftoken-login-demo.bash

Interesting background reading on Django’s CSRF token is on docs.djangoproject.com.

More Related Contents:

  1. Capturing URL parameters in request.GET
  2. Django REST Framework: adding additional field to ModelSerializer
  3. How to get the list of the authenticated users?
  4. Django – Where are the params stored on a PUT/DELETE request?
  5. Django Rest Framework: Disable field update after object is created
  6. AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ‘******-*****-*****-*****-*********’
  7. Token Authentication for RESTful API: should the token be periodically changed?
  8. Having trouble with user.is_authenticated in django template
  9. How to POST JSON Data With PHP cURL?
  10. Proper way to handle multiple forms on one page in Django
  11. Django Forms: if not valid, show form with error message
  12. How can I change the default Django date template format?
  13. Security of REST authentication schemes
  14. How to make remote REST call inside Node.js? any CURL?
  15. Using a UUID as a primary key in Django models (generic relations impact)
  16. Django get the static files URL in view
  17. Confusion in Django admin, static and media files
  18. What’s the cleanest, simplest-to-get running datepicker in Django?
  19. Django multi-select widget?
  20. Where can I find the error logs of nginx, using FastCGI and Django?
  21. How to assign currently logged in user as default value for a model field?
  22. Django – Overriding the Model.create() method?
  23. How to create a Django queryset filter comparing two date fields in the same model
  24. Django Queryset with filtering on reverse foreign key
  25. Django how to pass custom variables to context to use in custom admin template?
  26. Django Admin – Overriding the widget of a custom form field
  27. Setting default value for Foreign Key attribute
  28. Django REST Framework image upload
  29. Django: dynamic database file
  30. Get type of Django form widget from within template

Leave a Comment