How to use csrf_token in Django RESTful API and React?

by

The first step is to get CSRF token which can be retrieved from the Django csrftoken cookie.

Now from the Django docs you can find out how to get the csrf token from the cookie by using this simple JavaScript function:

function getCookie(name) {
    var cookieValue = null;
    if (document.cookie && document.cookie !== '') {
        var cookies = document.cookie.split(';');
        for (var i = 0; i < cookies.length; i++) {
            var cookie = jQuery.trim(cookies[i]);
            if (cookie.substring(0, name.length + 1) === (name + '=')) {
                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                break;
            }
        }
    }
    return cookieValue;
}

Now, you can retrieve the CSRF token by calling the getCookie('csrftoken') function

var csrftoken = getCookie('csrftoken');

Next you can use this csrf token when sending a request with fetch() by assigning the retrieved token to the X-CSRFToken header.

  fetch(url, {
    credentials: 'include',
    method: 'POST',
    mode: 'same-origin',
    headers: {
      'Accept': 'application/json',
      'Content-Type': 'application/json',
      'X-CSRFToken': csrftoken
    },
    body: {}
   })
  }

Rendering the CSRF Token in React Forms:

If you are using React to render forms instead of Django templates you also need to render the csrf token because the Django tag { % csrf_token % } is not available at the client side so you need to create a higher order component that retrieves the token using the getCookie() function and render it in any form.

Lets add some line in csrftoken.js file.

import React from 'react';

var csrftoken = getCookie('csrftoken');

const CSRFToken = () => {
    return (
        <input type="hidden" name="csrfmiddlewaretoken" value={csrftoken} />
    );
};
export default CSRFToken;

Then you can simply import it and call it inside your form

import React, { Component , PropTypes} from 'react';

import CSRFToken from './csrftoken';


class aForm extends Component {
    render() {

        return (
                 <form action="/endpoint" method="post">
                        <CSRFToken />
                        <button type="submit">Send</button>
                 </form>
        );
    }
}

export default aForm;

The Django CSRF Cookie

React renders components dynamically that’s why Django might not be able to set a CSRF token cookie if you are rendering your form with React. This how Django docs says about that:

If your view is not rendering a template containing the csrftoken
template tag, Django might not set the CSRF token cookie. This is
common in cases where forms are dynamically added to the page. To
address this case, Django provides a view decorator which forces
setting of the cookie: ensurecsrf_cookie().

To solve this issue Django provides the ensurecsrfcookie decorator that you need to add to your view function. For example:

from django.views.decorators.csrf import ensure_csrf_cookie

@ensure_csrf_cookie
def myview(request):

More Related Contents:

  1. Does the django-rest-framework provide an admin site to manage models?
  2. How can I enable CORS on Django REST Framework
  3. DRF: Simple foreign key assignment with nested serializers?
  4. Django Rest Framework File Upload
  5. How do I include related model fields using Django Rest Framework?
  6. Include intermediary (through model) in responses in Django Rest Framework
  7. Retrieving a Foreign Key value with django-rest-framework serializers
  8. Django REST Framework upload image: “The submitted data was not a file”
  9. Django rest framework serializing many to many field
  10. Django serializer Imagefield to get full URL
  11. django-rest-framework 3.0 create or update in nested serializer
  12. Django Rest Framework and JSONField
  13. How can I use Django OAuth Toolkit with Python Social Auth?
  14. Django Rest Framework writable nested serializers
  15. Pass extra arguments to Serializer Class in Django Rest Framework
  16. When to use Serializer’s create() and ModelViewset’s perform_create()
  17. Logging requests to django-rest-framework
  18. Django REST Framework serializer field required=false
  19. Django Rest Framework – Could not resolve URL for hyperlinked relationship using view name “user-detail”
  20. Django Rest Framework – How to add custom field in ModelSerializer
  21. Order of Serializer Validation in Django REST Framework
  22. How can I register a single view (not a viewset) on my router?
  23. OperationalError, no such column. Django
  24. Django Python rest framework, No ‘Access-Control-Allow-Origin’ header is present on the requested resource in chrome, works in firefox
  25. how to add annotate data in django-rest-framework queryset responses?
  26. Override JSONSerializer on django rest framework
  27. Django: app level variables
  28. How to add custom field in ModelSerializer?
  29. CSRF validation does not work on Django using HTTPS
  30. Multiple lookup_fields for django rest framework

Leave a Comment