How do I get CSRF Token added to request header?

[daleanplg]

Hi, first I would like to thank the creator and contributors for this amazing project/product. I have been using this library for authN for my Django apps for some time now and it is solid.

I am currently trying to wrap my head around the headless API, especially the browser authentication. In the example application I notice that the request function does some bootstrapping and also adds the CSRF Token to the request header using the following line: options.headers["X-CSRFToken"] = getCSRFToken();. But how does the token gets stored in the browser cookie in the first place?

Pardon me if I may have missed it somewhere in the docs or the example application but I have been digging for the past hour and I cannot seem to find it. In my application, the X-Csrftoken header value for is null in the request so Django throws a 403 and complains about Origin checking failed.

I took the liberty and looked at the demo react application for the project and behold, the header value is populated with an actual csftToken.

Any can point me in the right direction?

[daleanplg]

I am still doing some checks. It appears that there is a call to getConfig at some point during the bootstrapping process. Is it during this process that the Cookie for CSRF gets set?

[pennersr]

I am sorry, but it's really difficult to assess what is going on in your project. I would suggest a different strategy: start from the example application. That definitely works, and then gradually adjust it to your own needs...

[daleanplg]

Ok.

[daleanplg]

@pennersr I got it. I had CSRF_USE_SESSIONS = True. Once I disabled this, it behaved how I expected it to now.

[bgervan]

Just a sidenote about secure cookies, because the defaults are false

In production, use
SESSION_COOKIE_SECURE = True
but for the csrf, you still need
CSRF_COOKIE_SECURE = False
in order to reach it from js

[daleanplg]

Ok, excellent. Thanks for this.