I am building an app using Cordova, with a backend implemented with Django REST framework and django-rest-auth (for providing REST API registration/login endpoints). I am also using django-allauth, but that is probably not relevant for this question.
When I try to log in via the rest-auth/login endpoint provided by rest-auth, I get a 403 error with the message:
"CSRF verification failed. Request aborted. You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent.... "
I am using token-based authentication provided by DRF, and my settings for DRF and the middleware are:
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework.authentication.TokenAuthentication',
        'rest_framework.authentication.BasicAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    ),
    'DEFAULT_PERMISSION_CLASSES': [
        # 'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly'
        'rest_framework.permissions.IsAuthenticated',
    ],
    'PAGE_SIZE': 10,
}

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
)
MIDDLEWARE_CLASSES += (
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
)
Surprisingly, it used to work for me in the past, and it still works in debug mode (the development server on localhost). From what I understand, CSRF verification is not disabled in debug mode either, so it should have failed with the development server too.
Why does it require a Referer header with token authentication, and, since the app is Cordova-based, what if the client does not send a Referer header at all?
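The following is an added illustration, not code from the question, from Django or from DRF. It is a stripped-down model of the one part of the request path that matters here: DRF tries the classes in DEFAULT_AUTHENTICATION_CLASSES in order and stops at the first that returns a user; TokenAuthentication never runs a CSRF check, but SessionAuthentication enforces CSRF on every request it authenticates by running Django's CSRF check, and that check rejects an HTTPS request that carries no Referer header before it even looks at the CSRF token. The scenario names, the sample token and session values are constructed; it is an assumption, not something the question confirms, that the failing request reached SessionAuthentication because the client sent a session cookie (for example from an earlier browser or admin login) rather than an Authorization: Token header. BasicAuthentication is omitted because it plays no part in the CSRF behaviour.

```python
from dataclasses import dataclass, field

# Constructed sample credentials standing in for the database (not real values).
VALID_TOKENS = {"9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b": "alice"}
VALID_SESSIONS = {"sess-abc123": "alice"}
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    is_secure: bool = True  # the production site is served over HTTPS


class CsrfFailed(Exception):
    """Stands in for DRF's PermissionDenied('CSRF Failed: ...')."""


class TokenAuthentication:
    def authenticate(self, request):
        auth = request.headers.get("Authorization", "")
        if not auth.startswith("Token "):
            return None  # not our scheme; DRF moves on to the next class
        return VALID_TOKENS.get(auth.split(" ", 1)[1])  # no CSRF check on this path


class SessionAuthentication:
    def authenticate(self, request):
        user = VALID_SESSIONS.get(request.cookies.get("sessionid"))
        if user is None:
            return None
        self.enforce_csrf(request)  # runs for every session-authenticated request
        return user

    @staticmethod
    def enforce_csrf(request):
        # Simplified model of the checks Django's CsrfViewMiddleware applies:
        # safe methods are skipped; an HTTPS request must carry a Referer (this
        # is the "requires a 'Referer header'" failure from the question); only
        # then are the cookie and header tokens compared.
        if request.method in SAFE_METHODS:
            return
        if request.is_secure and "Referer" not in request.headers:
            raise CsrfFailed("Referer checking failed - no Referer.")
        if request.cookies.get("csrftoken") != request.headers.get("X-CSRFToken"):
            raise CsrfFailed("CSRF token missing or incorrect.")


# Same order as the question's DEFAULT_AUTHENTICATION_CLASSES, minus Basic.
AUTH_CLASSES = (TokenAuthentication, SessionAuthentication)


def authenticate(request):
    """Return (authenticator name, user), or (None, None) for an anonymous request."""
    for cls in AUTH_CLASSES:
        user = cls().authenticate(request)
        if user is not None:
            return cls.__name__, user
    return None, None


def outcome(request):
    """Summarise the result as a short string so the scenarios are easy to compare."""
    try:
        name, user = authenticate(request)
    except CsrfFailed as exc:
        return f"403 CSRF Failed: {exc}"
    return f"{name} -> {user}" if user else "anonymous"


def run_scenarios():
    token_hdr = {"Authorization": "Token 9944b09199c62bcf9418ad846dd0e4bbdfc6ee4b"}
    return {
        # The Cordova app sends its token: TokenAuthentication wins, Referer is irrelevant.
        "token_https": outcome(Request("POST", headers=token_hdr)),
        # Only a session cookie (e.g. left over from a browser login) over HTTPS and
        # no Referer: SessionAuthentication enforces CSRF and the Referer rule rejects it.
        "session_https_no_referer": outcome(
            Request("POST", cookies={"sessionid": "sess-abc123"})),
        # The same request against the plain-HTTP dev server: the Referer rule does
        # not apply, so only the cookie/header token pair is checked.
        "session_http_no_referer": outcome(
            Request("POST", cookies={"sessionid": "sess-abc123", "csrftoken": "t1"},
                    headers={"X-CSRFToken": "t1"}, is_secure=False)),
        # No credentials at all: anonymous, and DRF runs no CSRF check.
        "no_credentials": outcome(Request("POST")),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The practical check this suggests: capture the exact request the Cordova app sends to rest-auth/login and confirm whether it carries an Authorization: Token header or a sessionid cookie, and whether the failing deployment is HTTPS while the working one is plain HTTP. The model above only covers the Session path; if the failing request carries no session cookie at all, the rejection is coming from somewhere this model does not represent.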