Issue #3906

Updated by milan over 6 years ago

Pulp's REST API validates that only acceptable fields are submitted with each request. The list of fields does not include the csrf token. As a result of this validation, the browsable API forms produce responses that look like this: 

 <pre> 
     HTTP 400 Bad Request 
     Allow: GET, POST, HEAD, OPTIONS 
     Content-Type: application/json 
     Vary: Accept 
     
     { 
         "csrfmiddlewaretoken": [ 
             "Unexpected field" 
         ] 
     } 

 </pre> 

 We need to investigate how to configure DRF to stop including this field with each form. Otherwise a fix from comment 3 would be appropriate.  

 h3. Notes 

 To easily reproduce, navigate your _browser_ to e.g. http://localhost:8000/pulp/api/v3/repositories/ and create a repository by filling in the create repository form. 
 This happens when "session authentication is used":http://kylebebak.github.io/post/django-rest-framework-auth-csrf such as with a browser; "non-session authentication won't trigger the CSRF protection":http://www.django-rest-framework.org/api-guide/authentication/#sessionauthentication. 
 Unfortunately it seems the session-authentication is somehow mandatory or at least I wasn't able to just switch it off: 

 <pre> 
 pulp: django.request:ERROR: Internal Server Error: /pulp/api/v3/repositories/ 
 Traceback (most recent call last): 
   File "/home/vagrant/.virtualenvs/pulp/lib64/python3.6/site-packages/django/core/handlers/exception.py", line 34, in inner 
     response = get_response(request) 
   File "/home/vagrant/.virtualenvs/pulp/lib64/python3.6/site-packages/django/utils/deprecation.py", line 90, in __call__ 
     response = self.process_request(request) 
   File "/home/vagrant/.virtualenvs/pulp/lib64/python3.6/site-packages/django/contrib/auth/middleware.py", line 23, in process_request 
     ) % ("_CLASSES" if settings.MIDDLEWARE is None else "") 
 AssertionError: The Django authentication middleware requires session middleware to be installed. Edit your MIDDLEWARE setting to insert 'django.contrib.sessions.middleware.SessionMiddleware' before 'django.contrib.auth.middleware.AuthenticationMiddleware'. 
 [13/Aug/2018 13:15:14] "GET /pulp/api/v3/repositories/ HTTP/1.1" 500 69693 
 </pre>
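
The strict field check described in this issue, modelled as an added stand-alone example (not Pulp's or DRF's code, and not necessarily the fix from comment 3). It shows the reported 400 next to a variant that exempts only the CSRF form field. The names @validate_fields@, @strict@, @tolerant@ and the @REPOSITORY_FIELDS@ set are assumptions made for illustration.

```python
CSRF_FORM_FIELD = "csrfmiddlewaretoken"      # field name taken from the 400 response above
REPOSITORY_FIELDS = {"name", "description"}  # assumed field set, for illustration only


def validate_fields(submitted, declared, transport_fields=frozenset()):
    """Return (status, body) the way a strict unknown-field check would.

    transport_fields are keys added by the form transport rather than by the
    caller; the check skips them and they never reach the validated data.
    """
    unknown = sorted(set(submitted) - set(declared) - set(transport_fields))
    if unknown:
        return 400, {name: ["Unexpected field"] for name in unknown}
    return 201, {k: v for k, v in submitted.items() if k in declared}


# Constructed sample requests, shaped like a browsable API form POST.
browser_form = {"name": "demo", "description": "", CSRF_FORM_FIELD: "constructed-token"}
typo_form = {"name": "demo", "descripton": "x", CSRF_FORM_FIELD: "constructed-token"}


def strict(submitted):
    """Behaviour reported in this issue: the CSRF token counts as unexpected."""
    return validate_fields(submitted, REPOSITORY_FIELDS)


def tolerant(submitted):
    """Exempt only the CSRF token; every other unknown key is still rejected."""
    return validate_fields(submitted, REPOSITORY_FIELDS, {CSRF_FORM_FIELD})


if __name__ == "__main__":
    print(strict(browser_form))    # 400, token reported as unexpected
    print(tolerant(browser_form))  # 201, token absent from validated data
    print(tolerant(typo_form))     # 400, the misspelled field is still caught
```

The exemption changes field validation only. For session-authenticated requests the token is still verified by Django's CSRF check, so skipping it in the serializer does not weaken that protection.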
