I have an application wrote with Django REST Framework (DRF). Also, there are such registered endpoints:
from refreshtoken.views import delegate_jwt_token
from rest_framework_jwt.views import obtain_jwt_token
urlpatterns = [
path('api-token-auth/', obtain_jwt_token),
path('api-auth/', include('rest_framework.urls', namespace='rest_framework')),
path(r'refresh-token', delegate_jwt_token, name='refresh-token'),
]
Also, there are some endpoints, which requires authorization.
So, I'm trying to extract my token using curl
client:
curl -X POST -H "Content-Type: application/json" http://127.0.0.1:8000/api-token-auth/ -d '{"username": "test", "password": "testpassword"}'
It returns something like this:
{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYTdlMmIyMjItZTZkNy00NjhiLTkxNzYtOTE2YzAwZWRhY2E2IiwidXNlcm5hbWUiOiJ0ZXN0IiwiZXhwIjoxNTUwNTEwNDAwLCJlbWFpbCI6InRlc3RAZHhhbXBsZS5jb20iLCJpc19zdGFmZiI6ZmFsc2UsImdyb3VwcyI6W10sInN1YnNjcmliZWQiOmZhbHNlLCJ0ZWxlZ3JhbV9zdWJzY3JpYmVkIjpmYWxzZX0.OExR9TlO3GUisYAu_D86CJ6hgF1EcofpQA0MZ1ENT2c","refresh_token":"1ab03e609d7a7ae05ce104c73858a346a0438e72"}
Then, using this token I want to login, using token:
curl -X POST -H "Authorization: JWT eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoiYTdlMmIyMjItZTZkNy00NjhiLTkxNzYtOTE2YzAwZWRhY2E2IiwidXNlcm5hbWUiOiJ0ZXN0IiwiZXhwIjoxNTUwNTEwNDAwLCJlbWFpbCI6InRlc3RAZHhhbXBsZS5jb20iLCJpc19zdGFmZiI6ZmFsc2UsImdyb3VwcyI6W10sInN1YnNjcmliZWQiOmZhbHNlLCJ0ZWxlZ3JhbV9zdWJzY3JpYmVkIjpmYWxzZX0.OExR9TlO3GUisYAu_D86CJ6hgF1EcofpQA0MZ1ENT2c" -H "Content-Type: application/json" http://127.0.0.1:8000/api-auth/login/ -d '{"username": "test", "password": "testpassword"}'
It returns 403 (Forbidden)
CSRF verification failed. Request aborted.
Why I'm doing wrong?
One interesting point here:
Each request for the token returns a new token for the same user:password pair (is it expected or my token expires too fast)?