
Hi, I currently have an API that uses the simple-JWT package for JWT token authentication, and it works great. But now, when I try to call the API from the Django website app using Ajax, from a page where the user is already logged in, it still requires me to use the JWT access_token.

My Ajax call from the page where the user is already logged in:

// Assumption: property_id is defined by the enclosing page script and access_token is
// rendered into the template by the view. SimpleJWT only accepts an access token as a
// Bearer credential; a refresh token in the Authorization header is rejected.
$.ajax({
    type: "POST",
    url: "/api/add_favorite/" + property_id + "/",
    dataType: "json",
    beforeSend: function (xhr) {
        xhr.setRequestHeader('Authorization', 'Bearer {{ access_token }}');
    },
    success: function (data) {
        if (data.code == 200) {
            alert('added to favorite');
            var replace_part_1 = '<a id="mylink2" href="#" value="' + property_id + '"><i class="fas fa-heart fa-lg" style="color: red" title="Remove from favorite"></i></a>';
            $("a[value='" + property_id + "']").replaceWith(replace_part_1);
        }
    }
});

Now I don't want to set the Authorization header, since on that page the user is already logged in and the session is already set.

So I tried adding Django session authentication to the API like so:

from django.http import JsonResponse
from rest_framework.authentication import SessionAuthentication
from rest_framework.decorators import api_view, authentication_classes, permission_classes
from rest_framework.permissions import IsAuthenticated
from rest_framework_simplejwt.authentication import JWTAuthentication

from .models import Property  # assumed location of the Property model


@api_view(['POST'])
@authentication_classes([SessionAuthentication, JWTAuthentication])
@permission_classes([IsAuthenticated])
def add_favorite(request, property_id):
    # @api_view(['POST']) already answers other methods with 405, and IsAuthenticated
    # already guarantees request.user is authenticated, so neither needs re-checking.
    try:
        favorite_property = Property.objects.get(pk=property_id)
    except Property.DoesNotExist:
        return JsonResponse({'code': '404', 'errors': "Property not found"}, status=404)

    login_user = request.user
    if login_user.properties.filter(pk=property_id).exists():
        return JsonResponse({'code': '404', 'errors': "Property already exists in favorite"}, status=404)

    login_user.properties.add(favorite_property)
    return JsonResponse({'code': '200', 'data': favorite_property.id}, status=200)

My Ajax after removing the header:

$.ajax({
    type: "POST",
    url: "/api/add_favorite/" + property_id + "/",
    dataType: "json",
    success: function (data) {
        if (data.code == 200) {
            alert('added to favorite');
            var replace_part_1 = '<a id="mylink2" href="#" value="' + property_id + '"><i class="fas fa-heart fa-lg" style="color: red" title="Remove from favorite"></i></a>';
            $("a[value='" + property_id + "']").replaceWith(replace_part_1);
        }
    }
});

After removing the header from the Ajax call, I now get a 403 return code:

Failed to load resource: the server responded with a status of 403 (Forbidden)

My settings:

REST_FRAMEWORK = {
    # Use Django's standard `django.contrib.auth` permissions,
    # or allow read-only access for unauthenticated users.
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated',
    ],
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication',
        'rest_framework.authentication.SessionAuthentication',
    ),
    # 'DEFAULT_FILTER_BACKENDS': ('django_filters.rest_framework.DjangoFilterBackend',)
}

I don't know why the session authentication doesn't work, since the Ajax call is from the page where the user is already logged in.

Thanks for reading!

1 Answer

Because you're adding an Authorization header to your Ajax requests, Django automatically uses TokenAuthentication if an Authorization header exists on the request. Remove it to use SessionAuthentication.

There might be a problem when you switch to SessionAuthentication: Django will reject your unsafe requests if there is no CSRF token. More detail here.


3 Comments

I edited my question with the Ajax call I sent and the error I get; the Authentication part of the header has already been removed.
Is there any other message from the server? You could use Chrome Dev Tools -> open the Network tab to see the response message. I think it will be something related to CSRF, but yeah, try that and update your question with the response message.
You are right, it was missing CSRF; I totally forgot about that. I changed my Ajax set header to xhr.setRequestHeader('X-CSRFToken', '{{csrf_token}}'); and it works now. Thank you.
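Why the 403 appears, and the fix the thread converges on, in one added example (this is not code from the original question or answer). DRF tries DEFAULT_AUTHENTICATION_CLASSES in order: JWTAuthentication returns None when the request carries no Authorization header, so SessionAuthentication runs next and, for a request that carries a logged-in session cookie, enforces Django's CSRF check on unsafe methods (POST, PUT, PATCH, DELETE). A session-authenticated POST with no X-CSRFToken header is therefore refused with 403 even though the user is logged in. The snippet below reads the token from Django's default csrftoken cookie and attaches it once, via $.ajaxSetup, to every unsafe same-origin request instead of a hand-written beforeSend per call. The cookie name "csrftoken" and the header name "X-CSRFToken" are Django's defaults (CSRF_COOKIE_NAME, CSRF_HEADER_NAME); propertyId and the /api/add_favorite/ URL are taken from the question and assumed to exist on the page.

```javascript
// Added example, not from the original post: send Django's CSRF token with
// unsafe, same-origin jQuery requests so DRF's SessionAuthentication accepts them.

// Methods Django's CSRF middleware does not check.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Read one cookie from a document.cookie-style string. Django keeps the CSRF token in
// the "csrftoken" cookie by default; with CSRF_USE_SESSIONS = True there is no cookie
// and the {{ csrf_token }} template tag has to be used instead.
function getCookie(name, cookieString) {
  const source = cookieString !== undefined
    ? cookieString
    : (typeof document !== 'undefined' ? document.cookie : '');
  for (const part of source.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

// Headers to add for a given request. Only unsafe, same-origin requests get the
// token: sending it cross-origin would hand it to another site and defeat the check.
function csrfHeadersFor(method, crossDomain, token) {
  if (csrfSafeMethod(method) || crossDomain || !token) {
    return {};
  }
  return { 'X-CSRFToken': token };
}

// Register the header once for every jQuery request on the page. jQuery passes the
// normalised (upper-cased) method in settings.type and sets settings.crossDomain.
function installCsrfAjaxSetup($, token) {
  $.ajaxSetup({
    beforeSend: function (xhr, settings) {
      const headers = csrfHeadersFor(settings.type, settings.crossDomain, token);
      for (const [name, value] of Object.entries(headers)) {
        xhr.setRequestHeader(name, value);
      }
    }
  });
}

// Usage in the logged-in page (browser only; jQuery and propertyId assumed present):
// installCsrfAjaxSetup(jQuery, getCookie('csrftoken'));
// $.ajax({ type: 'POST', url: '/api/add_favorite/' + propertyId + '/', dataType: 'json' });
```

With this in place no Authorization header is sent, so JWTAuthentication steps aside, the session cookie identifies the user, and the X-CSRFToken header satisfies the check that SessionAuthentication applies to POST. The JWT path is untouched: a client that does send a Bearer access token is authenticated by JWTAuthentication first and the CSRF check never runs for it.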
