/api-auth/登录时djangorestfull上的CSRF错误

Question

我在使用djangorestfull的web项目的服务器端。我们的UI团队在端口3000上运行UI，Django服务器在端口8000上运行。对于登录，我们使用/api-auth/login url作为ajax。来自/api-auth/login的答复选项方法包含csrftoken和一个表单但post方法(包含用户名和密码)面对CSRF错误。我如何检查这个问题的根源？它是在服务器端还是令牌不会用post方法发送？

这是我的setting.py

REQUIRED_APPS = [
    'django_admin_bootstrapped',
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'django_extensions',
    'rest_framework',
]

MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.security.SecurityMiddleware',
)

REST_FRAMEWORK = {
    # Use Django's standard `django.contrib.auth` permissions,
    # or allow read-only access for unauthenticated users.
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.DjangoModelPermissionsOrAnonReadOnly',
        'rest_framework.authentication.SessionAuthentication',
        'rest_framework.authentication.TokenAuthentication',
    ]
}

和urls.py

urlpatterns = [
    url(r'^admin/', include(admin.site.urls)),
    url(r'', include('User.urls', namespace='User')),
    url(r'^schedule/', include('Schedule.urls', namespace='Schedule')),
    url(r'^api-auth/', include('rest_framework.urls', namespace='rest_framework')),
]

Answer 1

问题似乎来自UI团队。机会很大，它们没有将CSRF令牌包含在POST请求中。请确认一下。以下是Django关于如何添加令牌的一些文档。https://docs.djangoproject.com/en/1.9/ref/csrf/#ajax