Back-end API LoginView (added a decorator that forces the CSRF token into the body)

```python
from django.contrib.auth import authenticate, login
from django.core.context_processors import csrf  # django.template.context_processors in newer Django
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import ensure_csrf_cookie
from rest_framework import status
from rest_framework.renderers import JSONPRenderer, JSONRenderer  # JSONPRenderer lives in rest_framework_jsonp in DRF 3.x
from rest_framework.response import Response
from rest_framework.views import APIView

from .models import AuthUserProfile                               # app-specific model
from .serializers import LoginSerializer, UserProfileSerializer  # app-specific serializers


class LoginView(APIView):
    renderer_classes = (JSONPRenderer, JSONRenderer)

    # ensure_csrf_cookie guarantees the csrftoken cookie is set on the response,
    # so the client can read it and echo it back in the X-CSRFToken header.
    @method_decorator(ensure_csrf_cookie)
    def post(self, request, format=None):
        c = {}
        c.update(csrf(request))  # forces generation of the CSRF token for this request
        serializer = LoginSerializer(data=request.DATA)  # request.data in DRF 3.x
        if serializer.is_valid():
            userAuth = authenticate(username=serializer.data['username'],
                                    password=serializer.data['password'])
            if userAuth and userAuth.is_active:
                login(request, userAuth)
                # pk=1 is hard-coded in the original; a real app should look up
                # the profile that belongs to userAuth instead.
                loggedInUser = AuthUserProfile.objects.get(pk=1)
                serializer = UserProfileSerializer(loggedInUser)
                user = [serializer.data, {'isLogged': True}]
            else:
                # wrong credentials or inactive account
                user = {'isLogged': False}
            return Response(user, status=status.HTTP_200_OK)
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
```

AngularJS client (adds the token to the request headers)

```javascript
$http.defaults.headers.post['X-CSRFToken'] = $cookies.csrftoken;
```

Server-side settings file (specifically for django-cors-headers)

The first five are added by default, but you need to add "X-CSRFToken" to allow this kind of header from the client to the API over CORS, otherwise the POST will be rejected.

```python
CORS_ALLOW_HEADERS = ('x-requested-with', 'content-type', 'accept', 'origin', 'authorization', 'X-CSRFToken')
```
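To see why the extra entry in CORS_ALLOW_HEADERS matters, here is an added example (not code from the original answer) that models in plain Python the two server-side checks a cross-origin login POST has to pass: the CORS preflight allow-list check and Django's double-submit comparison of the csrftoken cookie against the X-CSRFToken header. The request dicts, token values and the `check_cross_origin_login` helper are constructed for this illustration; real Django also unmasks the tokens before comparing them.

```python
import hmac

# django-cors-headers defaults ("the first five" in the answer) and the fixed list
DEFAULT_CORS_ALLOW_HEADERS = ("x-requested-with", "content-type", "accept", "origin", "authorization")
FIXED_CORS_ALLOW_HEADERS = DEFAULT_CORS_ALLOW_HEADERS + ("X-CSRFToken",)


def preflight_missing_headers(requested_headers, allowed_headers):
    """Model of the CORS preflight: every name the browser lists in
    Access-Control-Request-Headers must appear in the allow-list.
    Header names are compared case-insensitively. Returns the missing ones."""
    allowed = {h.lower() for h in allowed_headers}
    return [h for h in requested_headers if h.lower() not in allowed]


def csrf_token_matches(cookie_token, header_token):
    """Model of Django's double-submit check: the X-CSRFToken header must
    equal the csrftoken cookie. compare_digest avoids a timing side channel."""
    if not cookie_token or not header_token:
        return False
    return hmac.compare_digest(cookie_token, header_token)


def check_cross_origin_login(request, allowed_headers):
    """Run both checks on a (constructed) cross-origin POST; returns (ok, reason)."""
    missing = preflight_missing_headers(request["preflight_request_headers"], allowed_headers)
    if missing:
        # The browser never sends the real POST when the preflight fails.
        return False, "preflight rejected, header(s) not allowed: " + ", ".join(missing)
    if not csrf_token_matches(request["cookies"].get("csrftoken"),
                              request["headers"].get("X-CSRFToken")):
        return False, "CSRF check failed: cookie and header token differ"
    return True, "accepted"


# Constructed sample request, shaped like what the AngularJS client above sends
SAMPLE_LOGIN_POST = {
    "preflight_request_headers": ["content-type", "x-csrftoken"],
    "cookies": {"csrftoken": "tok123constructed"},
    "headers": {"X-CSRFToken": "tok123constructed", "Content-Type": "application/json"},
}

if __name__ == "__main__":
    # With the defaults the preflight fails; with X-CSRFToken allowed the login is accepted.
    print(check_cross_origin_login(SAMPLE_LOGIN_POST, DEFAULT_CORS_ALLOW_HEADERS))
    print(check_cross_origin_login(SAMPLE_LOGIN_POST, FIXED_CORS_ALLOW_HEADERS))
```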