Issue
I'm starting to use django and I'm lost in the request verification system. I find it difficult to grasp the intricacies of authentication methods.
I am using JWT authentication with restframework_simplejwt to authenticate the user.
Before using JWT, I had CSRF checks, but it seems to me that I no longer have them since I defined this authentication system.
Here are my settings and my view, built with DRF's APIView.
settings.py
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated'
    ],
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication',
    ),
}
view.py
from rest_framework import status
from rest_framework.views import APIView
from rest_framework.permissions import IsAuthenticated
from rest_framework.authentication import SessionAuthentication
from rest_framework_simplejwt.authentication import JWTAuthentication
from rest_framework.response import Response
# UserPermissionSpeedX, UserThrottleSpeedX, MakePredictionSerializer,
# SpeedxSerializer and SpeedX are the project's own classes, not shown here.

class MakePredictionView(APIView):
    authentication_classes = [JWTAuthentication,]
    permission_classes = [IsAuthenticated, UserPermissionSpeedX]
    throttle_classes = [UserThrottleSpeedX,]
    serializer_class = MakePredictionSerializer

    def post(self, request):
        if not self.request.session.exists(self.request.session.session_key):
            self.request.session.create()
        serializer = self.serializer_class(data=request.data)
        if serializer.is_valid():
            profil = SpeedX(
                player_name=serializer.data.get('player_name'),
                maturite_indice=serializer.data.get('maturite_indice'),
                resultat_vitesse_30m=serializer.data.get('resultat_vitesse_30m'),
                club=serializer.data.get('club'),
                categorie=serializer.data.get('categorie')
            )
            profil.save()
            return Response(SpeedxSerializer(profil).data, status=status.HTTP_200_OK)
        # Without this branch the view returns None on invalid input, which DRF rejects.
        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
If I replace JWTAuthentication with SessionAuthentication, for example, it asks me for the CSRF token. But if I add SessionAuthentication alongside JWTAuthentication in authentication_classes, it no longer asks me for CSRF, and the authentication is done with JWT, without checking the CSRF token. Is this normal? Is this risky?
I also tested these settings, but the issue is the same:
REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': [
        'rest_framework.permissions.IsAuthenticated'
    ],
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'rest_framework_simplejwt.authentication.JWTAuthentication',
        'rest_framework.authentication.SessionAuthentication'
    ),
}

class MakePredictionView(APIView):
    authentication_classes = [SessionAuthentication, JWTAuthentication]
    permission_classes = [IsAuthenticated, UserPermissionSpeedX]
    throttle_classes = [UserThrottleSpeedX,]
    serializer_class = MakePredictionSerializer
I can't quite understand WHEN the CSRF token is checked, and why it is not checked when JWTAuthentication is enabled.
I am developing the application locally for the moment.
Solution
Session authentication and JWT authentication are both used for user authentication, but the difference is that:
Session authentication:
It is server-side session management to keep track of a user's login state. When a user logs in, the server creates a session object containing the user's session ID, which is stored in a cookie. When the user makes a request, the server uses this session ID to retrieve the session object and authenticate the user.
JWT authentication:
The JWT method uses a JSON Web Token to authenticate the user. When the user logs in, the JWT library creates a JSON Web Token for the user that is stored in a cookie or local storage. When the user makes a request, the client sends the token, which contains additional information about that user, to authenticate and verify the user.
The main advantage is that JWT authentication is more flexible than session authentication.
Answered By - Tanveer Ahmad
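The mechanism the question asks about, as an added example that is not code from the question, from DRF or from simplejwt: a minimal model of DRF's authenticator loop. In DRF the CSRF check lives only inside SessionAuthentication and runs only when the request already carries a logged-in session; the first authenticator that returns a user wins, and JWTAuthentication never performs a CSRF check. FakeRequest, VALID_TOKENS and the token strings are constructed stand-ins.

```python
# Added example, not DRF's or simplejwt's code: a minimal model of DRF's
# Request._authenticate() loop and SessionAuthentication.authenticate().
from dataclasses import dataclass, field
from typing import Optional

class PermissionDenied(Exception):
    """Stands in for rest_framework.exceptions.PermissionDenied."""

@dataclass
class FakeRequest:
    """Constructed stand-in for a DRF Request; only the fields this model needs."""
    session_user: Optional[str] = None   # user resolved from the session cookie
    csrf_token_valid: bool = False       # outcome of Django's CSRF token comparison
    bearer_token: Optional[str] = None   # value from 'Authorization: Bearer ...'
    checks_run: list = field(default_factory=list)

class SessionAuthentication:
    """Only DRF authenticator that enforces CSRF, and only when a session user exists."""
    def authenticate(self, request):
        if request.session_user is None:
            return None                  # no session: defer to the next authenticator
        request.checks_run.append("csrf")
        if not request.csrf_token_valid:
            raise PermissionDenied("CSRF Failed")
        return (request.session_user, None)

# Constructed token table; real simplejwt verifies a signed JWT instead.
VALID_TOKENS = {"tok-alice": "alice"}

class JWTAuthentication:
    """Stateless: a valid bearer token authenticates with no CSRF check at all."""
    def authenticate(self, request):
        if request.bearer_token is None:
            return None
        user = VALID_TOKENS.get(request.bearer_token)
        if user is None:
            raise PermissionDenied("Invalid token")
        return (user, request.bearer_token)

def run(request, authenticators):
    """DRF's rule: the first authenticator returning a (user, auth) tuple wins.
    Returns (outcome, user_or_reason, authenticator_name, checks_that_ran)."""
    try:
        for auth in authenticators:
            result = auth.authenticate(request)
            if result is not None:
                return ("ok", result[0], type(auth).__name__, list(request.checks_run))
        return ("anonymous", None, None, list(request.checks_run))
    except PermissionDenied as exc:
        return ("denied", str(exc), None, list(request.checks_run))
```

With only a Bearer header present, SessionAuthentication returns None and the CSRF check never runs, which is the behaviour observed in the question; the CSRF check protects cookie-carried credentials, which a browser attaches automatically, not a header the client code sets explicitly.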