Brainstorm's snippets (1/228)

Logging in to Django REST and POSTing forms using HTTPie

Logging in to Django REST using HTTPie

Logging in to Django using HTTPie. Without a session, an unauthenticated request to the API is refused:

http localhost:8000/users/ -h
HTTP/1.0 403 Forbidden
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Date: Wed, 13 Apr 2016 12:01:24 GMT
Server: WSGIServer/0.1 Python/2.7.11
Vary: Accept, Cookie
X-Frame-Options: SAMEORIGIN

First we obtain the CSRF token by visiting the login page with a named HTTPie session:

http localhost:8000/api-auth/login/ --session=session1 -h
HTTP/1.0 200 OK
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Content-Type: text/html; charset=utf-8
Date: Wed, 13 Apr 2016 12:01:51 GMT
Expires: Wed, 13 Apr 2016 12:01:51 GMT
Last-Modified: Wed, 13 Apr 2016 12:01:51 GMT
Server: WSGIServer/0.1 Python/2.7.11
Set-Cookie:  csrftoken=Z6BWtOS9hmVtZ0QoVkYegMo8Ckduyv7y; expires=Wed, 12-Apr-2017 12:01:51 GMT; Max-Age=31449600; Path=/
Vary: Cookie
X-Frame-Options: SAMEORIGIN

HTTPie has now stored it as a cookie in the session file:

cat session1.json
{
    "__meta__": {
        "about": "HTTPie session file",
        "help": "https://github.com/jkbrzt/httpie#sessions",
        "httpie": "0.9.3"
    },
    "auth": {
        "password": null,
        "type": null,
        "username": null
    },
    "cookies": {
        "csrftoken": {
            "expires": 1491998511,
            "path": "/",
            "secure": false,
            "value": "Z6BWtOS9hmVtZ0QoVkYegMo8Ckduyv7y"
        }
    },
    "headers": {}
}

Then we log in, sending the same token back in the X-CSRFToken header:

http -f POST localhost:8000/api-auth/login/ username=admin password=password123 X-CSRFToken:Z6BWtOS9hmVtZ0QoVkYegMo8Ckduyv7y --session=session1 -h
HTTP/1.0 302 Found
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Content-Type: text/html; charset=utf-8
Date: Wed, 13 Apr 2016 12:02:46 GMT
Expires: Wed, 13 Apr 2016 12:02:46 GMT
Last-Modified: Wed, 13 Apr 2016 12:02:46 GMT
Location: /accounts/profile/
Server: WSGIServer/0.1 Python/2.7.11
Set-Cookie:  csrftoken=xhZLDurJlYrTKu6JGTwaF0BQinQfV8l4; expires=Wed, 12-Apr-2017 12:02:46 GMT; Max-Age=31449600; Path=/
Set-Cookie:  sessionid=skjcmbsm4a4jtn43sl0npybpdopttk5y; expires=Wed, 27-Apr-2016 12:02:46 GMT; httponly; Max-Age=1209600; Path=/
Vary: Cookie
X-Frame-Options: SAMEORIGIN

Another session, performing a complex POST from the command line

In every call we refer to the session file "./session.json" so that the custom headers persist across subsequent requests to the same host.

We POST to the login page, which fails with a CSRF_FAILURE_VIEW error:

http POST 127.0.0.1:8000/login/ -h
HTTP/1.0 403 FORBIDDEN
Content-Language: it
Content-Type: text/html
Date: Tue, 28 Aug 2018 15:19:51 GMT
Server: WSGIServer/0.1 Python/2.7.13
Set-Cookie: sessionid=70b12537dfdf4fec75fbce86d0d6f6e7; expires=Tue, 11-Sep-2018 15:19:51 GMT; Max-Age=1209600; Path=/
Vary: Accept-Language, Cookie

To obtain the csrftoken, we request the page again (GET method):

http 127.0.0.1:8000/login/ --session=./session.json -h
HTTP/1.0 200 OK
Cache-Control: max-age=0
Content-Language: it
Content-Type: text/html; charset=utf-8
Date: Tue, 28 Aug 2018 15:23:52 GMT
ETag: "7892c1deb1c4eeca304cada025e5db84"
Expires: Tue, 28 Aug 2018 15:23:52 GMT
Last-Modified: Tue, 28 Aug 2018 15:23:52 GMT
Server: WSGIServer/0.1 Python/2.7.13
Set-Cookie: csrftoken=87035d38eee0ce9c3728c3caf53e21e3; Max-Age=31449600; Path=/
Set-Cookie: sessionid=eb0cc1b2a6c930fb12b76857446a19ed; expires=Tue, 11-Sep-2018 15:23:52 GMT; Max-Age=1209600; Path=/
Vary: Cookie, Accept-Language

We submit the login form, including the csrftoken just received:

http -f POST localhost:8000/login/ username=USERNAME password=PASSWORD X-CSRFToken:87035d38eee0ce9c3728c3caf53e21e3 --session=./session.json -h

At this point we can POST arbitrary forms; in the following example we used the data of a form previously filled in interactively, taken from the browser inspector.

Note that a trailing "&" was added so that the last parameter does not end with an unwanted newline ("\n"):

echo "target_user=677&elearning_hours=45&section_3=23&section_3=24&section_4=26&promo_code=&company_vat_id=02409140361&company_name=Brainstorm&company_street_type=Viale&company_address=Francesco+Crispi%2C+2&company_zipcode=41121&company_city=MODENA&company_province=108&company_email=aluppi%40brainstorm.it&company_phone_number=059-216138&accept_conditions=on&accept_clauses=on&privacy_agreement=on&marketing_agreement=accetto&" | http POST 127.0.0.1:8000/e-commerce/acquisti/ --session=./session.json -h
HTTP/1.0 302 FOUND
Content-Language: it
Content-Type: text/html; charset=utf-8
Date: Tue, 28 Aug 2018 15:38:20 GMT
Location: http://127.0.0.1:8000/e-commerce/acquisto-completato/1543/
Server: WSGIServer/0.1 Python/2.7.13
Set-Cookie: sessionid=f25876fa079fd975c435e7dbc75dba95; expires=Tue, 11-Sep-2018 15:38:20 GMT; Max-Age=1209600; Path=/
Vary: Accept-Language, Cookie
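Both walkthroughs above (the first login session and the command-line session that follows it) depend on the same check: Django accepts the POST only when the X-CSRFToken header matches the csrftoken cookie that the earlier GET planted, which is why the first POST without a token gets 403. The following added example (not code from this page or from Django) replays that flow against a small constructed stand-in server so that both outcomes, 403 without the header and 302 with it, can be reproduced offline; the /api-auth/login/ path, the stand-in's token format and the sessionid value are assumptions.

```python
import http.cookiejar, http.cookies, secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode

class CsrfDemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for Django's login view (not Django's code): GET issues a
    csrftoken cookie; POST passes only if X-CSRFToken matches it (double-submit check)."""
    def do_GET(self):
        token = secrets.token_hex(16)  # constructed 32-char token, like the page's
        self.send_response(200)
        self.send_header("Set-Cookie", f"csrftoken={token}; Path=/")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain the form body
        cookie = http.cookies.SimpleCookie(self.headers.get("Cookie", "")).get("csrftoken")
        header = self.headers.get("X-CSRFToken", "")
        if cookie is None or not secrets.compare_digest(cookie.value, header):
            self.send_response(403)  # the CSRF_FAILURE_VIEW case seen on the page
        else:
            self.send_response(302)  # login accepted: session cookie plus redirect
            self.send_header("Location", "/accounts/profile/")
            self.send_header("Set-Cookie", "sessionid=constructed; httponly; Path=/")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo server quiet

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 302 as an HTTPError instead of following it

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), CsrfDemoHandler)  # free loopback port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"

def login(base, username, password, send_header=True):
    """Replay the HTTPie flow with a cookie jar in place of --session; returns the POST status."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar), NoRedirect)
    opener.open(base + "/api-auth/login/").close()  # GET: receive the csrftoken cookie
    token = next(c.value for c in jar if c.name == "csrftoken")
    body = urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(base + "/api-auth/login/", data=body)
    if send_header:
        req.add_header("X-CSRFToken", token)  # omit it and the server answers 403
    try:
        return opener.open(req).status
    except urllib.error.HTTPError as e:
        return e.code  # 302 on success (not followed), 403 on CSRF failure
```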