Logging in to Django REST and POSTing forms using HTTPie
Logging in to Django REST using HTTPie
Logging in to Django using HTTPie. Before logging in, a request to the API is refused:
    http localhost:8000/users/ -h

    HTTP/1.0 403 Forbidden
    Allow: GET, HEAD, OPTIONS
    Content-Type: application/json
    Date: Wed, 13 Apr 2016 12:01:24 GMT
    Server: WSGIServer/0.1 Python/2.7.11
    Vary: Accept, Cookie
    X-Frame-Options: SAMEORIGIN
First we want to get the CSRF Token by visiting a page:
    http localhost:8000/api-auth/login/ --session=session1 -h

    HTTP/1.0 200 OK
    Cache-Control: no-cache, no-store, must-revalidate, max-age=0
    Content-Type: text/html; charset=utf-8
    Date: Wed, 13 Apr 2016 12:01:51 GMT
    Expires: Wed, 13 Apr 2016 12:01:51 GMT
    Last-Modified: Wed, 13 Apr 2016 12:01:51 GMT
    Server: WSGIServer/0.1 Python/2.7.11
    Set-Cookie: csrftoken=Z6BWtOS9hmVtZ0QoVkYegMo8Ckduyv7y; expires=Wed, 12-Apr-2017 12:01:51 GMT; Max-Age=31449600; Path=/
    Vary: Cookie
    X-Frame-Options: SAMEORIGIN
It is now stored in a cookie:
    cat session1.json

    {
        "__meta__": {
            "about": "HTTPie session file",
            "help": "https://github.com/jkbrzt/httpie#sessions",
            "httpie": "0.9.3"
        },
        "auth": {
            "password": null,
            "type": null,
            "username": null
        },
        "cookies": {
            "csrftoken": {
                "expires": 1491998511,
                "path": "/",
                "secure": false,
                "value": "Z6BWtOS9hmVtZ0QoVkYegMo8Ckduyv7y"
            }
        },
        "headers": {}
    }
Then we log in with the X-CSRFToken header set:
    http -f POST localhost:8000/api-auth/login/ username=admin password=password123 X-CSRFToken:Z6BWtOS9hmVtZ0QoVkYegMo8Ckduyv7y --session=session1 -h

    HTTP/1.0 302 Found
    Cache-Control: no-cache, no-store, must-revalidate, max-age=0
    Content-Type: text/html; charset=utf-8
    Date: Wed, 13 Apr 2016 12:02:46 GMT
    Expires: Wed, 13 Apr 2016 12:02:46 GMT
    Last-Modified: Wed, 13 Apr 2016 12:02:46 GMT
    Location: /accounts/profile/
    Server: WSGIServer/0.1 Python/2.7.11
    Set-Cookie: csrftoken=xhZLDurJlYrTKu6JGTwaF0BQinQfV8l4; expires=Wed, 12-Apr-2017 12:02:46 GMT; Max-Age=31449600; Path=/
    Set-Cookie: sessionid=skjcmbsm4a4jtn43sl0npybpdopttk5y; expires=Wed, 27-Apr-2016 12:02:46 GMT; httponly; Max-Age=1209600; Path=/
    Vary: Cookie
    X-Frame-Options: SAMEORIGIN
Another session, to perform a complex POST from the command line
In all calls we will refer to the session file "./session.json", so that custom headers persist across successive requests to the same host.
We POST to the login page, which will fail with the CSRF_FAILURE_VIEW error:
    http POST 127.0.0.1:8000/login/ -h

    HTTP/1.0 403 FORBIDDEN
    Content-Language: it
    Content-Type: text/html
    Date: Tue, 28 Aug 2018 15:19:51 GMT
    Server: WSGIServer/0.1 Python/2.7.13
    Set-Cookie: sessionid=70b12537dfdf4fec75fbce86d0d6f6e7; expires=Tue, 11-Sep-2018 15:19:51 GMT; Max-Age=1209600; Path=/
    Vary: Accept-Language, Cookie
To obtain the csrftoken, we request the page again (GET method):
    http 127.0.0.1:8000/login/ --session=./session.json -h

    HTTP/1.0 200 OK
    Cache-Control: max-age=0
    Content-Language: it
    Content-Type: text/html; charset=utf-8
    Date: Tue, 28 Aug 2018 15:23:52 GMT
    ETag: "7892c1deb1c4eeca304cada025e5db84"
    Expires: Tue, 28 Aug 2018 15:23:52 GMT
    Last-Modified: Tue, 28 Aug 2018 15:23:52 GMT
    Server: WSGIServer/0.1 Python/2.7.13
    Set-Cookie: csrftoken=87035d38eee0ce9c3728c3caf53e21e3; Max-Age=31449600; Path=/
    Set-Cookie: sessionid=eb0cc1b2a6c930fb12b76857446a19ed; expires=Tue, 11-Sep-2018 15:23:52 GMT; Max-Age=1209600; Path=/
    Vary: Cookie, Accept-Language
We submit the login form, including the csrftoken just received:
    http -f POST localhost:8000/login/ username=USERNAME password=PASSWORD X-CSRFToken:87035d38eee0ce9c3728c3caf53e21e3 --session=./session.json -h
At this point we can POST arbitrary forms; in the following example we used the data of a form previously filled in interactively, taken from the inspector.
Note that an "&" has been added at the end to prevent the last parameter from ending with an unwanted "\n":
    echo "target_user=677&elearning_hours=45&section_3=23&section_3=24&section_4=26&promo_code=&company_vat_id=02409140361&company_name=Brainstorm&company_street_type=Viale&company_address=Francesco+Crispi%2C+2&company_zipcode=41121&company_city=MODENA&company_province=108&company_email=aluppi%40brainstorm.it&company_phone_number=059-216138&accept_conditions=on&accept_clauses=on&privacy_agreement=on&marketing_agreement=accetto&" | http POST 127.0.0.1:8000/e-commerce/acquisti/ --session=./session.json -h

    HTTP/1.0 302 FOUND
    Content-Language: it
    Content-Type: text/html; charset=utf-8
    Date: Tue, 28 Aug 2018 15:38:20 GMT
    Location: http://127.0.0.1:8000/e-commerce/acquisto-completato/1543/
    Server: WSGIServer/0.1 Python/2.7.13
    Set-Cookie: sessionid=f25876fa079fd975c435e7dbc75dba95; expires=Tue, 11-Sep-2018 15:38:20 GMT; Max-Age=1209600; Path=/
    Vary: Accept-Language, Cookie
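Both walkthroughs paste the csrftoken into the command by hand, and the first login response shows Django issuing a new csrftoken cookie at login, so a pasted value goes stale. The following is an added example, not part of the original page: it reads the current token from the HTTPie session file before each POST. The function names csrf_from_session and csrf_post are hypothetical, and the parsing assumes the 0.9.x session layout shown in session1.json above.

```shell
# Added example (not from the original page). Assumes the HTTPie 0.9.x
# session layout shown above: "cookies" is a map of name -> object.

# Print the csrftoken value currently stored in an HTTPie session file.
csrf_from_session() {
    session_file=$1
    [ -r "$session_file" ] || { echo "cannot read $session_file" >&2; return 1; }
    # Collapse whitespace so pretty-printed and one-line JSON both match,
    # then capture "value" from inside the "csrftoken" object only.
    token=$(tr -d ' \t\r\n' < "$session_file" |
        sed -n 's/.*"csrftoken":{[^}]*"value":"\([^"]*\)".*/\1/p')
    [ -n "$token" ] || { echo "no csrftoken in $session_file" >&2; return 1; }
    printf '%s\n' "$token"
}

# Form POST that always sends the token the session holds right now.
# Usage: csrf_post SESSION_FILE URL [field=value ...]
csrf_post() {
    session_file=$1; url=$2; shift 2
    token=$(csrf_from_session "$session_file") || return 1
    http -f POST "$url" "$@" "X-CSRFToken:$token" --session="$session_file" -h
}
```

Pass the session as a path containing a slash (./session.json, as in the second walkthrough) so that HTTPie and the function read the same file.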