• Members 9 posts
    Jan. 15, 2017, 8:40 p.m.

    I'm trying to authenticate to Misago from a Python app using the "requests" Python module. However, I get this error:

    <p>This is usually caused by your browser not accepting or using outdated cookies.</p>
    <p>Check your browser configuration and try again.</p>

    This is the code I'm using:

    import requests
    FORUM_URL = 'https://misago-project.org/'
    AUTH_API_URL = '{}/api/auth/'.format(FORUM_URL)
    username = 'username_goes_here'
    password = 'password_goes_here'
    r = requests.post(AUTH_API_URL, data={'username': username, 'password': password})

    What am I doing wrong?

  • Jan. 15, 2017, 9:24 p.m.


    Your attempts are failing because in addition to username and password, you need to include CSRF token in your request. You can get one via doing GET request to any of forum's pages, then reading the csrftoken cookie. You'll have to send this token in X-CSRFToken header on all POST/PATCH/PUT/DELETE requests. Also note thad Django may regenerate token after every request, meaning you should look out for this cookie in every response you get, and update your CSRF token accordingly. This is security feature that protects Django against BREACH attacks.

    This could be improved some via inclusion of special "get-csrf-token" api edge that would be returning you with current API token, so you don't have to deal with extra cost of rendering whole forum page only so you can grab CSRF token.

    On sidenote, I would like Misago to support Token Authentication for app2app authentication so, say, your PHP/Ruby/Node.js app is able to consume and update forum state using predefined account.

  • Jan. 15, 2017, 9:40 p.m.

    And now you can do GET /api/auth/token/ to get cookie with token without need for calling sitefront url's that may be doing something else and costful.

  • Members 9 posts
    Jan. 15, 2017, 9:43 p.m.

    Thank you :)

    Have a nice day!

  • Jan. 15, 2017, 10:28 p.m.

    Sure, let me know your feelings about API when you feel like it. I'm always curious what people think about it. :)

  • Members 9 posts
    Jan. 16, 2017, 3:41 p.m.

    I have updated my code, however I still get the same error. I extract the CSRF token from the csrftoken cookie and pass it to the /api/auth/ request as X-CSRFToken header. Perhaps the forum wasn't updated yet to the last version?

    Repository: github.com/armata/misago-ext-auth/tree/master

  • Jan. 16, 2017, 3:54 p.m.

    Ah, you'll also need to maintain session, so you'll need to also keep and send back session id cookie. Alternatively you could try setup token authentication on your own site.

  • Members 9 posts
    Jan. 17, 2017, 2:52 p.m.

    Hmm, I am now using requests.Session() for making requests -- however there is no "sessionid" cookie in the cookie jar after I make the API token request. There's only csrftoken. However, in Postman, I can clearly see it. Do I have to generate the cookie manually or something?

    <RequestsCookieJar[<Cookie csrftoken=4GvUsDcTnk043tn9hZm06zkzaWBW1gsXPtk07sns4waBDseHJAEZrcIDkPKQ5QJ0 for misago-project.org/>]>

    Maybe something related: stackoverflow.com/questions/12257116/django-when-is-sessionid-cookie-set-is-it-available-by-default

  • Jan. 17, 2017, 2:59 p.m.

    Django is setup to make session cookie HTTP-Only by default, which is confusing for cookie jar. To have best chance at debugging your API client, you should develop it against locally ran and configured instance instead of this site. ;)

  • Members 9 posts
    Jan. 17, 2017, 3:07 p.m.

    Yeah I've noticed that it's HTTP: Yes in Postman, unlike all other cookies... I'll check it out, thank you :)

  • Members 21 posts
    Feb. 7, 2021, 1:31 a.m.

    Is /api/auth/token removed? Seems I cannot find it anymore.

  • Feb. 7, 2021, 3:37 a.m.

    Where did you see /api/auth/token being mentioned? It was never in Misago's API. 🤔

  • Feb. 7, 2021, 10:06 p.m.

    Ah, that post is from 2017 when previous Misago's major version with different API was available. Sorry for the confusion.

    To be honest, I am thinking that you will have best success if you implement custom Django app that does this.

    If you are using misago-docker for your site, you can add extra urls to the site by creating urls_override.py file right next to urls.py, and defining extra urlpatterns in it.

    To add extra apps to Misago you can create plugins.txt file in same directory that contains Dockerfile, and write their names, each in new line. You can put your app dir in same directory as plugins, and if your app has extra requirements, those also can be placed in requirements-plugins.txt file next to requirements.txt. You can then run ./appctl rebuild to rebuild your site.

  • Members 9 posts
    Feb. 9, 2021, 7:11 p.m.

    Hi! I was reading this post and I have a question, again.

    I am trying to add the Django app I have created to our server. So, this is how my app folder looks like:
    Cards app structure
    So, we followed your post above and we added that the app folder in /root/misago_docker/misago. We created the plugins.txt and we were working with the urls_override.py file, but we believe we are doing something wrong with the format there as once we run ./appctl rebuild, we get the Bad Gateway message.

    ^ The file on the right was how we were adding the URLs of our Cards app

    Edit: For some reason, the image is not clear so this is what we have in urls_override.py
    urlpatterns = [url(r"^$", views.news, name='news']

    I would appreciate a lot if you could give it a check. Thank you in advance

  • Feb. 9, 2021, 9:03 p.m.

    There's no chance for your urls_override.py to work because url function is undefined. Please add missing import and it should work.