auth problems with django

[dpinol]

Hi,
when executing a graphql query to strawberry_django.auth.current_user() I get
Forbidden (CSRF token from the 'X-Csrftoken' HTTP header incorrect.): /graphql
when using client sessions, and
User is not logged in.
when not using sessions.

Previous calls to strawberry_django.auth.login() and strawberry_django.auth.register(UserRegister) work fine.

I do the following to get the csrftoken, which I set into the AIOHTTPTransport headers and cookies

        async with aiohttp.ClientSession(cookie_jar=aiohttp.CookieJar()) as session:
            csrf_token = None
            # csrftoken are set by servers in GET calls
            # TODO create a specific call for it?
            async with session.get(self.url + "/admin") as resp:
                assert_that(resp.status).is_equal_to(200)
                for cookie in session.cookie_jar:
                    if cookie.key == "csrftoken":
                        csrf_token = cookie.value
                assert csrf_token, "CSRF token not found in cookies"

            return csrf_token

I also set CSRF_TRUSTED_ORIGINS
What am I doing wrong?

[bellini666]

Hi @dpinol ,

Sorry for the late reply. strawberry_django.auth.current_user() only calls this function, which either gets it from request.user or request.scope.get("user") (this one when using websockets/subscriptions)

So the issue is most likely being thrown when accessing the user itself, or user.is_authenticated, which triggers the django logic to actually fetch it.

Does it only happen for strawberry views, or for other views as well?

[dpinol]

Hi @bellini666,
Thanks eventually I found a solution. The problem is that Django changes the csrf_token after logging a user in. So what I do is reload the token and assign it to the headers and cookies of the same connection. I guess we can close the issue, but I feel it shouldn't be so cumbersome.