DEV Community

Discussion on: Python: Using JWT in cookies with a flask app and restful API!

Phantz • Edited

Yep! This is expected. You see, a POST request expects a CSRF token with it. You have to manually ensure you pass the CSRF token. Read the docs' "Passing JWT to RESTful API resources".

Basically, ensure that the form you're POSTing has a hidden input field that contains the CSRF token (you can pass that token from the backend). That's it!

Since you're using AJAX, you need to pass the extra header manually instead of rendering the token as an input field in the form. Read this for more info.

decipher111

Two things.
1.) If I'm sending a POST request on the same domain, then why do I need a CSRF token? Is it not only for cross-domain requests?
2.) Even if you do require a CSRF token on the same domain, this still shows no auth header:
dev-to-uploads.s3.amazonaws.com/i/...

Phantz

1) Actually, CSRF is supposed to be used for forms in the same domain. You see, a malicious person could easily post your form on another domain. This is why CSRF exists. Of course you can disable it, at your own risk, with JWT_COOKIE_CSRF_PROTECT and JWT_CSRF_CHECK_FORM.

2) I'm guessing the authToken in your code has the wrong value. I don't see where you assign it, so I can't tell for sure. Can you try using this instead:

$.ajax({
  method: 'GET',
  dataType: 'json',
  headers: {
    // copy the readable csrf_access_token cookie into the header the API checks
    'X-CSRF-TOKEN': Cookies.get('csrf_access_token')
  },
  url: "some_url",
  // ...
});
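To make the two replies above concrete (why a same-domain POST still needs the token, what the hidden form field versus the X-CSRF-TOKEN header changes, and what JWT_COOKIE_CSRF_PROTECT and JWT_CSRF_CHECK_FORM switch off), here is an added example written for this thread. It is a simplified model of the double-submit check, not flask-jwt-extended's own code: the cookie name `access_token_cookie`, the readable cookie `csrf_access_token`, the header `X-CSRF-TOKEN`, the form field `csrf_token` and the checked methods are the library's defaults, while `issue_cookies`, `verify_request`, `outcome`, `scenarios`, the user `alice`, the constructed CSRF value `0123abcd` and the use of a plain dict in place of a signed JWT are assumptions made here.

```python
"""Simplified model of the double-submit CSRF check that flask-jwt-extended
applies to JWTs carried in cookies.  Written for this discussion, not the
library's own code; cookie, header and form-field names are the library
defaults, everything else is an assumption."""
import hmac
import secrets

# Default JWT_CSRF_METHODS: safe methods such as GET are never CSRF-checked.
CSRF_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


class CSRFError(Exception):
    """Raised where the real extension would answer 401 with a JSON error."""


def issue_cookies(csrf_value=None):
    """What the server sets on login.  The CSRF value lives inside the
    HttpOnly JWT cookie as the 'csrf' claim AND in a second, JS-readable
    cookie.  The JWT is modelled as an already-verified dict (assumption:
    signature checking is out of scope here)."""
    csrf_value = csrf_value or secrets.token_hex(16)
    access_token = {"sub": "alice", "csrf": csrf_value}
    return {"access_token_cookie": access_token, "csrf_access_token": csrf_value}


def verify_request(method, cookies, headers=None, form=None,
                   csrf_protect=True, check_form=False):
    """Return the token subject if the request is acceptable, else raise.

    csrf_protect mirrors JWT_COOKIE_CSRF_PROTECT and check_form mirrors
    JWT_CSRF_CHECK_FORM.  The value submitted by the client must equal the
    'csrf' claim of the JWT that the browser sent from its cookie jar.
    """
    headers = headers or {}
    form = form or {}
    token = cookies.get("access_token_cookie")
    if token is None:
        raise CSRFError('Missing cookie "access_token_cookie"')
    if csrf_protect and method.upper() in CSRF_METHODS:
        # HTTP header names are case-insensitive; a real framework normalises
        # them, this model expects the canonical spelling.
        submitted = headers.get("X-CSRF-TOKEN")
        if submitted is None and check_form:
            submitted = form.get("csrf_token")   # hidden <input name="csrf_token">
        if submitted is None:
            raise CSRFError("Missing CSRF token")
        # Constant-time comparison against the claim inside the JWT.
        if not hmac.compare_digest(submitted, token["csrf"]):
            raise CSRFError("CSRF double submit tokens do not match")
    return token["sub"]


def outcome(*args, **kwargs):
    """Helper so each scenario below yields a single comparable string."""
    try:
        return "ok:" + verify_request(*args, **kwargs)
    except CSRFError as exc:
        return "rejected:" + str(exc)


# Constructed login state: both cookies as the browser would store them.
COOKIES = issue_cookies("0123abcd")
CSRF = COOKIES["csrf_access_token"]


def scenarios():
    """The cases discussed in the thread, as one dict of results."""
    return {
        # Reading data: no CSRF check at all, which is why GET "just works".
        "get_no_header": outcome("GET", COOKIES),
        # The poster's original problem: POST with the cookies but nothing else.
        "post_no_header": outcome("POST", COOKIES),
        # The AJAX fix: copy the readable cookie into the X-CSRF-TOKEN header.
        "post_header": outcome("POST", COOKIES, headers={"X-CSRF-TOKEN": CSRF}),
        # Classic HTML form: the hidden field only counts once JWT_CSRF_CHECK_FORM is on.
        "form_check_off": outcome("POST", COOKIES, form={"csrf_token": CSRF}),
        "form_check_on": outcome("POST", COOKIES, form={"csrf_token": CSRF},
                                 check_form=True),
        # Cross-site forgery: the browser attaches the cookies automatically,
        # but a page on another origin cannot read csrf_access_token, so the
        # best it can do is guess a value.
        "forged_cross_site": outcome("POST", COOKIES,
                                     headers={"X-CSRF-TOKEN": "guess"}),
        # Protection disabled entirely (JWT_COOKIE_CSRF_PROTECT = False).
        "protection_off": outcome("POST", COOKIES, csrf_protect=False),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18} -> {result}")
```

The `forged_cross_site` case is the answer to "why on the same domain": the cookie is sent by the browser to your domain no matter which page triggered the request, so the only thing that separates your own form from an attacker's copy of it is the value that attacker cannot read.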
decipher111

I couldn't figure it out with a POST request in this case. I'll just use a GET request, which works fine.
Thank you so much for the help, though! I immensely appreciate it.