Correge CSRF

ResidenciaTICBrisa · Apr 3, 2024 · a458bf0 · a458bf0
1 parent f0ccf5d
commit a458bf0
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 23 deletions.
diff --git a/api/sigeie/settings.py b/api/sigeie/settings.py
@@ -113,11 +113,10 @@
 
 REST_FRAMEWORK = {
     'DEFAULT_AUTHENTICATION_CLASSES': [
-        'rest_framework.authentication.BasicAuthentication',
         'rest_framework.authentication.SessionAuthentication',
     ],
     'DEFAULT_PERMISSION_CLASSES': {
-        'rest_framework.permissions.IsAUthenticatedOrReadOnly',
+        'rest_framework.permissions.IsAuthenticatedOrReadOnly',
     }
 }
 

diff --git a/api/sigeie/urls.py b/api/sigeie/urls.py
@@ -22,6 +22,6 @@
     path('admin/', admin.site.urls),
     path('api/', include('users.urls')),
     path('api/', include(router.urls)),
-    path('auth/', include('rest_framework.urls')),
-    path('api/', include('systems.urls'))
+    path('api/', include('systems.urls')),
+    path('auth/', include('rest_framework.urls'))
 ]
diff --git a/api/users/models.py b/api/users/models.py
@@ -1,5 +1,6 @@
 from django.db import models
 
-# Create your models here.
+# Create your models here
+
 
 
diff --git a/api/users/serializers.py b/api/users/serializers.py
@@ -15,3 +15,15 @@ class Meta:
             'date_joined': {'read_only': True},
             'groups': {'read_only': True}
         }
+
+    def create(self, validated_data):
+        user = User.objects.create_user(
+        username=validated_data['username'],
+        password=validated_data['password'],
+        email=validated_data.get('email')  # use get se o email for opcional
+        )
+        return user
+
+class UserSerializerP(serializers.Serializer):
+    username = serializers.CharField(max_length=200)
+    password = serializers.CharField(max_length=200)
diff --git a/api/users/views.py b/api/users/views.py
@@ -1,47 +1,49 @@
 # views.py
+from django.http import JsonResponse
 from rest_framework import viewsets, permissions, status
 from rest_framework.views import APIView
 from rest_framework.response import Response
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.authentication import BasicAuthentication
 from rest_framework import generics
-
+from django.views.decorators.csrf import csrf_protect, csrf_exempt
 from .permissions import IsOwner
-from .serializers import UserSerializer
+from .serializers import UserSerializer, UserSerializerP
 
 from django.contrib.auth.models import User
 from django.contrib.auth import authenticate, login, logout
-from django.views.decorators.csrf import csrf_exempt
 from django.utils.decorators import method_decorator
 
-@method_decorator(csrf_exempt, name='dispatch')
+@method_decorator(csrf_protect, name='dispatch')
 class UserCreateView(generics.CreateAPIView):
     queryset = User.objects.all()
     serializer_class = UserSerializer
     permission_classes = []
     authentication_classes = []
 
-@method_decorator(csrf_exempt, name='dispatch')
+@method_decorator(csrf_protect, name='dispatch')
 class UserDetailView(generics.RetrieveUpdateDestroyAPIView):
     queryset = User.objects.all()
     serializer_class = UserSerializer
     permission_classes = [IsOwner, IsAuthenticated]
 
-@method_decorator(csrf_exempt, name='dispatch')
+@method_decorator(csrf_protect, name='dispatch')
 class LoginView(APIView):
-    authentication_classes = []
     permission_classes = []
-
-    def post(self, request, format=None):
-        username = request.data.get('username')
-        password = request.data.get('password')
-        user = authenticate(username=username, password=password)
-        if user is not None:
-            login(request, user)
-            return Response({'message': 'Login successful'}, status=status.HTTP_200_OK)
-        else:
-            return Response({'message': 'Invalid credentials'}, status=status.HTTP_401_UNAUTHORIZED)
-
+    def post(self, request, format=None):          
+            serializer = UserSerializerP(data=request.data)
+            if(serializer.is_valid()):
+                username = serializer.validated_data["username"]
+                password = serializer.validated_data["password"]
+                user = authenticate(username=username, password=password)
+                if user is not None:
+                    login(request, user)
+                    return Response({'message': 'Login successful'}, status=status.HTTP_200_OK)
+                else:
+                    print(user)
+                    return Response({'message': 'Invalid credentials'}, status=status.HTTP_401_UNAUTHORIZED)
+            return JsonResponse(serializer.errors)
+
 class LogoutView(APIView):
     permission_classes = [permissions.IsAuthenticated]