ENFORCE CSRF verification in API to be accessed by a browser strictly

[thesujai]

Summary

Enforces CSRF Verification more strongly in post api endpoints which are supposed to be accessed only by browser
…

References

Fixes #7389
…

Reviewer guidance

I performed Manual QA on the following API's:(except for setupwizard, i was confused with the actual api of that)

1. api/auth/session/
2. api/auth/facility/
3. api/content/contentrequest/
4. api/auth/signup/
5. api/tasks/tasks/
6. api/device/deviceprovision/

I ran curl commands like:

curl -X POST "http://localhost:8000/api/auth/facility/" -H  "accept: application/json" -H  "authorization: Basic c3VqYWk6c3VqYWk=" -H  "Content-Type: application/json"  -d "{  \"name\": \"string\"}"

I did the above for all API's i have changed here, without my changes i was in the API but with it i wasn't able to access it
…

---

Testing checklist

• Contributor has fully tested the PR manually
• If there are any front-end changes, before/after screenshots are included
• Critical user journeys are covered by Gherkin stories
• Critical and brittle code paths are covered by unit tests

PR process

• PR has the correct target branch and milestone
• PR has 'needs review' or 'work-in-progress' label
• If PR is ready for review, a reviewer has been added. (Don't use 'Assignees')
• If this is an important user-facing change, PR or related issue has a 'changelog' label
• If this includes an internal dependency change, a link to the diff is provided

Reviewer checklist

• Automated test coverage is satisfactory
• PR is fully functional
• PR has been tested for accessibility regressions
• External dependency files were updated if necessary (yarn and pip)
• Documentation is updated
• Contributor is in AUTHORS.md

[github-actions]

Build Artifacts

Asset type	Download link
PEX file	kolibri-0.16.0a0.dev0_git.755.g8be5bb26.pex
Windows Installer (EXE)	kolibri-0.16.0a0.dev0+git.755.g8be5bb26-unsigned.exe
Debian Package	kolibri_0.16.0a0.dev0+git.755.g8be5bb26-0ubuntu1_all.deb
Mac Installer (DMG)	kolibri-0.16.0a0.dev0+git.755.g8be5bb26-0.4.0.dmg
Android Package (APK)	kolibri-0.16.0a0.dev0+git.755.g8be5bb26-0.1.0-debug.apk
TAR file	kolibri-0.16.0a0.dev0+git.755.g8be5bb26.tar.gz
WHL file	kolibri-0.16.0a0.dev0+git.755.g8be5bb26-py2.py3-none-any.whl

[rtibbles]

This is looking promising - a few places where I don't think it's needed, and a few more places where I think it may be.

I would like to see some unit tests of these API endpoints just to guarantee this CSRF enforcement in the future.

[rtibbles]

Good catch - I think we should actually just add the IsAuthenticated permissions class to this viewset, as it requires a logged in user in the get_queryset method, so would just give a 500 for an anonymous user, I'd guess?

This might be worth doing in 0.16 instead, if you could open a separate PR to add just that onto the release-v0.16.x branch.

[thesujai]

ok i will add IsAuthenticated permissions to this in a seperate PR
And will remove csrf changes from this

[rtibbles]

Thank you!

[thesujai]

I have added some unit tests for the API's those are modified by this PR. If any of them are not doing the thing or is not at the right file, let me know, i will change it.

[rtibbles]

Excellent - love the tests, just a little bit more cleanup to do, and clarity over the GET behaviour of the session viewset.

[rtibbles]

Excellent work, thank you!