fix(api): disable csrf checks for api routes

src/apps/core/middleware.py

@@ -8,6 +8,7 @@ import logging
 import threading
 import uuid
 
+from django.middleware.csrf import CsrfViewMiddleware
 from django.utils.deprecation import MiddlewareMixin
 
 logger = logging.getLogger(__name__)
@@ -16,6 +17,17 @@ logger = logging.getLogger(__name__)
 _request_context = threading.local()
 
 
+class ApiCsrfExemptMiddleware(CsrfViewMiddleware):
+    """Skip CSRF checks for JWT/DRF API routes while keeping CSRF elsewhere."""
+
+    api_prefixes = ("/api/",)
+
+    def process_view(self, request, callback, callback_args, callback_kwargs):
+        if request.path_info.startswith(self.api_prefixes):
+            return None
+        return super().process_view(request, callback, callback_args, callback_kwargs)
+
+
 def get_request_id() -> str | None:
     """Get current request ID from thread-local storage."""
     return getattr(_request_context, "request_id", None)

src/settings/base.py

@@ -167,7 +167,7 @@ MIDDLEWARE = [
     "whitenoise.middleware.WhiteNoiseMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
     "django.middleware.common.CommonMiddleware",
-    "django.middleware.csrf.CsrfViewMiddleware",
+    "apps.core.middleware.ApiCsrfExemptMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",

src/settings/dev.py

@@ -29,11 +29,6 @@ CORS_ALLOW_CREDENTIALS = True
 CORS_ALLOW_PRIVATE_NETWORK = True
 CSRF_COOKIE_SECURE = False
 SESSION_COOKIE_SECURE = False
-MIDDLEWARE = [
-    middleware
-    for middleware in MIDDLEWARE
-    if middleware != "django.middleware.csrf.CsrfViewMiddleware"
-]
 
 
 def _normalize_local_host(host: str) -> str: