delete.auth/users/me
returns Internal server error
#218
Comments
It's an issue with drf-spectacular. They're opinionated about not allowing request bodies for DELETE requests. I'd propose a change to CONTRIBUTING.md that notes this quirk about DELETE requests possibly missing documentation, and a list of DELETE routes with links to their documentation. |
Can you post the logs of the error you get when you provide the correct request body as in screenshot 1? |
Internal Server Error: /auth/users/me/
Traceback (most recent call last):
File "C:\Python310\lib\site-packages\django\core\handlers\exception.py", line 55, in inner
response = get_response(request)
File "C:\Python310\lib\site-packages\django\core\handlers\base.py", line 197, in _get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "C:\Python310\lib\site-packages\django\views\decorators\csrf.py", line 65, in _view_wrapper
return view_func(request, *args, **kwargs)
File "C:\Python310\lib\site-packages\rest_framework\viewsets.py", line 124, in view
return self.dispatch(request, *args, **kwargs)
File "C:\Python310\lib\site-packages\rest_framework\views.py", line 509, in dispatch
response = self.handle_exception(exc)
File "C:\Python310\lib\site-packages\rest_framework\views.py", line 469, in handle_exception
self.raise_uncaught_exception(exc)
File "C:\Python310\lib\site-packages\rest_framework\views.py", line 480, in raise_uncaught_exception
raise exc
File "C:\Python310\lib\site-packages\rest_framework\views.py", line 506, in dispatch
response = handler(request, *args, **kwargs)
File "C:\Python310\lib\site-packages\djoser\views.py", line 177, in me
return self.destroy(request, *args, **kwargs)
File "C:\Python310\lib\site-packages\djoser\views.py", line 163, in destroy
utils.logout_user(self.request)
File "C:\Python310\lib\site-packages\djoser\utils.py", line 26, in logout_user
cts'
[25/Jun/2024 17:01:41] "DELETE /auth/users/me/ HTTP/1.1" 500 112250 |
Call the endpoint with query params and it works |
http://localhost:8000/auth/users/me?current_password=Password123 Also putting passwords as query params is not safe: |
Screenshot has I don't understand the comment about |
Want to go with this unsafe practice for the MVP? The accounts get deleted anyway, still not great to have links with passwords in them clientside though. Alternative is a custom View/APIView for account deletion |
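To make the objection above concrete on the server side: the query-string workaround puts `current_password` into the request target, and the development server's access log (the same format as the `[25/Jun/2024 17:01:41] "DELETE /auth/users/me/ HTTP/1.1" 500 112250` line in the traceback) records that target verbatim. This is an added example, not code from this project, djoser or drf-spectacular; the parameter names in `SENSITIVE_PARAMS`, the `[REDACTED]` marker and the sample log line are constructed assumptions.

```python
# Added example: detect and scrub password-bearing query strings in
# Django dev-server style access-log lines before they are retained.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of query-parameter names that must never reach a log.
SENSITIVE_PARAMS = frozenset({"current_password", "password", "token"})
REDACTED = "[REDACTED]"


def redact_query(url: str, sensitive=SENSITIVE_PARAMS) -> str:
    """Return url with values of sensitive query parameters replaced.

    Works for absolute URLs and for bare request targets such as
    /auth/users/me?current_password=...; path, parameter order and
    non-sensitive values are preserved.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [(k, REDACTED if k in sensitive else v) for k, v in pairs]
    # safe="[]" keeps the marker readable instead of %5BREDACTED%5D
    return urlunsplit(parts._replace(query=urlencode(scrubbed, safe="[]")))


# Request line inside an access-log entry: "METHOD target HTTP/x.y"
_REQUEST_LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)"'
)


def scrub_log_line(line: str) -> str:
    """Redact sensitive query values inside one access-log line."""
    def _sub(m: re.Match) -> str:
        target = redact_query(m.group("target"))
        return f'"{m.group("method")} {target} {m.group("proto")}"'
    return _REQUEST_LINE.sub(_sub, line)


def leaks_secret(line: str, sensitive=SENSITIVE_PARAMS) -> bool:
    """True if the log line still carries an unredacted sensitive value."""
    m = _REQUEST_LINE.search(line)
    if not m:
        return False
    pairs = parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True)
    return any(k in sensitive and v != REDACTED for k, v in pairs)


if __name__ == "__main__":
    # Constructed log line mirroring the query-string workaround from the thread.
    raw = '[25/Jun/2024 17:01:41] "DELETE /auth/users/me?current_password=Password123 HTTP/1.1" 204 0'
    print(leaks_secret(raw))      # the password is sitting in the log
    print(scrub_log_line(raw))
```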
If I want to remove it I need to disable |
I mention this because we may not want to spend too much time trying to fix something we're not going to keep, creating a custom APIView would be nice assuming that's easier |
By "it" do you mean the final slash? Why remove it at all? I can't reproduce any issue with |
Wait, you may be confusing two different things. What method are you using? GET or DELETE? Use the correct method to make a call to |
Since the request is a DELETE method, do the objections about the password being in the params still make sense? |
I tried with removing it because I've never seen query strings in URLs being used without a path next to it (I've seen this: It could be unrelated though |
I'm using |
It seems so, even though I don't care about it for the MVP, I still think it implies spending time looking for a solution we won't keep for long anyways so maybe we should look at alternatives |
I don't see anything in that thread answer related to security or the objections mentioned in the previous article. |
👍 👍 👍 Yes |
By default djoser has the setting |
The endpoint is also not documented as there is no mention of current_password being required, which I only found out (within the 401 response) after trying to call the endpoint without it at first.