network capture for login - not sure if its correct but there is csrftoken

Request URL:
http://127.0.0.1:8000/api/login
Request Method:
POST
Status Code:
200 OK
Remote Address:
127.0.0.1:8000
Referrer Policy:
strict-origin-when-cross-origin
Access-Control-Allow-Credentials:
true
Access-Control-Allow-Origin:
http://localhost:3000
Allow:
POST, OPTIONS
Content-Length:
52
Content-Type:
application/json
Cross-Origin-Opener-Policy:
same-origin
Date:
Mon, 11 Mar 2024 05:05:54 GMT
Referrer-Policy:
same-origin
Server:
WSGIServer/0.2 CPython/3.11.5
Set-Cookie:
csrftoken=Oi44ycfpIKF7R3eXF9QDkvUXaqLQ5dNe; expires=Mon, 10 Mar 2025 05:05:54 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Set-Cookie:
sessionid=6sko8fv2y8js2ti8pb5ce5dsjdtg5mko; expires=Mon, 25 Mar 2024 05:05:54 GMT; HttpOnly; Max-Age=1209600; Path=/
Vary:
Accept, Cookie, Origin
X-Content-Type-Options:
nosniff
X-Frame-Options:
DENY
Accept:
application/json, text/plain, */*
Accept-Encoding:
gzip, deflate, br
Accept-Language:
en-US,en;q=0.9
Connection:
keep-alive
Content-Length:
52
Content-Type:
application/json
Host:
127.0.0.1:8000
Origin:
http://localhost:3000
Referer:
http://localhost:3000/
Sec-Ch-Ua:
"Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
Sec-Ch-Ua-Mobile:
?1
Sec-Ch-Ua-Platform:
"Android"
Sec-Fetch-Dest:
empty
Sec-Fetch-Mode:
cors
Sec-Fetch-Site:
cross-site
User-Agent:
Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Mobile Safari/537.36

views.py - csrf_exempt

from django.contrib.auth import get_user_model, login, logout
from rest_framework.authentication import SessionAuthentication
from rest_framework.views import APIView
from rest_framework.response import Response
from .serializers import UserRegisterSerializer, UserLoginSerializer, UserSerializer
from rest_framework import permissions, status
from .validations import custom_validation, validate_email, validate_password
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt
import logging


class UserRegister(APIView):
	permission_classes = (permissions.AllowAny,)
	def post(self, request):
		clean_data = custom_validation(request.data)
		serializer = UserRegisterSerializer(data=clean_data)
		if serializer.is_valid(raise_exception=True):
			user = serializer.create(clean_data)
			if user:
				return Response(serializer.data, status=status.HTTP_201_CREATED)
		return Response(status=status.HTTP_400_BAD_REQUEST)

@method_decorator(csrf_exempt, name='dispatch')
class UserLogin(APIView):
	permission_classes = (permissions.AllowAny,)
	authentication_classes = (SessionAuthentication,)
	##
	def post(self, request):
		print("YYY UserLogin")
		logging.debug("XXX UserLogin")
		data = request.data
		assert validate_email(data)
		assert validate_password(data)
		serializer = UserLoginSerializer(data=data)
		if serializer.is_valid(raise_exception=True):
			user = serializer.check_user(data)
			login(request, user)
			return Response(serializer.data, status=status.HTTP_200_OK)


class UserLogout(APIView):
	permission_classes = (permissions.AllowAny,)
	authentication_classes = ()
	def post(self, request):
		print("YYY UserLogout")
		logging.debug("XXX UserLogout")
		logout(request)
		return Response(status=status.HTTP_200_OK)

@method_decorator(csrf_exempt, name='dispatch')
class UserView(APIView):
	permission_classes = (permissions.IsAuthenticated,)
	authentication_classes = (SessionAuthentication,)
	##
	def get(self, request):
		print("YYY UserView")
		logging.debug("XXX UserView")
		serializer = UserSerializer(request.user)
		return Response({'user': serializer.data}, status=status.HTTP_200_OK)