How to organize SPA authentication when using Django REST framework SessionAuthentication?
Given: an API in DRF with SessionAuthentication. I can't understand how to properly and safely organize user authentication in a SPA if the login form is rendered in the SPA.
When you use sessions for security, you must use the CSRF token.
For example, in the case of a conventional multi-page application on Django, the standard Django LoginView is used. The token is rendered in a hidden field of the server-side form and in the Set-Cookie response header; everything is simple and clear.
And what about the case of a SPA: if the token is requested with a GET request to /auth/login, and then authentication is done via POST /auth/login (with the previously received token passed in a header, of course), is that correct from a security point of view?
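The two-step exchange the question describes, written out as an added example (not code from the original post): the SPA first issues a GET to obtain the `csrftoken` cookie, then POSTs the credentials with the same token echoed in the `X-CSRFToken` header. The endpoint paths `/auth/login`, the user `alice`, the password and the token values are constructed for illustration; the cookie name `csrftoken` and header name `X-CSRFToken` are Django's defaults. The assumed server side is a GET view decorated with Django's `ensure_csrf_cookie` and a POST view protected by `csrf_protect`, since DRF's SessionAuthentication only enforces CSRF on requests that are already authenticated and a login view is not. The fake backend below is a simplified stand-in for Django's CsrfViewMiddleware double-submit check (the real middleware compares masked and unmasked token forms rather than raw equality) so the flow can run offline.

```javascript
// Added example: SPA login against a DRF backend that uses SessionAuthentication.
// Assumed endpoints: GET /auth/login (server uses @ensure_csrf_cookie so the
// response carries Set-Cookie: csrftoken=...) and POST /auth/login (server uses
// @csrf_protect). Endpoint names and credentials are constructed for this example.

// Parse one cookie value out of a document.cookie-style string ("a=1; b=2").
function getCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name && rest.length > 0) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Build the fetch() options for the login POST: token in the X-CSRFToken header,
// credentials in the JSON body, credentials: 'same-origin' so the csrftoken and
// sessionid cookies are sent with the request.
function buildLoginRequest(csrfToken, username, password) {
  return {
    method: 'POST',
    credentials: 'same-origin',
    headers: {
      'Content-Type': 'application/json',
      'X-CSRFToken': csrfToken,
    },
    body: JSON.stringify({ username, password }),
  };
}

// The full exchange. fetchImpl and cookieJar are injected so the flow can run
// offline; in a browser pass window.fetch and () => document.cookie.
async function spaLogin(fetchImpl, cookieJar, username, password) {
  // Step 1: GET /auth/login purely to receive the csrftoken cookie.
  await fetchImpl('/auth/login', { method: 'GET', credentials: 'same-origin' });
  const token = getCookie(cookieJar(), 'csrftoken');
  if (token === null) throw new Error('no csrftoken cookie after GET /auth/login');
  // Step 2: POST the credentials with the cookie's token echoed in the header.
  const res = await fetchImpl('/auth/login', buildLoginRequest(token, username, password));
  return res.status;
}

// Constructed stand-in for the Django side. Models the double-submit rule that
// CsrfViewMiddleware enforces: the X-CSRFToken header must match the csrftoken
// cookie, otherwise 403. Simplified: real Django compares masked/unmasked forms.
function makeFakeDjango() {
  const cookies = {};
  const CSRF_TOKEN = 'constructedcsrftoken1234567890'; // constructed value
  async function fetch(url, opts) {
    if (url === '/auth/login' && opts.method === 'GET') {
      cookies.csrftoken = CSRF_TOKEN; // equivalent of Set-Cookie: csrftoken=...
      return { status: 200 };
    }
    if (url === '/auth/login' && opts.method === 'POST') {
      if (opts.headers['X-CSRFToken'] !== cookies.csrftoken) return { status: 403 };
      const { username, password } = JSON.parse(opts.body);
      if (username === 'alice' && password === 'correct-horse') {
        cookies.sessionid = 'constructedsessionid'; // session cookie issued on success
        return { status: 200 };
      }
      return { status: 400 };
    }
    return { status: 404 };
  }
  // Render the jar the way document.cookie would present it.
  const cookieJar = () =>
    Object.entries(cookies).map(([k, v]) => `${k}=${v}`).join('; ');
  return { fetch, cookieJar, cookies };
}
```

Run against a real Django backend, the same `spaLogin` works unchanged once `fetchImpl` is `window.fetch` and `cookieJar` is `() => document.cookie`; the GET step exists only to force the `csrftoken` cookie to be set before the first POST, and a POST that omits or mismatches the header is refused with 403 before the credentials are even looked at.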