Django Allauth 65.2.0 headless mode - session token problems

I have a setup with django, drf, django-allauth headless and nextjs acting somewhat as a proxy to my django api, completely decoupled and served from different servers (a regular django setup and a separate node server for next).

Settings:

AUTH_USER_MODEL = "user.User"
ACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_EMAIL_VERIFICATION = "mandatory"

AUTHENTICATION_BACKENDS = [
    "django.contrib.auth.backends.ModelBackend",
    "allauth.account.auth_backends.AuthenticationBackend",
]
HEADLESS_ONLY = True
HEADLESS_FRONTEND_URLS = {}
# HEADLESS_TOKEN_STRATEGY = "apps.core.backends.allauth_token_strategy.DRFTokenAndAnonSessionTokenStrategy"

SOCIALACCOUNT_PROVIDERS = {
    "google": {
        "APP": {
            "client_id": config.OAUTH.GOOGLE.CLIENT_ID,
            "secret": config.OAUTH.GOOGLE.CLIENT_SECRET,
        },
        "SCOPE": [
            "profile",
            "email",
        ],
        "AUTH_PARAMS": {
            "access_type": "offline",
        },
        "OAUTH_PKCE_ENABLED": True,
    }
}

URLs: (the change is purely for aesthetics)

from allauth.headless.constants import Client
from allauth.headless.urls import build_urlpatterns
from django.urls import path, include
from django.urls.resolvers import RoutePattern


def build_allauth_url_patterns():
    path_object = build_urlpatterns(Client.APP)[0]
    path_object.pattern = RoutePattern("")
    return [path_object]


urlpatterns = [
    path("user/", include((build_allauth_url_patterns(), "headless"), namespace="app")),
    path("accounts/", include("allauth.urls")),
]

I want to use the headless mode since I don't need the CSRF features of the django allauth browser implementation; however, I want to use the handshake of django-allauth, so I'm sending a post request to the api via a form from nextjs.

For this example, consider my domain to be localhost.

<form method="post" action="https://api.localhost/v1/user/auth/provider/redirect" className="w-full">
  <Button variant="outline" className="gap-2 w-full" type="submit">
    <Icons.LogIn />
    <span>Sign Up With Google</span>
  </Button>
  <Input type="hidden" name="callback_url" value="https://auth.localhost/accounts/google/login/callback/" />
  <Input type="hidden" name="process" value="login" />
  <Input type="hidden" name="provider" value="google" />
</form>

With this, the form successfully redirects to google for authorizing my app, and I can authorize with the scope from my settings and continue to my app. But at this point, django allauth returns an error response - from what I understand - because I don't have a session identifier/key.

In allauth.socialaccount.providers.oauth2.views.OAuth2CallbackView.dispatch the call to allauth.socialaccount.providers.oauth2.views.OAuth2CallbackView._get_state returns this error response because in _get_state the state is always None. This is how far I was able to track it. I tried to figure out how to get a session_token to put in the X-Session-Token header, but since the handshake is a redirect from google to my app I can't change the header, and since I'm using the APP version and not the BROWSER version I don't have a cookie (in a non-browser app you wouldn't have this anyway, and the provider_token endpoint still requires it as per the docs).

Now my question is: if I'm right and I need the session somehow, how can I have the session identified by django so that state = statekit.unstash_state(request, state_id) actually returns the correct state? Or, if I'm wrong and there is something else that's wrong, what is that?
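As an added illustration of the mechanism the question describes (this is not allauth's statekit, only a hypothetical simplification with made-up `Request`, `stash_state` and `unstash_state`): the stashed OAuth state is keyed by the initiating session, so a callback that arrives without any session identifier, or with a different session, can never unstash it and is rejected. That binding is what defends the callback against cross-site login attempts, which is why the flow cannot simply skip it.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

SESSION_KEY = "oauth_states"  # hypothetical session slot for stashed states


@dataclass
class Request:
    # session=None models the APP-client callback in the question: Google
    # redirects the browser to the callback URL, so neither an X-Session-Token
    # header nor a session cookie reaches the server with that request.
    session: Optional[dict] = None


def stash_state(request: Request, state: dict) -> str:
    """Store the OAuth state in the caller's session and return its id."""
    if request.session is None:
        raise ValueError("no session to stash state in")
    state_id = secrets.token_urlsafe(16)
    request.session.setdefault(SESSION_KEY, {})[state_id] = state
    return state_id


def unstash_state(request: Request, state_id: str) -> Optional[dict]:
    """Return (and consume) the state only if *this* session stashed it."""
    if request.session is None:
        return None
    return request.session.get(SESSION_KEY, {}).pop(state_id, None)


def handle_callback(request: Request, state_id: str) -> str:
    """Callback view: proceed only when the state resolves from the session."""
    state = unstash_state(request, state_id)
    if state is None:
        return "error: unknown or expired state"
    return f"ok: process={state['process']}"


def demo_callback_outcomes() -> tuple:
    """Same stashed state, three callbacks: own session, no session, other session."""
    start = Request(session={})  # the session that began the handshake
    login = {"process": "login", "provider": "google"}
    sid_same = stash_state(start, login)
    sid_none = stash_state(start, login)
    sid_other = stash_state(start, login)
    same = handle_callback(Request(session=start.session), sid_same)
    none = handle_callback(Request(session=None), sid_none)
    other = handle_callback(Request(session={}), sid_other)
    return same, none, other
```

Only the first callback, which carries the session that stashed the state, succeeds; the sessionless one matches the APP-client situation described above.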
