Actually make the contract attach API not require CSRF (#2895)

Author: jkachel

b2b/views/v0/__init__.py

@@ -24,6 +24,7 @@
 )
 from courses.models import CourseRun
 from ecommerce.models import Discount, Product
+from main.authentication import CsrfExemptSessionAuthentication
 from main.constants import USER_MSG_TYPE_B2B_ENROLL_SUCCESS
 
 
@@ -86,12 +87,14 @@ class AttachContractApi(APIView):
     """View for attaching a user to a B2B contract."""
 
     permission_classes = [IsAuthenticated]
+    authentication_classes = [
+        CsrfExemptSessionAuthentication,
+    ]
 
     @extend_schema(
         request=None,
         responses=ContractPageSerializer(many=True),
     )
-    @csrf_exempt
     def post(self, request, enrollment_code: str, format=None):  # noqa: A002, ARG002
         """
         Use the provided enrollment code to attach the user to a B2B contract.

main/authentication.py

@@ -0,0 +1,17 @@
+"""Custom authentication handlers for DRF."""
+
+from rest_framework.authentication import SessionAuthentication
+
+
+class CsrfExemptSessionAuthentication(SessionAuthentication):
+    """
+    Authentication handler that ignores CSRF.
+
+    Otherwise, SessionAuthentication will enforce CSRF check, even if you tell
+    it not to.
+    """
+
+    def enforce_csrf(self, request):  # noqa: ARG002
+        """No-op CSRF enforcement"""
+
+        return