Make Webhook views CSRF exempt

This way, these webhook can be called from a command line and
authenticate them via session (user/password)

Author: humitos

readthedocs/restapi/authentication.py

@@ -0,0 +1,15 @@
+# -*- coding: utf-8 -*-
+from rest_framework.authentication import SessionAuthentication
+
+
+class CsrfExemptSessionAuthentication(SessionAuthentication):
+    """
+    Session authentication class exempt of CSRF.
+
+    DRF by default when using a ``SessionAuthentication`` it enforces CSRF.
+
+    See: https://github.com/encode/django-rest-framework/blob/3.9.0/rest_framework/authentication.py#L134-L144
+    """
+
+    def enforce_csrf(self, request):
+        return

readthedocs/restapi/views/integrations.py

@@ -29,6 +29,9 @@
 from readthedocs.integrations.utils import normalize_request_payload
 from readthedocs.projects.models import Project
 
+from ..authentication import CsrfExemptSessionAuthentication
+
+
 log = logging.getLogger(__name__)
 
 GITHUB_EVENT_HEADER = 'HTTP_X_GITHUB_EVENT'
@@ -418,6 +421,11 @@ class WebhookView(APIView):
     be.
     """
 
+    # We want to avoid CSRF checking when authenticating by user/password on
+    # this API endpoint so we can make a request like:
+    # curl -X POST -d "branches=branch" -u user:pass -e URL /api/v2/webhook/test-builds/{pk}/
+    authentication_classes = [CsrfExemptSessionAuthentication]
+
     VIEW_MAP = {
         Integration.GITHUB_WEBHOOK: GitHubWebhookView,
         Integration.GITLAB_WEBHOOK: GitLabWebhookView,