Try CSRF Exempt auth/token

one_trip/lib/api/consts.dart

@@ -1,4 +1,4 @@
-// const String baseURL = "https://groceries.alaevens.ca";
+const String baseURL = "https://groceries.alaevens.ca";
-const String baseURL = "http://192.168.0.16:8000";
+// const String baseURL = "http://192.168.0.16:8000";
 
 const int resultsPerPage = 4;

one_trip_api/one_trip_api/settings/base.py

@@ -46,6 +46,7 @@ INSTALLED_APPS = [
 ]
 
 MIDDLEWARE = [
+    'users.middleware.ExemptCSRFMiddleware',
     'django.middleware.security.SecurityMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'corsheaders.middleware.CorsMiddleware',

one_trip_api/users/middleware.py

@@ -0,0 +1,15 @@
+# https://stackoverflow.com/a/41728627/13538080
+
+from django.http import request
+
+class ExemptCSRFMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        
+        if request.path_info == "/auth/token":
+            setattr(request, '_dont_enforce_csrf_checks', True)
+
+        response = self.get_response(request)
+        return response