JSONParser exception for POST requests with anti-CSRF token

[eireworm]

I was wondering if something can see something i'm not.

I have some class-based APIViews like below:

class Customers(APIView):
    renderer_classes = [JSONRenderer]
    authentication_classes = [SessionAuthentication]
    permission_classes = [IsAuthenticated]

        def get(self, request):
            customers = CustomerModel.objects.all()
            serializer = CustomerSerializer(customers, many=True)
            return Response(serializer.data, status=HTTP_200_OK)


        def post(self, request):
            data = JSONParser().parse(request)
            serializer = CustomerSerializer(data=data)

            if serializer.is_valid():
                serializer.save()
                return Response(serializer.data, status=HTTP_201_CREATED)
            return Response(serializer.errors, status=HTTP_400_BAD_REQUEST)

I also have a seperate view for for individual 'customer' objects that accepts GET, PUT, and DELETE requests. All have functioning session authentication and CSRF protection, except the POST method. When a POST method is used anywhere, the JSONParser().parse(request) function throws a Bad request /customer/ and returns the following JSON response:

{
    "detail": "JSON parse error - Expecting value: line 1 column 1 (char 0)"
}

I was trying to troubleshoot and I confirmed it works perfectly fine with all other 'safe' and 'unsafe' HTTP methods. It's only affecting the POST method. The CSRF token is set as a cookie and included in the header as per the documentation and it works correctly with other methods so I know that's not the issue.

I created the following CsrfExemptSessionAuthentication athentication class that I found on stackoverflow and applied that:

class CsrfExemptSessionAuthentication(SessionAuthentication):
    def enforce_csrf(self, request):
        return  # To not perform the csrf check previously happening

With this CSRF exempt session authentication class, the authenticated POST method works perfectly again. I used the same JSON submission in th ebody for all requests (working requests and failed requests) so I know the JSON is formatted correctly.

For now, the CSRF exempt class will get me by but i'll need to add this in eventually and I cannot figure out what the problem is. Am I missing something?