Unsolved Using Write API with cookie auth


  • Hi

    I've managed to login to NodeBB via the API and I am using cookies to store the session.
    I can also read data from the API using this cookie to authenticate myself.

    But when I try to use the /api/v3/ write API functions to write stuff to NodeBB I get an error "Forbidden".
    If I use Bearer-authentication everything works ok.

    The documentation says cookie auth should be enough. But is this true?

    OK: curl --request PUT -H "Authorization: Bearer 123456-b123-1234-1234-123123123123" --header 'Content-Type: application/json' --data '{"delta":1}' https://www.mynodebbthing.com/api/v3/posts/123/vote

    NOT OK: curl --request PUT --cookie "express.sid=s:kYz-N-SAiyq_DNtjPep6Msq3x2eEW_o.IXPlo3AaW5jxQCZ97G1rNvhjUU; Path=/; HttpOnly; Secure; SameSite=Lax" https://www.mynodebbthing.com/api/v3/posts/123/vote

  • GNU/Linux Admin

    What do the server logs say?

    If your cookie authenticates properly, my guess is you're not passing in a valid CSRF token. That is needed for cookie-based authentication.


  • You were correct. I wasn't passing on a CSRF-token. Now everything works ok. The documentation about CSRF-tokens is very sketchy. It's documented in some places that you need tokens, but not in other places.

    From what I can find I can only get the CSRF-token from the /api/config endpoint. Are there other options?

    Also after working with this and finding basically no documentation on CSRF-tokens I am leaning on using bearer-auth to access the API instead. Which method is the most stable, bearer-auth or cookies?

  • GNU/Linux Admin

    Correct, the only place to retrieve the csrf token is from the /api/config endpoint.

    Neither method is superior to the other. When we were building out the original API, we used cookie authentication as it was built in to the browser. With the advent of the write API, I added bearer token authentication to enable easier server-to-server communication.

    The read API is meant to be used with cookie authentication, the write API is meant to be used with bearer authentication, although both support both types.
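
    The cookie-auth flow the answers above describe (fetch the CSRF token from /api/config with the session cookie, then send it alongside the cookie on the write call) as an added example; this is not code from the thread or from NodeBB itself. It assumes the token field in the /api/config JSON is named `csrf_token` and that the server accepts it in an `x-csrf-token` request header, which is what NodeBB's csurf middleware reads; both names are assumptions, not taken from the posts. The `opener` parameter exists so the flow can be exercised offline against a fake transport.

    ```python
    """Cookie-authenticated NodeBB Write API call carrying the CSRF token (added example)."""
    import json
    import urllib.request

    # Header name csurf (used by NodeBB) reads the token from; assumed, not from the thread.
    CSRF_HEADER = "x-csrf-token"
    # Field name in the /api/config JSON that carries the token; assumed as well.
    CSRF_FIELD = "csrf_token"
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


    def build_request(base_url, path, method="GET", body=None, csrf_token=None, cookie=None):
        """Build a urllib Request with the session cookie and, for writes, the CSRF token.

        Refuses to build a state-changing request without a token: sending it would only
        earn the "Forbidden" the original poster saw.
        """
        headers = {"Accept": "application/json"}
        if cookie:
            headers["Cookie"] = cookie
        data = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            data = json.dumps(body).encode()
        if method.upper() not in SAFE_METHODS:
            if not csrf_token:
                raise ValueError("write requests with cookie auth need a CSRF token")
            headers[CSRF_HEADER] = csrf_token
        return urllib.request.Request(base_url + path, data=data, method=method, headers=headers)


    def fetch_csrf_token(base_url, cookie, opener=urllib.request.urlopen):
        """GET /api/config with the session cookie and return the CSRF token it contains."""
        req = build_request(base_url, "/api/config", cookie=cookie)
        with opener(req) as resp:
            config = json.loads(resp.read().decode())
        token = config.get(CSRF_FIELD)
        if not token:
            raise RuntimeError("no %s in /api/config response" % CSRF_FIELD)
        return token


    def vote_post(base_url, cookie, pid, delta, opener=urllib.request.urlopen):
        """PUT /api/v3/posts/<pid>/vote the way the thread's curl example does, but with
        cookie auth plus CSRF token instead of a bearer token."""
        token = fetch_csrf_token(base_url, cookie, opener)
        req = build_request(
            base_url, "/api/v3/posts/%s/vote" % pid, "PUT", {"delta": delta}, token, cookie
        )
        with opener(req) as resp:
            return json.loads(resp.read().decode())
    ```

    Usage against a live forum is `vote_post("https://www.mynodebbthing.com", "express.sid=s%3A...", 123, 1)` with the session cookie copied from the browser; the token is re-fetched per call because /api/config is, as stated above, the only place to get it.
    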

