I don't think we have a hook for that. I was also looking at the source code and it seems like Date.now() is already appended to the url here https://github.com/NodeBB/NodeBB/blob/master/public/src/client/account/edit.js#L189, is your version of nodebb lacking that code?
Using Write API with cookie auth
-
Hi
I've managed to login to NodeBB via the API and I am using cookies to store the session.
I can also read data from the API using this cookie to authenticate myself. But when I try to use the /api/v3/ write API functions to write stuff to NodeBB I get an error "Forbidden".
If I use Bearer-authentication everything works ok. The documentation says cookie auth should be enough. But is this true?
OK: curl --request PUT -H "Authorization: Bearer 123456-b123-1234-1234-123123123123" --header 'Content-Type: application/json' --data '{"delta":1}' https://www.mynodebbthing.com/api/v3/posts/123/vote
NOT OK: curl --request PUT --cookie "express.sid=s:kYz-N-SAiyq_DNtjPep6Msq3x2eEW_o.IXPlo3AaW5jxQCZ97G1rNvhjUU; Path=/; HttpOnly; Secure; SameSite=Lax" https://www.mynodebbthing.com/api/v3/posts/123/vote
-
You were correct. I wasn't passing on a CSRF-token. Now everything works ok. The documentation about CSRF-tokens is very sketchy. It's documented in some places that you need tokens, but not in other places.
From what I can find I can only get the CSRF-token from the /api/config endpoint. Are there other options?
Also, after working with this and finding basically no documentation on CSRF-tokens, I am leaning towards using bearer-auth to access the API instead. Which method is the most stable, bearer-auth or cookies?
-
Correct, the only place to retrieve the csrf token is from the /api/config endpoint.
Neither method is superior to the other. When we were building out the original api, we used cookie authentication as it was built in to the browser. With the advent of the write api, I added bearer token authentication to enable easier server-to-server communication.
The read API is meant to be used with cookie authentication, the write API is meant to be used with bearer authentication, although both support both types.
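The cookie-authenticated flow the thread arrives at, written out as a small POSIX shell script. This is an added example, not code from NodeBB or from anyone in the thread: it reads the token from /api/config as the answer above describes, then repeats the PUT from the question with the token attached. Two things are assumptions to check against your NodeBB version: that /api/config exposes the token under the key `csrf_token`, and that the write API accepts it in an `x-csrf-token` request header. The same cookie jar is reused for both requests on purpose, because the token is only valid for the session it was issued to; fetching it with one cookie and writing with another still yields Forbidden.

```shell
#!/bin/sh
# Added example (not NodeBB project code): cookie-authenticated write to the
# v3 API with the CSRF token taken from /api/config.
# Assumptions: /api/config returns a "csrf_token" field and the write API reads
# the token from an x-csrf-token header. Verify both against your install.
set -eu

# Pull the csrf_token value out of an /api/config JSON body with POSIX sed.
# Prints nothing when the field is absent, so callers can test for "".
extract_csrf_token() {
    printf '%s' "$1" | sed -n 's/.*"csrf_token":"\([^"]*\)".*/\1/p'
}

# JSON body for the vote endpoint; delta is +1 (upvote) or -1 (downvote).
vote_body() {
    printf '{"delta":%s}' "$1"
}

# Ask /api/config for the token of the session stored in the cookie jar.
# -b reads the jar, -c writes it back so a refreshed session cookie is kept.
fetch_csrf_token() {
    base_url=$1; jar=$2
    body=$(curl -sS -b "$jar" -c "$jar" "$base_url/api/config")
    extract_csrf_token "$body"
}

# The request from the question, plus the header it was missing.
vote_with_cookie() {
    base_url=$1; jar=$2; pid=$3; delta=$4
    token=$(fetch_csrf_token "$base_url" "$jar")
    if [ -z "$token" ]; then
        echo "no csrf_token in /api/config response (not logged in?)" >&2
        return 1
    fi
    curl -sS --request PUT -b "$jar" -c "$jar" \
        -H "x-csrf-token: $token" \
        -H 'Content-Type: application/json' \
        --data "$(vote_body "$delta")" \
        "$base_url/api/v3/posts/$pid/vote"
}

# Network calls only run when NODEBB_URL is set, e.g.
#   NODEBB_URL=https://www.mynodebbthing.com POST_ID=123 sh vote.sh
# The jar must already hold an express.sid from a successful login.
if [ -n "${NODEBB_URL:-}" ]; then
    vote_with_cookie "$NODEBB_URL" "${NODEBB_COOKIE_JAR:-cookies.txt}" "${POST_ID:-123}" 1
fi
```

If the write still returns Forbidden after this, the usual causes are a cookie jar that never received a session (the login step itself also needs the token and the jar), or a reverse proxy that strips custom headers before they reach NodeBB.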