Community

Using Write API with cookie auth

Unsolved Technical Support
  • Mattias KlintM

    Hi

    I've managed to login to NodeBB via the API and I am using cookies to store the session.
    I can also read data from the API using this cookie to authenticate myself.

    But when I try to use the /api/v3/ write API functions to write stuff to NodeBB I get an error "Forbidden".
    If I use Bearer-authentication everything works ok.

    The documentation says cookie auth should be enough. But is this trure?

    OK: curl --request PUT -H "Authorization: Bearer 123456-b123-1234-1234-123123123123" --header 'Content-Type: application/json' --data '{"delta":1}' https://www.mynodebbthing.com/api/v3/posts/123/vote

    NOT OK: curl --request PUT --cookie "express.sid=s:kYz-N-SAiyq_DNtjPep6Msq3x2eEW_o.IXPlo3AaW5jxQCZ97G1rNvhjUU; Path=/; HttpOnly; Secure; SameSite=Lax" https://www.mynodebbthing.com/api/v3/posts/123/vote

    0
  • julianJ

    What do the server logs say?

    If your cookie authenticates properly my guess is you're not passing in a valid CSRF token. That is needed for cookie based authentication

    0
  • Mattias KlintM

    You were correct. I wasn't passing on a CSRF-token. Now everything works ok. The documentation about CSRF-tokens is very sketchy. It's documented in some places that you need tokens, but not in other places.

    From what I can find I can only get the CSRF-token from the /api/config endpoint. Are there other options?

    Also after working with this and finding basically no documentation on CSRF-tokens I am leaning on using bearer-auth to access the API instead. Which method is the most stable, bearer-auth or cookies?

    1
  • julianJ

    Correct, the only place to retrieve the csrf token is from the /api/config endpoint.

    Neither method is superior to the other. When we were building out the original api, we use cookie authentication as it was built in to the browser. With the advent of the write api, I added bearer token authentic to enable easier server-to-server communication.

    The read API is meant to be used with cookie authentication, the right API is meant to be used with bearer authentication, although both support both types.

    0

Suggested Topics

  • sebastian-marinescuS

    Using/Getting timestamp inside template

    Technical Support
    0 Votes
    5 Posts
    1116 Views

    barisB

    I don't think we have a hook for that, I was also looking at the source code and seems like Date.now() is already appended to the url here https://github.com/NodeBB/NodeBB/blob/master/public/src/client/account/edit.js#L189, is your version of nodebb lacking that code?

  • G

    Installed NodeBB but cookies issue and DB questions

    Technical Support
    0 Votes
    7 Posts
    1753 Views

    PitaJP

    @guts I meant no offense, I was just quickly providing a resource in the case that you hadn't looked at it before. Also, the docs that @yariplus linked are the outdated ones, whereas the ones I linked are more up-to-date.

    Hi, I use Litespeed actually for my other domains and they are on the same server so can I delete the config.json file in this case?

    I don't know anything about lightspeed, but I can tell you that config.json is completely separate from the reverse proxy you decide to use. config.json is generated by ./nodebb setup and is located in the nodebb directory.

    Do I have to use Ngynx in addition of Litespeed?

    Probably not, but you'll have to look up how to do the same things that nginx does when using our example config files and apply that to Lightspeed.

    I already have a database but where do I have to specify it during the setup?

    If you run ./nodebb setup after deleting config.json, it will ask you for settings for your database.

    How do I delete the config.json file?

    rm /path/to/nodebb/config.json

    My apologies but it becomes hard to follow... I followed a tuto on Youtube by entering some commands via SSH but this becomes hard to do so if someone can paste an exemple, it will be great and it will help.

    An example for what? Unfortunately it's difficult to reduce installation into quick examples.

  • T

    nodebb-plugin-write-api failing to load admin page

    Technical Support
    0 Votes
    7 Posts
    2335 Views

    T

    Thanks @julian! Works now. Seems like we'll have to rerun build each time we npm install a new plugin 😄

  • DarwinD

    New install what to use?

    Technical Support
    0 Votes
    1 Posts
    653 Views

    DarwinD

    I want to install nodebb on digitalocean..

    Which is the best OS and version ??

    which version of node.js ??

    Redis or Mongo ??

  • S

    Use Widget only on forum homepage

    Technical Support
    0 Votes
    13 Posts
    4615 Views

    deiden26D

    @yariplus My mistake. I was confusing a category page with the categories page. I now understand what you were suggesting, and it is a good solution. Thanks!

| | | |
Copyright © 2023 NodeBB | Contributors