Using Write API with cookie auth

Locked Unsolved Technical Support
  • Hi

    I've managed to login to NodeBB via the API and I am using cookies to store the session.
    I can also read data from the API using this cookie to authenticate myself.

    But when I try to use the /api/v3/ write API functions to write stuff to NodeBB I get an error "Forbidden".
    If I use Bearer-authentication everything works ok.

    The documentation says cookie auth should be enough. But is this true?

    OK: curl --request PUT -H "Authorization: Bearer 123456-b123-1234-1234-123123123123" --header 'Content-Type: application/json' --data '{"delta":1}'

    NOT OK: curl --request PUT --cookie "express.sid=s:kYz-N-SAiyq_DNtjPep6Msq3x2eEW_o.IXPlo3AaW5jxQCZ97G1rNvhjUU; Path=/; HttpOnly; Secure; SameSite=Lax"

  • What do the server logs say?

    If your cookie authenticates properly, my guess is you're not passing in a valid CSRF token. That is needed for cookie-based authentication.

  • You were correct. I wasn't passing on a CSRF-token. Now everything works ok. The documentation about CSRF-tokens is very sketchy. It's documented in some places that you need tokens, but not in other places.

    From what I can find I can only get the CSRF-token from the /api/config endpoint. Are there other options?

    Also, after working with this and finding basically no documentation on CSRF tokens, I am leaning toward using bearer auth to access the API instead. Which method is the most stable, bearer auth or cookies?

  • Correct, the only place to retrieve the csrf token is from the /api/config endpoint.

    Neither method is superior to the other. When we were building out the original API, we used cookie authentication as it was built into the browser. With the advent of the write API, I added bearer token authentication to enable easier server-to-server communication.

    The read API is meant to be used with cookie authentication, the write API is meant to be used with bearer authentication, although both support both types.
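
The cookie-plus-CSRF flow the replies describe, as an added example (not NodeBB's own code): it fetches /api/config with the session cookie, reads the token out of the JSON, and then sends the write with both the cookie and an `x-csrf-token` header. The cookie name express.sid and the `{"delta":1}` payload come from the thread; the `csrf_token` key, the `x-csrf-token` header name and the `/api/v3/posts/1/vote` path are assumptions.

```python
"""Cookie-authenticated NodeBB Write API call with a CSRF token."""
import json
import urllib.request
from urllib.error import HTTPError


def urllib_transport(method, url, headers, body):
    """Default transport: a real HTTP request via urllib, returning (status, body_text)."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as err:  # a 403 here is the "Forbidden" seen in the thread
        return err.code, err.read().decode()


def csrf_token_from_config(config_body):
    """Read the CSRF token out of a GET /api/config JSON body.

    Assumes the key is "csrf_token"; NodeBB leaves it falsy for a guest
    session, so a missing token means the cookie is not logged in.
    """
    token = json.loads(config_body).get("csrf_token")
    return token if token else None


def cookie_write(base_url, sid, method, path, payload, transport=urllib_transport):
    """Two-step flow: fetch the CSRF token under the session cookie, then send
    the write with both the cookie and the x-csrf-token header (assumed name).

    `sid` is the raw express.sid value only; attributes such as Path and
    HttpOnly belong to Set-Cookie and are not sent back in the Cookie header.
    """
    base_url = base_url.rstrip("/")
    cookie = "express.sid=" + sid
    status, body = transport("GET", base_url + "/api/config", {"Cookie": cookie}, None)
    if status != 200:
        raise RuntimeError(f"GET /api/config returned {status}")
    token = csrf_token_from_config(body)
    if token is None:
        raise PermissionError("no csrf_token in /api/config: session cookie is not authenticated")
    headers = {"Cookie": cookie, "x-csrf-token": token, "Content-Type": "application/json"}
    return transport(method, base_url + path, headers, json.dumps(payload))


if __name__ == "__main__":
    # Constructed placeholders: use your own forum URL and session id.
    # The path is an assumed Write API target for the thread's {"delta":1} payload.
    print(cookie_write("https://forum.example", "s%3AREPLACE_WITH_YOUR_SID",
                       "PUT", "/api/v3/posts/1/vote", {"delta": 1}))
```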

  • julianJ julian forked this topic on
  • Can anyone send me a complete example of how to use the "csrf token" received by calling the /api/config endpoint?

  • Please use the forked topic

  • julianJ julian locked this topic on
