Upload File API - 403 Forbidden

clementneveu

Hello to you,

I'm trying to upload an image via API POST api/post/upload but I get a 403 Forbidden error on every request.
I have my token in the Headers via Authorization, my _uid which is indeed in params and in my data, I have a form-data with

files: "d48eb070-d282-44ae-ac0d-b1b0517c4969.jpg"
ID: 24

I don't understand what is missing. Can you help me ?
THANKS !

<baris>

Sounds like the csrf_token is missing.

clementneveu

Thank's you for your response @baris

Where I found the csrf_token ?

<baris>

You can get it from making a get request to /api/config. Take a look at this post that makes a upload with a csrf token https://community.nodebb.org/post/85661

clementneveu

Thank you @baris

Can you help me, how to get cookie from Javascript ?
We send GET /api/config and after we can't access to cookie for the requesst ?

<baris>

If you are using javascript you can do a get request to api/config and use the csrf returned from there, or you can use the config.csrf_token

oplik0

@clementneveu if you're using fetch API, you can get cookies from the headers:

const res = await fetch(`${url}/api/config`);
const cookies = res.headers.get("set-cookie");

But all you'll get from there is the session id.

You can get the csrf token from the response body (parsing it as JSON):

const config = await res.json();
const csrf_token = config.csrf_token

clementneveu

@baris @oplik0

To get the csrf_token with the config api, no problem for me !

But the request failed when I try to uplaod example :

var myHeaders = new Headers();
myHeaders.append("x-csrf-token", "905c19cde3c0a03e76bed59be221c1803b45d8...XXX");
myHeaders.append("Authorization", "Bearer 3e0ae6ca...XXX");

var formdata = new FormData();
formdata.append("files[]", fileInput.files[0], "icon.png");

var requestOptions = {
  method: 'POST',
  headers: myHeaders,
  body: formdata,
  redirect: 'follow'
};

fetch("https://XXX.com/api/post/upload?_uid=53", requestOptions)
  .then(response => response.text())
  .then(result => console.log(result))
  .catch(error => console.log('error', error));

I have 403 Forbidden error.

julian

@clementneveu what do you see in the server side? Any errors emitted?

clementneveu

I have this error:

2023-08-16T09:41:22.719Z [8080/63648] - [31merror[39m: POST /api/post/upload
invalid csrf token

julian

@clementneveu said in Upload File API - 403 Forbidden:

To get the csrf_token with the config api, no problem for me !

How are you getting this token? Can you show us the code?