Forbid direct access on the controller

Created on 21 January 2021, over 4 years ago
Updated 29 May 2025, 5 days ago

Problem/Motivation

The autocomplete feature uses a custom controller to provide address results in JSON format. We should prevent direct access to this controller somehow and forbid possible exploitation of API resources...

The initial idea was to use Drupal's CSRF token for this, but sadly, it doesn't work for anonymous users (users without a session). Some related CSRF issues:
https://www.drupal.org/project/drupal/issues/1803712 📌 Allow form tokens to be used on anonymous forms in some cases (Needs work)
https://www.drupal.org/project/drupal/issues/2730351 🐛 CSRF check always fails for users without a session (Needs work)

Remaining tasks

Research a bit on how this could be achieved. Maybe some sort of custom CSRF token/generator?

✨ Feature request
Status

Active

Version

1.0

Component

Code

Created by


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸 United States rhovland Oregon

    A token can be easily harvested from a public page where nobody needs to be logged in and then used to authorize automated requests to the json endpoint. How would we handle rotating that token? What happens when it's rotated between user requests?
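
One way to sketch the "custom CSRF token/generator" idea and the rotation question raised in this thread, as an added example that is not code from the module or from any participant: a sessionless, HMAC-signed token tied to a time window, where validation accepts the current and the previous window so a page rendered just before rotation still works. The class name `AutocompleteToken`, the 300-second window, the form id and the secret are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of the module. $secret stands in for a
// site-private key; WINDOW is an assumed rotation period.
final class AutocompleteToken
{
    private const WINDOW = 300; // seconds per rotation window (assumed)

    public function __construct(private string $secret) {}

    // Token embedded in the rendered form for the current time window.
    public function issue(string $formId, ?int $now = null): string
    {
        return $this->sign($formId, intdiv($now ?? time(), self::WINDOW));
    }

    // Accept the current and the previous window, so a page rendered just
    // before rotation keeps working for one more period.
    public function validate(string $formId, string $token, ?int $now = null): bool
    {
        $window = intdiv($now ?? time(), self::WINDOW);
        $valid = false;
        foreach ([$window, $window - 1] as $w) {
            // hash_equals() compares in constant time.
            $valid = hash_equals($this->sign($formId, $w), $token) || $valid;
        }
        return $valid;
    }

    // The MAC covers the form id and the window number, nothing per-user.
    private function sign(string $formId, int $window): string
    {
        return hash_hmac('sha256', $formId . ':' . $window, $this->secret);
    }
}

// Constructed demonstration values.
$tokens = new AutocompleteToken('constructed-demo-secret');
$t0 = 1_700_000_000;
$token = $tokens->issue('address_autocomplete', $t0);

var_dump($tokens->validate('address_autocomplete', $token, $t0 + 200)); // checked in the following window
var_dump($tokens->validate('address_autocomplete', $token, $t0 + 700)); // checked three windows later
var_dump($tokens->validate('other_form', $token, $t0));                 // token presented for another form id
```

A token like this only bounds how long a value copied from the public page stays usable; anyone who can load the page can still obtain a fresh one, so per-client request limits on the endpoint remain a separate control.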
