I use the JSON:API to have a Vue3 Frontend for Drupal 10.x. The Frontend uses fetch to execute calls against the Drupal REST/JSONAPI endpoints. Everything works as expected. ONLY the logout behaves differently.
To be honest it works perfectly in Postman. The call POST `{{base_url}}/user/logout?_format=json&token={{logout_token}}&csrf_token={{logout_token}}` returns with 204. Everything is fine. If I do the same call from my Vue3 app, it always fails with the message: `{"message":"\u0027csrf_token\u0027 URL query argument is invalid."}`
First of all, WHY is there an access check if someone wants to log out? It feels crazy that you can forbid that. Anyways, the `CsrfAccessCheck::access` fails when I use the Vue3 App. I tracked it down to this check:
MetadataBag.php

```php
public function getCsrfTokenSeed() {
  if (isset($this->meta[static::CSRF_TOKEN_SEED])) {
    return $this->meta[static::CSRF_TOKEN_SEED];
  }
}
```

where in case of the Vue3 call, this is always nonexistent. With Postman it is. There is a value there, but with the Vue3 app it's not and therefore `$seed = null;` and thus it will fail to log out.
The thing is, when I login I checked via debugger, that

```php
public function setCsrfTokenSeed($csrf_token_seed) {
  $this->meta[static::CSRF_TOKEN_SEED] = $csrf_token_seed;
}
```

is used and a value is set. Even if the very next (manual) call from my Frontend is the logout, the value is not there anymore and the logout fails.
I may have to add that I use the https://www.drupal.org/project/jwt project to perform the login, which works like a charm.
Does anybody have an idea why this could be failing? Why is the CSRF_TOKEN_SEED key of the ->meta attributes empty, even if the current user is correctly logged in?
Any idea would greatly help.
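
An added example, not part of the original post and not Drupal's code: a simplified JavaScript model of a CSRF token derived from a seed kept in the session, showing that a logout request which reaches the server without that session finds no seed and is rejected even though the token itself is correct. `SITE_KEY`, `login`, `logout`, the in-memory session map and the `'user/logout'` value string are assumptions made for illustration.

```javascript
// Simplified model of a session-seeded CSRF check (assumed names, not Drupal's code).
const { createHmac, randomBytes, timingSafeEqual } = require('node:crypto');

const SITE_KEY = 'constructed-site-secret'; // stands in for the site-wide secret
const sessions = new Map();                 // session id -> { uid, csrfSeed }

// Token = HMAC over a fixed value, keyed with the per-session seed plus the site secret.
function computeToken(seed, value) {
  return createHmac('sha256', seed + SITE_KEY).update(value).digest('base64url');
}

// Login creates a session, stores a fresh seed in it and returns the token to the client.
function login(uid) {
  const sid = randomBytes(16).toString('hex');
  const csrfSeed = randomBytes(32).toString('base64url');
  sessions.set(sid, { uid, csrfSeed });
  return { cookie: sid, logoutToken: computeToken(csrfSeed, 'user/logout') };
}

// Logout reads the seed through the session cookie sent with *this* request.
function logout(request) {
  const session = sessions.get(request.cookie);
  const seed = session ? session.csrfSeed : null;
  if (!seed) return { status: 403, reason: 'no seed in session' };
  const expected = Buffer.from(computeToken(seed, 'user/logout'));
  const given = Buffer.from(String(request.token));
  // Constant-time comparison; lengths must match before timingSafeEqual is called.
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) {
    return { status: 403, reason: 'token mismatch' };
  }
  sessions.delete(request.cookie);
  return { status: 204 };
}

// Constructed scenario: the same valid token sent with no session cookie,
// with another session's cookie, and with the cookie of the session that issued it.
function demo() {
  const { cookie, logoutToken } = login(1);
  const withoutCookie = logout({ cookie: undefined, token: logoutToken });
  const otherSession = logout({ cookie: login(2).cookie, token: logoutToken });
  const withCookie = logout({ cookie, token: logoutToken });
  return { withoutCookie, otherSession, withCookie };
}

console.log(demo());
```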
Active
10.2