Logout via REST does not work because of CSRF Check.

Created on 13 February 2024, 10 months ago
Updated 14 February 2024, 10 months ago

I use the JSON:API to have a Vue3 frontend for Drupal 10.x. The frontend uses fetch to execute calls against the Drupal REST/JSON:API endpoints. Everything works as expected. ONLY the logout behaves differently.

To be honest, it works perfectly in Postman. The call POST `{{base_url}}/user/logout?_format=json&token={{logout_token}}&csrf_token={{logout_token}}` returns 204. Everything is fine. If I do the same call from my Vue3 app, it always fails with the message: `{"message":"\u0027csrf_token\u0027 URL query argument is invalid."}`

First of all, WHY is there an access check if someone wants to log out? It feels crazy that you can forbid that. Anyway, CsrfAccessCheck::access fails when I use the Vue3 app. I tracked it down to this check:

MetadataBag.php

  // Returns the seed stored in the session metadata bag, or NULL (implicitly)
  // when the CSRF_TOKEN_SEED key has not been set for this session.
  public function getCsrfTokenSeed() {
    if (isset($this->meta[static::CSRF_TOKEN_SEED])) {
      return $this->meta[static::CSRF_TOKEN_SEED];
    }
  }

where, in the case of the Vue3 call, this is always non-existent. With Postman it is there: there is a value, but with the Vue3 app there is not, and therefore $seed = null, and thus the logout fails.

The thing is, when I log in I checked via the debugger that

  // Stores the seed in the session metadata bag (called during login).
  public function setCsrfTokenSeed($csrf_token_seed) {
    $this->meta[static::CSRF_TOKEN_SEED] = $csrf_token_seed;
  }

is used and a value is set. Even if the very next (manual) call from my frontend is the logout, the value is not there anymore and the logout fails.

I may have to add that I use the https://www.drupal.org/project/jwt project to perform the login, which works like a charm.

Does anybody have an idea why this could be failing? Why is the CSRF_TOKEN_SEED key of the ->meta attributes empty, even though the current user is correctly logged in?

Any idea would greatly help.
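As an added illustration (not code from this issue or from Drupal core) of why a missing seed makes the check fail: this stripped-down PHP model mirrors how core's CsrfTokenGenerator derives and validates a token from the seed kept in the session metadata bag. The class names and the secret are hypothetical stand-ins for the real service, private key and hash salt.

```php
<?php
// Added illustration, not Drupal core code: a stripped-down model of how
// CsrfTokenGenerator ties a token to the seed in the session metadata bag.
final class SessionMetadata {
  const CSRF_TOKEN_SEED = 'csrf_token_seed';
  private array $meta = [];
  public function getCsrfTokenSeed(): ?string {
    return $this->meta[self::CSRF_TOKEN_SEED] ?? NULL;
  }
  public function setCsrfTokenSeed(string $seed): void {
    $this->meta[self::CSRF_TOKEN_SEED] = $seed;
  }
}
final class CsrfTokenModel {
  // Hypothetical stand-in for the site's private key and hash salt.
  private string $secret = 'site-private-key+hash-salt';
  public function __construct(private SessionMetadata $session) {}
  // Issue a token for $value: the seed is created on first use and kept in the session.
  public function get(string $value): string {
    $seed = $this->session->getCsrfTokenSeed();
    if ($seed === NULL) {
      $seed = $this->base64Url(random_bytes(32));
      $this->session->setCsrfTokenSeed($seed);
    }
    return $this->compute($seed, $value);
  }
  // Validation needs the same seed; a session without one rejects every token.
  public function validate(string $token, string $value): bool {
    $seed = $this->session->getCsrfTokenSeed();
    return $seed !== NULL && hash_equals($this->compute($seed, $value), $token);
  }
  private function compute(string $seed, string $value): string {
    return $this->base64Url(hash_hmac('sha256', $value, $seed . $this->secret, TRUE));
  }
  private function base64Url(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
  }
}
// Request 1 (login) creates the seed in this session and issues a logout token.
$login = new SessionMetadata();
$token = (new CsrfTokenModel($login))->get('logout');
// Request 2 with the same session accepts it; one whose metadata bag is empty
// (the state the debugger showed) rejects the very same token.
var_dump([
  'same session' => (new CsrfTokenModel($login))->validate($token, 'logout'),
  'empty bag' => (new CsrfTokenModel(new SessionMetadata()))->validate($token, 'logout'),
]);
```

The token itself is never the problem in the second case: validation gives up before comparing because the seed it must be checked against is not in the metadata bag of the request doing the logout.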

Support request
Status: Active
Version: 10.2
Component: Ajax
Created by: ro-no-lo (Germany)
