Authentication Not Performed via x-csrf-token.

Created on 21 February 2024, 10 months ago

Problem/Motivation

When using the Webform REST endpoint to submit a form, the response is 200 whether or not the `x-csrf-token` header is included in the request. This contradicts the expectation that a valid `x-csrf-token` is required for a successful submission.

Steps to reproduce

1. Grant permission to anonymous users for "Webform Submit POST" under "RESTful Web Services" at `/admin/people/permissions`.
2. Enable "Webform Submit" at `/admin/config/services/rest`.
3. Execute the command `curl -X POST -H "Content-Type: application/json" -H "X-CSRF-Token: {x_csrf_token}" -d '{"webform_id": "{webform_name}", "message": "{message_text}"}' {website_url}/webform_rest/submit`.
4. Also, execute the command without `x-csrf-token` in the header and observe the response.

Proposed resolution

Investigate and modify the system to ensure that the submission only succeeds (returns 200) when a valid `x-csrf-token` is included in the request.

Remaining tasks

- Identify the cause of the issue.
- Implement necessary changes to enforce `x-csrf-token` validation.
- Test to confirm that the issue is resolved.

User interface changes

N/A

API changes

This change will impact the API behavior to correctly validate `x-csrf-token` in the request header.

Data model changes

N/A

🐛 Bug report
Status

Active

Version

4.1

Component

Code

Created by


Comments & Activities

  • Issue created by @sahksas
  • 🇦🇺Australia imclean Tasmania
  • 🇮🇳India dev2.addweb

    Hi, I have checked with two different conditions.

    1. Without granting permission to anonymous users for "Webform Submit POST":

    curl -X POST -H "Content-Type: application/json" -H "X-CSRF-Token:gtoonH1Rj0gtCJzmOLW-6E1KkWe6ldb5KgDRgz97z5A" -d '{"webform_id": "inquiry", "name": "demo name", "email": "demo@gmail.com"}' http://lando-d10.lndo.site:8000/webform_rest/submit
    {"message":"The \u0027restful post webform_rest_submit\u0027 permission is required."}

    To make a POST request you also need to pass the session cookie along with the `x-csrf-token`:

    curl --location 'http://lando-d10.lndo.site:8000/webform_rest/submit?_format=json' \
    --header 'Content-Type: application/json' \
    --header 'X-CSRF-TOKEN: gtoonH1Rj0gtCJzmOLW-6E1KkWe6ldb5KgDRgz97z5A' \
    --header 'Cookie: SESS93092389ae524832432597fba32d9747=boHyZiQHKHMPSZfQpvt6esNA0xApZhn2fQqvttTVJ678dePs' \
    --data-raw '{
        "webform_id": "inquiry",
        "email": "demo@gmail.com",
        "name": "demo name"
    }'

    2. After granting permission to anonymous users you can submit the POST request, but it will not validate `x-csrf-token` any more.
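
The behaviour described in the issue summary and in the comment above follows from Drupal core's CsrfRequestHeaderAccessCheck, which applies the X-CSRF-Token requirement only when all three of these hold: the method is not a safe one (GET, HEAD, OPTIONS, TRACE), the account is authenticated, and the request carries a session cookie. An anonymous POST fails the last two conditions, so the header is never examined, with or without a token; a POST on a logged-in cookie session must carry a token derived from that session's seed; a basic_auth request has no session cookie and is also exempt. The Python model below is an added example, not code from webform_rest or Drupal core: it mirrors that decision and the shape of core's HMAC token for the request shapes seen in this thread. The session ids, seeds, private key and hash salt are constructed values, and resolve_session(), csrf_access() and demo() are names chosen for this example.

```python
"""Model of when Drupal core enforces X-CSRF-Token on a REST request.

Added example, not code from webform_rest or Drupal core. It mirrors the
three conditions in core's CsrfRequestHeaderAccessCheck (write method,
authenticated account, session cookie present) and the shape of core's
HMAC token. Session ids, seeds, the private key and hash salt are
constructed; the helper names are chosen for this example.
"""
import base64
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
TOKEN_KEY = "rest"  # the value the REST CSRF check validates the header against

# Constructed stand-ins for the site's private key and hash salt.
PRIVATE_KEY = "constructed-private-key"
HASH_SALT = "constructed-hash-salt"


@dataclass
class Session:
    """Server-side state behind a SESS* cookie; uid 0 is anonymous."""
    uid: int
    csrf_seed: str


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    basic_auth_uid: int = 0  # non-zero when basic_auth authenticated the request


def csrf_token(seed: str, value: str = TOKEN_KEY) -> str:
    """Drupal-style token: base64url HMAC-SHA256 of value, keyed by seed+key+salt."""
    key = (seed + PRIVATE_KEY + HASH_SALT).encode()
    digest = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def resolve_session(req: Request, sessions: dict) -> Optional[Session]:
    """Look up the session named by a SESS* cookie, if the request sent one."""
    for name, sid in req.cookies.items():
        if name.startswith("SESS") and sid in sessions:
            return sessions[sid]
    return None


def csrf_access(req: Request, sessions: dict) -> tuple:
    """Return (allowed, reason) for the CSRF header requirement only.

    Permission checks such as 'restful post webform_rest_submit' are
    separate and apply regardless of this result.
    """
    session = resolve_session(req, sessions)
    uid = session.uid if session else req.basic_auth_uid
    if req.method in SAFE_METHODS:
        return True, "safe method: no CSRF check"
    if uid == 0:
        # The reporter's case: an anonymous request carries no ambient
        # credential that a forged cross-site request could ride on, so
        # the header is never looked at.
        return True, "anonymous: no CSRF check"
    if session is None:
        # basic_auth or another non-cookie provider: nothing to forge either.
        return True, "authenticated without a session cookie: no CSRF check"
    sent = req.headers.get("X-CSRF-Token", "")
    expected = csrf_token(session.csrf_seed)
    if hmac.compare_digest(sent.encode(), expected.encode()):
        return True, "valid X-CSRF-Token"
    return False, "X-CSRF-Token request header is missing or invalid"


def demo() -> dict:
    """Run the request shapes from the thread; returns name -> allowed."""
    sessions = {
        "sid-anon": Session(uid=0, csrf_seed="seed-anon"),
        "sid-user": Session(uid=42, csrf_seed="seed-user"),
    }
    good = csrf_token("seed-user")
    user = {"SESSabc": "sid-user"}
    cases = {
        "anon_no_cookie_no_token": Request("POST"),
        "anon_no_cookie_with_token": Request("POST", headers={"X-CSRF-Token": good}),
        "anon_cookie_no_token": Request("POST", cookies={"SESSabc": "sid-anon"}),
        "user_cookie_no_token": Request("POST", cookies=user),
        "user_cookie_bad_token": Request("POST", headers={"X-CSRF-Token": "x"}, cookies=user),
        "user_cookie_good_token": Request("POST", headers={"X-CSRF-Token": good}, cookies=user),
        "basic_auth_no_token": Request("POST", basic_auth_uid=42),
        "user_get_no_token": Request("GET", cookies=user),
    }
    return {name: csrf_access(req, sessions)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} {'200' if allowed else '403'}")
```

The practical consequence for step 1 of the reproduction: granting "Webform Submit POST" to the anonymous role makes the endpoint a public write API, and a CSRF token cannot add anything there because there is no logged-in credential for a forged request to borrow. The token only protects users who are submitting on a cookie session; protection for anonymous submissions has to come from the permission itself and from whatever spam or rate controls sit in front of the form.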

  • 🇺🇸United States DamienMcKenna NH, USA

    I'm seeing a similar issue that's equally puzzling.

    It's a GET request to webform_rest/WEBFORMID/elements, using basic_auth with a user account that has the "restful get webform_rest_elements" permission; the API request returns a 403 with the message "The 'restful get webform_rest_elements' permission is required." However, looking at dblog I see a message for the 403 reaction, but it shows the user was logged in; the API failure was not for the anonymous user!

  • 🇺🇸United States DamienMcKenna NH, USA

    In the end I deleted the user account and recreated it - same credentials, same role, and it worked. So something was borked somewhere.
