X-CSRF-Token request header is missing - 403 forbidden error

Please refer the attached patch will resolve this issue.

This patch is tested and working as expected.

Screenshots attached.
1. Before applying the patch
2. When patch is applied
3. After applying patch

Please open a merge request against the 11.x-dev branch. We can't test patches here any more.

"Other then" should be "other than".

I have added a merge request against the 11.x branch, including the existing patch changes,
and also fixed the typo issue. Please review.

Think simple test assertion can be added

Added test case for the new changes of Bearer check. Moving to NR.

@arunkumark FYI, I 'm already working on this issue , but feedback added here is not complete 24 hrs you should wait at least 24 hrs if someone already working .
I hope you 'll understand my concerns.

@shallini_jha if you were working on should assign to yourself

Thank you @smustgrave for providing this info I 'm not aware about it, from next time I 'll assign it to myself.

Feedback has been addressed believe

This would allow anyone to bypass REST module's CSRF protection just by adding 'bearer' in the header. I think this needs to be fixed in simple_oauth module, for example replacing the access check.

Moving to needs more info. If this is a bug at all, it would be against simple_oauth, but it sounds like it might be a client implementation issue (see above).

Given the last comment I don't think is a novice issue anymore and is up to the reporter to clarify

I was testing my API with Bruno when this became an issue for me too. In my case at least, the comment at https://drupal.stackexchange.com/a/307648 led me to the solution, i.e. Bruno now stored the Drupal session cookie and because of this, also expected the CSRF in the header, even though it didn't before when using Oauth.