Controllers performing data modification should make use of CSRF tokens via /session/token

💯

Quoting JSON:API:

    // Creation route.
    if ($resource_type->isMutable()) {
…
      $collection_create_route->setRequirement('_csrf_request_header_token', 'TRUE');
…
    }

— \Drupal\jsonapi\Routing\Routes::getRoutesForResourceType()

akhil babu → changed the visibility of the branch 3490087-controllers-performing-data to hidden.

akhil babu → changed the visibility of the branch 3490087-controllers-performing-data to active.

PHPUnit tests were already available for these routes and I have updated them to validate the CSRF token

experience_builder.api.content.update
experience_builder.api.config.patch
experience_builder.api.config.delete
experience_builder.api.config.post

Couldn't find any PHPUnit tests for the other routes. The cypress tests should be updated for them, I belive
experience_builder.api.preview
experience_builder.api.log_error
experience_builder.api.publish_all

This blocks ✨ Provide a way to create a new page Active .

Rebased.

Going to take a stab at the failure POST 403 /web/xb-field-form/node/1?.

Worked with Matt to fix the test - this looks good to me.

Looks beautiful! Just a nit about the class being wrongly/confusingly named now. But that will likely evolve further in the future, so not worth doing a follow-up MR IMHO 👍

Unpostponed ✨ Provide a way to create a new page Active 👍

Automatically closed - issue fixed for 2 weeks with no activity.