Defect #33029
Status: closed
API POST requests fail with 422 "Can't verify CSRF token authenticity." on 3.4.13, 4.0.6 and 4.1.0
% Done: 0%
Description
I have been tasked with making our main application work with a newer version of redmine than it did before.
The old one was ancient. Our current one is 3.4.13 in a docker container.
I have tried the latest three versions on localhost. They behave the same in this regard:
When I make POST requests using HTTParty or even curl, I get a 422 response code with the message "Can't verify CSRF token authenticity".
This is my request:
HTTParty.post(
  "http://localhost:3000/issues.json&key=665f63b1c6a66a3a103207c59241ea9aefbe87c4",
  timeout: @options[:timeout],
  headers: {'Content-Type' => 'application/json'},
  body: somehash.to_json
)
In the Redmine source code, ApplicationController calls protect_from_forgery. I don't see any exceptions on this like I would expect with API requests.
I thought CSRF protection was only meant for posted forms and the like. I may be wrong on that. How would I know what to send as a CSRF token when making API requests without prior requests?
I read the API reference. I didn't see anything on the matter.
What am I missing?
Another thing:
I have tried putting the key in the body with the JSON key "key" and as a header with the key name 'X-Redmine-API-Key' as specified. None of those is accepted, it seems.
I can only make it accept the key if passed as a query parameter for some reason.
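As an added example (not the reporter's code and not part of Redmine), a stdlib-only Ruby version of the same POST that builds the URL with URI so that the path ends in exactly ".json" (Redmine treats a request as an API request, and skips the CSRF check, only when its format parameter is json or xml) and sends the key in the X-Redmine-API-Key header rather than the URL, where it would otherwise end up in access logs; the base URL, key and issue attributes used below are constructed placeholders.

```ruby
require 'json'
require 'net/http'
require 'uri'

# Build a Redmine issue-creation request without sending it, so the
# resulting URL, headers and body can be inspected offline.
# The path is joined with URI.join, so '?' and '&' never leak into the
# path segment and the format extension stays exactly ".json".
def build_issue_post(base_url, api_key, issue_attrs)
  uri = URI.join(base_url, '/issues.json')
  req = Net::HTTP::Post.new(uri)
  req['Content-Type'] = 'application/json'
  req['X-Redmine-API-Key'] = api_key          # key in a header, not in the query string
  req.body = JSON.generate(issue: issue_attrs) # Redmine expects {"issue": {...}}
  [uri, req]
end

# True when the extension Redmine will read as params[:format] is ".json".
# A URL such as "/issues.json&key=..." yields ".json&key=...", which is why
# Redmine does not classify it as an API request.
def api_format_ok?(uri)
  File.extname(uri.path) == '.json'
end

# Send the request with explicit timeouts; returns [status_code, body].
def post_issue(base_url, api_key, issue_attrs, timeout: 10)
  uri, req = build_issue_post(base_url, api_key, issue_attrs)
  Net::HTTP.start(uri.host, uri.port,
                  open_timeout: timeout, read_timeout: timeout) do |http|
    res = http.request(req)
    [res.code.to_i, res.body]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Placeholder values: base URL, key and attributes are constructed examples.
  uri, req = build_issue_post('http://localhost:3000', 'EXAMPLE_API_KEY',
                              { project_id: 1, subject: 'constructed example' })
  puts "#{req.method} #{uri} format_ok=#{api_format_ok?(uri)}"
  puts req.body
end
```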