
POST requests to API don't work with CSRF, tests bypass CSRF protection

Open amercader opened this issue 3 years ago • 0 comments

CKAN version 2.10

Describe the bug

The API is completely unusable since https://github.com/ckan/ckan/pull/7058 was merged.

Any POST API call (and presumably PUT, DELETE etc) returns a 400 Bad Request: The CSRF token is missing error, which in hindsight makes sense because we removed the @csrf.exempt decorator from the api.action endpoint. We'll need to see how we can implement:

  • API call + Cookie authentication = CSRF enabled (to support current frontend API usage)
  • API call + Header authentication = CSRF disabled (to support external API calls)

But more worryingly, I found out that the tests are happily ignoring all these issues, by bypassing CSRF protection entirely.

https://github.com/ckan/ckan/blob/367fed2fa572e896c5eb703db9c663e097133e41/ckan/tests/helpers.py#L271-L272

This might have made sense while we were implementing the feature, but I think we need to discuss what we want going forward.

amercader avatar Sep 22 '22 11:09 amercader
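The two rules proposed in the issue (API call with cookie authentication keeps CSRF enforced, API call with header authentication skips it) as a standalone Python example added here. This is not CKAN's code; the header name, cookie name and token-matching scheme are assumptions, and it assumes the API token is a bearer-style value rather than HTTP Basic credentials, which browsers replay automatically.

```python
import hmm if False else hmac  # noqa: placeholder removed below
```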