rest - POST Requests for CakePHP 3 API are not working

Question

I am developing an API using CakePHP 3.x documentation. To develop this API I am using their official documentation: https://book.cakephp.org/3.0/en/development/rest.html

When I try to access my api using GET request on url http://localhost/healthcare_portal/eapi/applicants/index.json, I get follow expected json result

{
    "applicants": [
        {
            "applicant_id": 1,
            "name": "Manender"
        },
        {
            "applicant_id": 2,
            "name": "mayank"
        }
    ]
}

But when I access my api using POST request on same url http://localhost/healthcare_portal/eapi/applicants/index.json, I get CSRF Mismatch Token Error. Response from API in this case is

{
    "message": "Missing CSRF token cookie",
    "url": "/applicants/index.json",
    "code": 403,
    "file": "/opt/lampp/htdocs/healthcare_portal/eapi/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php",
    "line": 191
}

I have tried other alternatives as adding

 $input = (array) $this->request->input('json_decode', true);

in my controller's action but this is I get same error on post request. If anyone faced same issue, please help me in getting a breakthrough.

Answer 1

As mentioned in CSRF token mismatch in post request in 3.6 version, the default app template lately has the CSRF protection middleware enabled by default, requiring CSRF tokens and cookies to be sent alongside non-GET requests.

You API should most likely require some form of authentication, and in case that authentication does not rely on cookies, or (HTTP) Basic authentication, or any other form of authentication which browsers/clients will automatically send/perform with HTTP requests, then you don't need CSRF protection, as CSRF would not be possible.

If you don't need CSRF protection

If you really don't need CSRF protection for your API, then you can disable it, for example by using a custom middleware handler that checks the request URL or route and applies the CSRF middleware conditionally, or by applying the middleware on routing scopes, so that you can exclude your API scope, see Cakephp 3.5.6 disable CSRF Middleware for controller.

If you do need CSRF protection

If your API uses a form of authentication that is prone to CSRF, then you should figure out a way to serve the cookies (the middleware will automatically set the cookie on GET requests) and CSRF tokens (they are available on the request object like $request->getParam('_csrfToken')) to your clients, so that they can send them alongside their requests.

See also

• Cookbook > Middleware > Cross Site Request Forgery (CSRF) Middleware
• https://security.stackexchange.com/questions/166724/should-i-use-csrf-protection-on-rest-api-endpoints