-
I am able to make API requests by providing only the session token. Is this working as intended? The docs clearly want me to use the anti-CSRF tokens, for example here: https://blitzjs.com/docs/session-management#manual-api-requests. Please have a look at the demo repo below. It's just a bare Blitz app with one API route created. A test script with curl is included in the repo under
Replies: 2 comments
-
I think it's working fine because you're using curl, and you'd need the anti-CSRF token when making a request from another domain (e.g. client/mobile app).
-
The anti-CSRF token is only checked for non-GET and non-HEAD requests. Mutations and queries are POST requests, so they are secured by default. To secure API routes you have to manually add a check like this:

```ts
import { BlitzApiHandler, getSession, SessionContext } from "blitz"

const handler: BlitzApiHandler = async (req, res) => {
  // Refuse GET/HEAD up front: those methods skip the anti-CSRF check,
  // so only POST requests reach getSession(), where the token is verified.
  if (req.method !== "POST") {
    res.status(405).setHeader("Content-Type", "text/plain").end("Method not allowed")
    return
  }
  const session: SessionContext = await getSession(req, res)
  // ...
}

export default handler
```

Client-side, the fetch caller would look something like this:

```ts
import { getAntiCSRFToken } from "blitz"

const result = await Result.fromAsync(() =>
  fetch("/api/my-route", { method: "POST", headers: { "anti-csrf": getAntiCSRFToken() } }).then(
    (res) => {
      if (!res.ok) {
        throw new Error(`${res.status}: ${res.statusText}`)
      }
    }
  )
)
```