I was looking for an API feature that, for a given email address, added a user to a group or two, inviting them to the forum if they didn’t already have an account. I couldn’t find that feature, but noticed that this is exactly what the ‘bulk upload’ invite feature does. This isn’t documented in the API, but is what the browser does.
So I did the same, using the following php code to POST a csv file:
$body = "--ossifrage\r Content-Disposition: form-data; name=\"type\"\r \r csv\r --ossifrage\r Content-Disposition: form-data; name=\"files\"; filename=\"test.csv\"\r Content-Type: text/csv\r \r $order_email,$group_names\r \r \r --ossifrage--\r "; $r=wp_remote_post( 'https://club.tidalcycles.org/invites/upload_csv.json', array( 'method' => 'POST', 'headers' => array('Content-Type' => 'multipart/form-data; boundary=ossifrage', 'Api-key' => '(redacted)', 'Api-Username' => 'yaxu'), 'body' => $body ) );
This worked great for a couple of months, but has recently stopped working, with the following error in the discourse logs:
Can't verify CSRF token authenticity.
Is this an bug, as I should be authenticated via the API key? Or am I on to a loser trying to use undocumented parts of the API?