BAD CSRF on user modification

tschuerle · July 6, 2020, 2:19pm

Hi everyone,

we running in ["BAD CSRF"] Errors (403, Forbidden) at the moment.
Request with API-Key looks like:
Url: https://<domain>/u/tschuerle.json?api_key=<valid key>&api_username=tschuerle
Body: { "hide_profile_and_presence": true }
Method: PUT
Headers: "Content-Type" to "application/json"

According to the web-hook logs It worked until April. At the moment we are running the lastest stable version 2.5.0.

Usecase: Set profiles to private after user-creation via web-hook and let the user’s decide on their own, if they want to make their profile public.

Any hints?

Thanks,
Thomas

Falco · July 6, 2020, 3:08pm

API Keys now need to be set as headers instead of URL parameters. Check docs.discourse.org for details.

tschuerle · July 6, 2020, 3:20pm

Oh, I missed that. It’s working with that
Thank you @Falco

system · August 5, 2020, 3:20pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
"BAD CSRF" when executing PUT using API, curl, and PHP dev	5	2008	October 5, 2021
Adding user to group from API gets "BAD CSRF" dev	4	2437	July 19, 2017
API: cannot update user dev	13	2119	June 3, 2017
I'm getting bad CSRF error even after setting api keys and usernames to my headers General	2	741	April 16, 2022
Can't verify CSRF token authenticity while creating topics dev rest-api	1	931	November 4, 2022

BAD CSRF on user modification

Related Topics