BAD CSRF on user modification

tschuerle · July 6, 2020, 2:19pm

Hi everyone,

we running in ["BAD CSRF"] Errors (403, Forbidden) at the moment.
Request with API-Key looks like:
Url: https://<domain>/u/tschuerle.json?api_key=<valid key>&api_username=tschuerle
Body: { "hide_profile_and_presence": true }
Method: PUT
Headers: "Content-Type" to "application/json"

According to the web-hook logs It worked until April. At the moment we are running the lastest stable version 2.5.0.

Usecase: Set profiles to private after user-creation via web-hook and let the user’s decide on their own, if they want to make their profile public.

Any hints?

Thanks,
Thomas

Falco · July 6, 2020, 3:08pm

API Keys now need to be set as headers instead of URL parameters. Check docs.discourse.org for details.

tschuerle · July 6, 2020, 3:20pm

Oh, I missed that. It’s working with that
Thank you @Falco

system · August 5, 2020, 3:20pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need Help updating profile info via API Dev rest-api	7	320	May 4, 2024
"BAD CSRF" when executing PUT using API, curl, and PHP Dev rest-api	6	2221	May 4, 2024
Adding user to group from API gets "BAD CSRF" Dev rest-api	4	2538	July 19, 2017
API: cannot update user Dev rest-api	13	2212	June 3, 2017
I'm getting bad CSRF error even after setting api keys and usernames to my headers General	2	839	April 16, 2022

BAD CSRF on user modification

Related topics