hjalali
May 31, 2020, 10:31pm
1
I have a very simple function that “should” work but it is not for some reason. Can someone help me understand what we are doing wrong.
We keep getting the “BAD CSRF” error.
public function changeName()
{
$url = 'https://www.website.com/{username}.json';
$data = ['name'=>'James', 'api_key'=>DISCOURSE_API, 'api_username'=>'system'];
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PUT");
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type:multipart/form-data'));
curl_setopt($ch, CURLOPT_POSTFIELDS,http_build_query($data));
echo $response = curl_exec($ch);
if (!$response)
{
return false;
}
}
By the way I already tried moving the api_key and api_username to the URL above as GET but no difference.
1 Like
simon
May 31, 2020, 11:49pm
2
You need to put the Api-Key and Api-Username values in the request header. There’s a curl example near the end of this topic that could be helpful: Sync SSO user data with the sync_sso route .
5 Likes
hjalali
June 1, 2020, 12:16am
3
Thanks a lot! That did the trick.
For anyone else with the same problem:
$url = 'https://www.website.com/{username}.json';
$data = ['name'=>'George'];
$api_key = CUSTOM_DISCOURSE_API;
$headers = array("Content-Type: multipart/form-data;","Api-Key: $api_key","Api-Username: system",);
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "PUT");
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers );
curl_setopt($ch, CURLOPT_POSTFIELDS,http_build_query($data));
$result = curl_exec( $ch );
if ( curl_errno( $ch ) !== 0 ) {
// Handle error, call curl_close( $ch ) and return.
}
curl_close( $ch );
$discourse_user = json_decode( $result );
4 Likes
hjalali
June 1, 2020, 12:29am
4
Just to add to that, if someone needs to update a “user_field” replace the $data with this:
$data = ['user_fields' => ['1' => 'Something']];
The number “1” being the first user_field I created (as they are assigned by number not name).
2 Likes
brospars
October 5, 2021, 9:32am
5
Since when it’s mandatory ?
blake
October 5, 2021, 3:39pm
6
On April 6th, 2020 we dropped support for all non-HTTP header based authentication (excluding some rss, mail-receiver, and ics routes). This means that API requests that have an api_key and api_username in the query params or in the HTTP body of the request will soon stop working.
Sorry about any issues this caused, we did do a slow roll out of this change and notified people the best we could, but its hard to catch every deprecation use.
2 Likes