Details
- Bug
- Resolution: Fixed
- Medium
- 4.5.0
- None
- Yes
Description
Steps to reproduce
- Install Ibexa DXP v4.5
- Configure JWT auth - https://doc.ibexa.co/en/4.5/infrastructure_and_maintenance/security/development_security/#jwt-authentication
- Login via API to the platform - https://doc.ibexa.co/en/4.5/api/rest_api/rest_api_authentication/#usage-example
- Try to call any endpoint whose method is not one of GET, HEAD or OPTIONS, e.g. https://doc.ibexa.co/en/latest/api/rest_api/rest_api_reference/rest_api_reference.html#product-catalog-create-attribute
Result
In response to the request, we get a 401 error with the message:
"The User does not have the 'POST /api/ibexa/v2/product/catalog/attributes' 'Missing or invalid CSRF token' permission"
Expected Result
When JWT authentication is used, the CSRF token should not be validated.
Note
After a short analysis, it turns out that the subscriber ibexa/cart/src/bundle/EventSubscriber/SecurityLoginSubscriber.php starts a session to check whether there are any products in the session basket, which means that CSRFListener does not skip
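A request subscriber that bases the skip decision on the credential the client presented rather than on whether some other listener happened to start a session, added here as an illustration and not Ibexa's own CsrfListener; it assumes a Symfony application with symfony/http-foundation, symfony/http-kernel and symfony/event-dispatcher installed, and the header name, session key and listener priority are assumptions:

```php
<?php
declare(strict_types=1);

// Added example, not Ibexa's CsrfListener. Requires symfony/http-foundation,
// symfony/http-kernel and symfony/event-dispatcher (installed via Composer).
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\KernelEvents;

final class StatelessAwareCsrfSubscriber implements EventSubscriberInterface
{
    private const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];
    private const HEADER = 'X-CSRF-Token';      // assumed header name
    private const SESSION_KEY = '_csrf/rest';   // assumed session key

    public static function getSubscribedEvents(): array
    {
        // Priority 7: after the security firewall (priority 8) has run.
        return [KernelEvents::REQUEST => ['onKernelRequest', 7]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest()
            || in_array($request->getMethod(), self::SAFE_METHODS, true)) {
            return;
        }
        // A bearer token is a stateless credential that a cross-site form
        // cannot attach, so CSRF protection does not apply to it, even when a
        // session exists for unrelated reasons (e.g. a cart stored in session).
        if (self::usesBearerToken($request)) {
            return;
        }
        // Without a started session there is no cookie-based login to protect.
        if (!$request->hasSession() || !$request->getSession()->isStarted()) {
            return;
        }
        $expected = $request->getSession()->get(self::SESSION_KEY);
        $given = $request->headers->get(self::HEADER, '');
        if (!is_string($expected) || $expected === '' || !hash_equals($expected, $given)) {
            throw new AccessDeniedHttpException('Missing or invalid CSRF token');
        }
    }

    public static function usesBearerToken(Request $request): bool
    {
        return stripos($request->headers->get('Authorization', ''), 'Bearer ') === 0;
    }
}
```

The skip is only safe if the firewall actually authenticates from the Authorization header when one is present and rejects the request on an invalid token instead of falling back to the session cookie; in a real deployment, tie the check to the security token type produced by the JWT authenticator rather than to the raw header alone.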