  1. Ibexa IBX
  2. IBX-6044

REST API with JWT authentication not working


    Description

      Steps to reproduce

      1. Install Ibexa DXP v4.5
      2. Configure JWT auth - https://doc.ibexa.co/en/4.5/infrastructure_and_maintenance/security/development_security/#jwt-authentication
      3. Log in via the API to the platform - https://doc.ibexa.co/en/4.5/api/rest_api/rest_api_authentication/#usage-example
      4. Try to use any endpoint where the method is not one of GET, HEAD, OPTIONS, e.g. https://doc.ibexa.co/en/latest/api/rest_api/rest_api_reference/rest_api_reference.html#product-catalog-create-attribute

       

      Result

      In response to the request, we get a 401 error with the message:

      "The User does not have the 'POST /api/ibexa/v2/product/catalog/attributes' 'Missing or invalid CSRF token' permission"

       

      Expected Result

      When using JWT, the CSRF token should not be validated.

       

      Note

      After a short analysis, it turns out that this subscriber ibexa/cart/src/bundle/EventSubscriber/SecurityLoginSubscriber.php starts sessions to check if there are any products in the session basket, which means that CSRFListener does not skip
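The interaction described in the Note, as a small Python model (an added example, not Ibexa code). It assumes the CSRF check is skipped only for safe methods or when no session is running, and the names `Request`, `login_subscriber`, `observed`, `expected` and the `X-CSRF-Token` header are illustrative assumptions.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # methods the ticket lists as unaffected


@dataclass
class Request:
    method: str
    auth: str                      # "jwt" (Authorization header) or "session" (cookie)
    headers: dict = field(default_factory=dict)
    session_started: bool = False
    session_token: Optional[str] = None


def login_subscriber(req: Request) -> Request:
    """Side effect from the Note: looking up the session basket starts a session."""
    req.session_started = True
    req.session_token = "constructed-session-token"  # constructed sample value
    return req


def token_ok(req: Request) -> bool:
    """Constant-time comparison; an empty or missing token never matches."""
    sent = req.headers.get("X-CSRF-Token", "")
    return bool(sent) and bool(req.session_token) and hmac.compare_digest(sent, req.session_token)


def observed(req: Request) -> int:
    """Reported behaviour: validation is skipped only when no session is running."""
    if req.method in SAFE_METHODS or not req.session_started:
        return 200
    return 200 if token_ok(req) else 401


def expected(req: Request) -> int:
    """Expected behaviour: a JWT-authenticated request is never CSRF-validated."""
    if req.auth == "jwt":          # keyed on the authenticator used, not on a header being present
        return 200
    return observed(req)           # cookie/session requests keep CSRF protection
```

The model keys the exemption on how the request was authenticated, so session-cookie requests still need a valid token.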

            People

              Unassigned Unassigned
              mateusz.debinski@ibexa.co Mateusz Dębiński