CSRF Token for Api Auth with Cross Domain

Rlron · September 2, 2020, 11:23am

Hello,

we have a problem with authentification. The validatePassword method is kinda slow, and we want to change our basicAuth to session based csrf. I’ve read, that this is only possible, if the api (kirby) calls came from the same site/domain.

Therefore, session-based authentication works best when you make API calls from the frontend of the same site/domain.

Now, we’re sending the unsecure base64 auth for every api call in the frontend, which is not the way to go.

Is there a solution to do this from another domain?
We’ve created an API call to genereate a csrf token to work with, but sending this csrf token via the X-CSRF Header causes an 403 (Unauthenticated) error.

Rlron · September 2, 2020, 11:36am

'api' => [
    'allowInsecure' => true,
   // 'basicAuth' => true, //what should I do with this, if csrf is set?
        [
            'pattern' => '/randomApiBlabla',
            'method' => 'GET',
            'auth' => true,
            'action' => function() {
                return json_encode(csrf());
            }
        ],
    ]
],

Topic		Replies	Views
Multidomain setup API endpoints Questions 🤔	3	338	October 19, 2022
Disable CSRF for a route Solved ✅	2	227	April 24, 2021
Remote Authentication with JSON API Questions 🤔	1	718	April 24, 2017
Can i provide an api via subdomain? Solved ✅	1	764	August 3, 2015
Kirby ajax call from subdomain -> cross domain error	7	1109	February 17, 2022

CSRF Token for Api Auth with Cross Domain

Related Topics