Since version 3.4, the Services module requires sending an X-CSRF-Token header when methods that use authentication and POST/PUT/DELETE are called.
For more information read this:
https://drupal.org/node/2012982

It seems that the Services Client still doesn't support the X-CSRF-Token header, which makes it incompatible with the latest versions of the Services module.


Comments

boyan.borisov’s picture

Status: Active » Needs review
FileSize
1.44 KB

I made a patch which adds X-CSRF-Token header support. I also added a Drupal variable called 'services_client_connection_token_enabled' whose default value is '1'. If you want the Services Client module to be able to work with Services module <= 3.3, you should set the variable to '0'.

mhrabovcin’s picture

Thanks for the patch. I've changed it a little bit to support a per-connection setting rather than a global setting, as your site can be connected to two different sites while one is on 3.3 and the other on 3.5.

boyan.borisov’s picture

Status: Needs review » Needs work

Hi mhrabovcin,
I agree with you that it would be nice to have the usage of the token as a setting.
The problem with your patch is that this setting is available only when Session Authentication is enabled. But what about when the client doesn't use authentication at all...
I think that the setting should be part of the connection itself. Maybe a new column in the services_client_connection table? What is your opinion? I am ready to make the patch if you think that it makes sense.

mhrabovcin’s picture

I think that X-CSRF-Token is limited only to session authentication. When you're using OAuth or Basic auth, the token isn't required.

boyan.borisov’s picture

Status: Needs work » Needs review

mhrabovcin,

You are completely right ;)

boyan.borisov’s picture

Status: Needs review » Reviewed & tested by the community

Actually, I tested your patch and it works fine. Waiting to see it in the dev version...

boyan.borisov’s picture

Hi @mhrabovcin,

Is there any blocker to applying the patch on the dev branch?

mhrabovcin’s picture

Sorry, it slipped my mind.

Committed.

http://drupalcode.org/project/services_client.git/commit/afe26135ef7df7d...

There is also a new version 2.x which contains the same patch.

mhrabovcin’s picture

Status: Reviewed & tested by the community » Closed (fixed)

ndobromirov’s picture

Priority: Critical » Minor
Status: Closed (fixed) » Reviewed & tested by the community
FileSize
2.24 KB

It works great!
This is just a typo fix for CSRF. It was misspelled in some places as CSFR :).

Uploading a patch.

mhrabovcin’s picture

Status: Reviewed & tested by the community » Fixed

Your patch is committed to 7.x-1.x. The correct version was added to 7.x-2.x originally. Thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.
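
The header rule this thread settles on (X-CSRF-Token sent only for session-authenticated POST/PUT/DELETE, switchable per connection for remote sites still on Services 3.3 or older), shown as an added Python example that is not the Services Client module's code. `Connection`, `FakeServices`, the 401/200 return values and the cookie and token values are constructed for illustration, and the server model runs in memory with no network access.

```python
from dataclasses import dataclass

UNSAFE_METHODS = {"POST", "PUT", "DELETE"}

@dataclass
class Connection:               # hypothetical model of one configured connection
    auth: str                   # "session", "oauth", "basic" or "none"
    send_token: bool = True     # per-connection switch; False for Services <= 3.3
    cookie: str = ""            # session cookie obtained at login
    token: str = ""             # cached CSRF token for this session

def needs_token(conn, method):
    """Token is sent only for session auth on state-changing methods."""
    return (conn.send_token and conn.auth == "session"
            and method.upper() in UNSAFE_METHODS)

def build_headers(conn, method, fetch_token):
    headers = {}
    if conn.auth == "session" and conn.cookie:
        headers["Cookie"] = conn.cookie
    if needs_token(conn, method):
        if not conn.token:                  # fetch once, then reuse
            conn.token = fetch_token(conn)
        headers["X-CSRF-Token"] = conn.token
    return headers

class FakeServices:
    """Constructed stand-in for the remote site; no network involved."""
    def __init__(self, enforce_csrf):
        self.enforce_csrf = enforce_csrf            # True models Services >= 3.4
        self.tokens = {"SESSdemo=1": "demo-token"}  # constructed sample values
        self.token_requests = 0

    def issue_token(self, conn):
        self.token_requests += 1
        return self.tokens[conn.cookie]

    def handle(self, method, headers):
        cookie = headers.get("Cookie")
        if self.enforce_csrf and cookie and method.upper() in UNSAFE_METHODS:
            if headers.get("X-CSRF-Token", "") != self.tokens.get(cookie):
                return 401                          # request rejected
        return 200

def call(server, conn, method):
    return server.handle(method, build_headers(conn, method, server.issue_token))
```

A session connection with `send_token=False` pointed at an enforcing server is the failure this issue reports: reads succeed while every write is rejected.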