Since version 3.4, the Services module requires sending the X-CSRF-Token header when methods which use authentication and POST/PUT/DELETE are called.
For more information read this:
https://drupal.org/node/2012982
It seems that Services Client still doesn't support the X-CSRF-Token header, which makes it incompatible with the latest versions of the Services module.
Comment | File | Size | Author |
---|---|---|---|
#10 | services_client-csrf_token_support-2140101-10.patch | 2.24 KB | ndobromirov |
#2 | csrf_token_support-2140101-2.patch | 2.77 KB | mhrabovcin |
#1 | csrf_token_support-2140101-1.patch | 1.44 KB | boyan.borisov |
Comments
Comment #1
boyan.borisov commented
I made a patch which adds X-CSRF-Token header support. I also added a Drupal variable called 'services_client_connection_token_enabled' whose default value is '1'. If you want the Services Client module to be able to work with Services module <= 3.3, you should set the variable to '0'.
Comment #2
mhrabovcin commented
Thanks for the patch. I've changed it a little bit to support a per-connection setting rather than a global setting, as your site can be connected to two different sites while one is on 3.3 and the other on 3.5.
Comment #3
boyan.borisov commented
Hi mhrabovcin,
I agree with you that it will be nice to have usage of the token as a setting.
The problem in your patch is that this setting is available only when Session Authentication is enabled. But what about when the client doesn't use authentication at all...
I think that the setting should be part of the connection itself. Maybe a new column in the services_client_connection table? What is your opinion? I am ready to make the patch if you think that it makes sense.
Comment #4
mhrabovcin commented
I think that X-CSRF-Token is limited only to session authentication. When you're using OAuth or Basic auth, the token isn't required.
Comment #5
boyan.borisov commented
mhrabovcin,
You are completely right ;)
Comment #6
boyan.borisov commented
Actually I tested your patch and it works fine. Waiting to see it in the dev version...
Comment #7
boyan.borisov commented
Hi @mhrabovcin,
Is there any stopper to apply the patch on the dev branch?
Comment #8
mhrabovcin commented
Sorry, it slipped out of my mind.
Committed.
http://drupalcode.org/project/services_client.git/commit/afe26135ef7df7d...
There is also a new version, 2.x, which contains the same patch.
Comment #9
mhrabovcin commented
Comment #10
ndobromirov commented
It works great!
This is just a typo fix for CSRF. It was misspelled in some places as CSFR :).
Uploading a patch.
Comment #11
mhrabovcin commented
Your patch is committed to 7.x-1.x. The correct version had been added to 7.x-2.x originally. Thanks!
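
The rule this thread settles on (send the header only for session-authenticated POST/PUT/DELETE calls, with a per-connection switch for remote sites on Services 3.3 or older), written out as an added PHP example that is not part of the thread or of the committed patches. The connection array keys and the token-fetching callable are hypothetical; how the token is obtained from the remote site is left to that callable.

```php
<?php
// Added example; not code from the Services Client patches in this issue.
// The connection keys ('name', 'auth', 'token_enabled') and the $fetch_token
// callable are hypothetical names chosen for this sketch.

function example_csrf_headers(array $conn, string $method, callable $fetch_token): array {
  static $cache = array();

  // The issue names POST/PUT/DELETE as the methods that need the header.
  if (!in_array(strtoupper($method), array('POST', 'PUT', 'DELETE'), TRUE)) {
    return array();
  }
  // Comment #4: only session authentication needs it, not OAuth or Basic auth.
  if ($conn['auth'] !== 'session') {
    return array();
  }
  // Comment #2: per-connection switch for remote sites on Services <= 3.3.
  if (empty($conn['token_enabled'])) {
    return array();
  }
  // Fetch once per connection; a new login session needs a fresh token.
  if (!isset($cache[$conn['name']])) {
    $token = trim((string) $fetch_token($conn));
    // The token comes from a remote response: refuse empty values and
    // anything that could break out of the header line.
    if ($token === '' || preg_match('/[\r\n]/', $token)) {
      throw new RuntimeException("Unusable CSRF token for '{$conn['name']}'");
    }
    $cache[$conn['name']] = $token;
  }
  return array('X-CSRF-Token' => $cache[$conn['name']]);
}

// Constructed sample data: two remote sites and a stand-in token fetcher.
$fetches = 0;
$fetch = function (array $conn) use (&$fetches) {
  $fetches++;
  return "constructed-token-for-{$conn['name']}\n";
};
$new_site = array('name' => 'site_a', 'auth' => 'session', 'token_enabled' => 1);
$old_site = array('name' => 'site_b', 'auth' => 'session', 'token_enabled' => 0);

var_dump(example_csrf_headers($new_site, 'GET', $fetch));    // read request
var_dump(example_csrf_headers($new_site, 'post', $fetch));   // write request
var_dump(example_csrf_headers($new_site, 'DELETE', $fetch)); // second write, same connection
var_dump(example_csrf_headers($old_site, 'PUT', $fetch));    // remote on Services <= 3.3
var_dump($fetches);                                          // how often the fetcher ran
```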