Change record status: 
Project: 
Introduced in branch: 
8.2.x
Introduced in version: 
8.2.0
Description: 

Available resources and configuration

New RPC web service endpoints are now provided by default. REST clients can use them to handle user account login processes.

How to interact with the new endpoints

curl \
  --header "Content-type: application/json" \
  --request POST "http://drupal.d8/user/login?_format=json"

should give "Missing credentials"

curl \
  --header "Content-type: application/json" \
  --request POST "http://drupal.d8/user/login?_format=json" \
  --data '{"name":"admin"}'

should give "Missing credentials.pass."

curl \
  --header "Content-type: application/json" \
  --request POST "http://drupal.d8/user/login?_format=json" \
  --data '{"name":"admin", "pass":"admin"}'

should give "You are logged in as admin".

curl \
  --header "Content-type: application/json" \
  --request GET "http://drupal.d8/user/login_status?_format=json"

To make this work, you need to manage the cookie from 'login' (store the session cookie it sets and send it with this request).

curl \
  --header "Content-type: application/json" \
  --header "X-CSRF-Token: <csrf_token>" \
  --request POST "http://drupal.d8/user/logout?_format=json&token=<logout_token>"

gives "Logged out!"

curl \
  --header "Content-type: application/json" \
  --request POST "http://drupal.d8/user/password?_format=json" \
  --data '{"name": "admin"}'

Should return "200 OK" and trigger a password reset email to be sent to the email address of the provided user account.

curl \
  --header "Content-type: application/json" \
  --request POST "http://drupal.d8/user/password?_format=json" \
  --data '{"mail": "test@example.com"}'

As above but using email address instead of username.

Note: When you enable the serialization module you get more than just JSON.
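
The sequence above as one script, added here as an example and not part of the original change record: it keeps the session cookie in a jar for `login_status` and `logout`, and feeds the `csrf_token` and `logout_token` fields of the login response (shown in the comments below) into the logout call. `BASE_URL`, `JAR` and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the change record): cookie-aware login/status/logout.
# BASE_URL and JAR are assumptions; use https:// outside a local test site.
BASE_URL="${BASE_URL:-http://drupal.d8}"
JAR="${JAR:-./drupal-session.cookies}"

# Escape backslashes and double quotes so a value is safe inside a JSON string
# (control characters are not handled).
json_escape() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Build the login body from a name ($1) and a password ($2).
login_body() {
  printf '{"name":"%s","pass":"%s"}' "$(json_escape "$1")" "$(json_escape "$2")"
}

# Extract one string field ($2, e.g. csrf_token) from the login response JSON ($1).
json_field() {
  printf '%s' "$1" | tr -d '\n' |
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# POST /user/login; the body goes over stdin so the password is not in argv.
drupal_login() {
  ( umask 077   # the cookie jar holds the session id: owner-only permissions
    login_body "$1" "$2" | curl --silent --cookie-jar "$JAR" \
      --header "Content-type: application/json" \
      --request POST "$BASE_URL/user/login?_format=json" --data @- )
}

# GET /user/login_status with the stored cookie.
drupal_login_status() {
  curl --silent --cookie "$JAR" "$BASE_URL/user/login_status?_format=json"
}

# POST /user/logout with both tokens from the login response ($1), then
# delete the jar so the dead session id does not linger on disk.
drupal_logout() {
  curl --silent --cookie "$JAR" \
    --header "Content-type: application/json" \
    --header "X-CSRF-Token: $(json_field "$1" csrf_token)" \
    --request POST \
    "$BASE_URL/user/logout?_format=json&token=$(json_field "$1" logout_token)"
  rm -f "$JAR"
}

# Typical use:
#   resp=$(drupal_login admin "$PASS"); drupal_login_status; drupal_logout "$resp"
```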

Impacts: 
Module developers
Updates Done (doc team, etc.)
Online documentation: 
Not done
Theming guide: 
Not done
Module developer documentation: 
Not done
Examples project: 
Not done
Coder Review: 
Not done
Coder Upgrade: 
Not done
Other: 
Other updates done

Comments

ashzade’s picture

No matter what I do, I get 403 in postman. I've checked all my permissions and have all the REST modules on.

vasike’s picture

It doesn't seem to work.
On 8.2.1 I'm getting the html pages as responses.
Both with line commands and postman.

Argonitas’s picture

It should be /user/login?_format=json on newer versions, instead of the Accept header. Would be nice if somebody could update the docs.

blainelang’s picture

For Login: Send the JSON encoded body for the POST as raw to {siteurl}/user/login?_format=json
{"name":"admin", "pass":"password"}

Example response:

{
  "current_user": {
    "uid": "1",
    "roles": [
      "authenticated",
      "administrator"
    ],
    "name": "admin"
  },
  "csrf_token": "8iny52OSS0Gp5bSxzKFx9Q4k6C5u8JVyFHBAvHugUBM",
  "logout_token": "dBqI0_DaAQUHZodxzpkDJcpI5D_hVJPRxXj12UNk5aU"
}

If you try to login again, you will get 403 - access denied. You either need to logout or clear the SESSIONS table.

Logout: Need to include the logout token

  • {siteurl}/user/logout?_format=json&token=dBqI0_DaAQUHZodxzpkDJcpI5D_hVJPRxXj12UNk5aU
  • Success is a HTTP Response code of 204. Your SESSIONS record is now deleted and you can login again.

The /user/login_status call will return a 1 for logged on or 0 for logged out.

You can review the User module class that is responsible for more insight - /core/modules/user/src/Controller/UserAuthenticationController.php

Focusing on Business Applications but heck we do anything Drupal

adityaj’s picture

{siteurl}/user/logout?_format=json&token=dBqI0_DaAQUHZodxzpkDJcpI5D_hVJPRxXj12UNk5aU logout not working any more. I always get error {"message":"The \u0022user\u0022 parameter was not converted for the path \u0022\/user\/{user}\u0022 (route name: \u0022rest.entity.user.GET\u0022)"}

FiNeX’s picture

I'm experiencing the same bug :-(

PQ’s picture

Added info about user/password route and corrected the path of that route in the title.

Sardis’s picture

curl \
  --header "Content-type: application/json" \
  --request POST "http://drupal.d8/user/login?_format=json"

Actually gives The website encountered an unexpected error. Please try again later.
Which is in db log noted as:
Symfony\Component\Serializer\Exception\NotEncodableValueException: Syntax error in Symfony\Component\Serializer\Encoder\JsonDecode->decode() (line 78 of /var/www/intarsia_platform/packages/symfony/serializer/Encoder/JsonDecode.php).

So instead we should pass an empty JSON object as the --data option, e.g.

curl \
  --header "Content-type: application/json" \
  --request POST "http://drupal.d8/user/login?_format=json" \
  --data '{}'

abhaypai’s picture

Some issue for me, not able to logout; though through postman it works as expected but when it comes to javascript post request it fails and returns 403, with message of 'csrf_token' URL query argument is invalid.

axios.post('durpal-url/user/logout', {}, {
          'headers': {
            'Content-Type': 'application/json',
            'X-CSRF-Token' : getTokenCSRF,
          },
          'params': {
            '_format': 'json',
            'token': getTokenLogout,
          },
          'withCredentials': true,
})

not sure what should be the request, documentation only shows bit information.
https://www.drupal.org/docs/8/core/modules/rest/javascript-and-drupal-8-...

Any help would be appreciated.

Thanks.

abhaypai’s picture

I have updated document here https://www.drupal.org/docs/8/core/modules/rest/javascript-and-drupal-8-...
If request is cross domain it should have withCredentials: true for at least login and logout.

JAINV18’s picture

Can anyone help me from calling backend(Drupal) from frontend(react) with cookies enabled. Currently the GET request is considered as Anonymous request in the logs in Drupal and it redirects to access denied page. Please help

JAINV18’s picture

Posting this solution for anyone facing this issue - please use withCredentials: true in headers to save the Cookies.

JAINV18’s picture

Hi,

I am trying logout with all the possible solutions given here - still unable to logout. Getting a 403 error message and {"message":"\u0027csrf_token\u0027 URL query argument is invalid."} error message.

JAINV18’s picture

Hi,

I resolved it by using below code, posting this for someone who might face this issue.

I am using this piece of code in React which works -

logout = async (tokenContext) => {
  const options = {
    headers: {
      'X-CSRF-Token': ,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    withCredentials: true
  }
  try {
    return await axios.post(`${}/user/logout?_format=json&token=${}`, null, options);
  } catch (e) {
    return e;
  }
}

Few things to point out -
1. It is working with query parameters, not with data or request payload
2. It is a POST request, tried using GET and query parameters but doesn't work
3. Changed Content-Type to 'application/x-www-form-urlencoded', works fine.
4. If at all it doesn't work, please do check the Cookie header in the Request Headers, it is a must to make this call successful.
5. Response is empty with status code 204, the cookie of Drupal is deleted or discarded.