Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Sails JS forbidden POST request

I'm trying to learn Sails JS and obviously REST API.

I've created a user model wich I think works fine (it communicates datas with my db). I've also created a signup controller with 4 needed inputs to store a new record in my user collection. (Some other datas are generated by this controller to complete the record at the moment of the registration)

I would like to test this controller with POSTMAN, so I go to my routes.js and see :

'POST  /api/v1/entrance/signup': { action: 'entrance/signup' },

But when i enter a POST request at 192.168.1.13:1338/api/v1/entrance/signup with my 4 needed inputs declared I have this answer : Forbidden

I don't know what I do wrong. I've also enabled rest, shortcuts and actions in my blueprints.js

Does someone has an idea ? :)

like image 234
qvdp Avatar asked Mar 09 '18 20:03

qvdp


2 Answers

The issue is indeed related to cross-site request forgery, but disabling the corresponding security rule altogether is quite obviously not a solution. CSRF and its treatment in sailsjs are well described in the corresponding part of the manual. In short, for POSTs to work you have to include _csrf in your requests. E.g. in a view template:

<form>
   <input type="hidden" name="_csrf" value="<%- _csrf %>" />
</form>
like image 104
alephreish Avatar answered Oct 09 '22 02:10

alephreish


As said below, removing CSRF protection is not an answer as it may expose the api to a security breach. I currently use JWT but it doesn't seems to be as secure as CSRF token so the only right way is to include the token in every HTTP's request header.

like image 41
qvdp Avatar answered Oct 09 '22 03:10

qvdp