sagos95
commented
4 months ago Turned out that the server doesn't require some token itself, instead it requires just X-Requested-With: XMLHttpRequest header header for consequent requests and that's it.
Though I found a solution, a true CSRF protection mechanism works different and involves generating a unique, random token for each session (or request). This token is then included in forms or API requests and validated on the server side. The method I saw in the application source code is much simpler and less secure, so I can't say that this is "CSRF token check fail" literally. I'd rather call this a bug.
PS: The source code checks if the X-Requested-With header is set to XMLHttpRequest value. If this header is present, the request is considered valid
Steps to reproduce the behavior
docker run -it -p 80:8000 mattermost/focalboardhttp://localhost:80/api/v2/loginwithX-Requested-With: XMLHttpRequestheader and obtain so calledtoken. No any additional info was returned (no additilnal headers, etc)http://localhost:80/api/v2/teamsExpected behavior
loginmethod so I could use it with consequent requests orEdition and Platform
Additional context (optional)
I also tried suggestions from previous issue 4420, but when I'm using API version any instead of v2, I'm getting some HTTP 200 response with HTML content which I could say tries to say that there is an error: