nextcloud / cms_pico

🗃 Integrate Pico CMS and let your users manage their own websites
https://apps.nextcloud.com/apps/cms_pico
GNU Affero General Public License v3.0

API call with CSRF check failed #211

Closed scubajeff closed 1 year ago

scubajeff commented 1 year ago

Hi,

Is this API, "/personal/websites", supposed to be called by a 3rd-party app to manage a user's sites? How do I avoid getting a "CSRF check failed" result when calling it?

PhrozenByte commented 1 year ago

Pico CMS for Nextcloud provides no public API. However, you can surely write your own stuff, but don't expect the API to be stable, it might change at any point. You'll have to acquire a CSRF token the same way as with any other Nextcloud App, nothing special here.

scubajeff commented 1 year ago

I'm working on the photo album app Les Pas for Nextcloud. It already has the ability to share albums among Nextcloud users. With the help of Pico, I believe it's possible to implement a public-facing photo blog feature. To make it easy for the end user to generate/maintain a blog site/page, I really need an API to manage sites in Pico.

PhrozenByte commented 1 year ago

We're very happy to accept pull requests if you're willing to take responsibility for it in future versions :+1:

scubajeff commented 1 year ago

The current '/personal/websites' route is quite enough for what I'm planning to do. I just need to figure out the way of acquiring a CSRF token, since I'm not calling this API from a browser or PHP, but from Android using the OkHttp library. The Nextcloud OCS API does have a header option, "OCS-APIRequest: true", to facilitate this.

scubajeff commented 1 year ago

I think at least for the 'name' => 'Websites#getPersonalWebsites', 'url' => '/personal/websites', 'verb' => 'GET' endpoint, since it's a GET method call, we should put the @NoCSRFRequired annotation in its controller.

PhrozenByte commented 1 year ago

Whether CSRF protection is required or not doesn't depend on the HTTP method used, but on whether state is changed or not. Even though it is true that the Websites#getPersonalWebsites route currently doesn't change state and thus doesn't require CSRF protection, it still yields the burden that this will never change in the future. Again, this is no public API and is not intended to be exploited as a public API. Nextcloud provides an OCS API for a reason. If you need a public API, I'm very happy to accept any pull request implementing a public API if you're willing to take responsibility for it in future versions :+1:
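As an added illustration (not code from this thread, from cms_pico or from Nextcloud), the model below captures the two points made above: in Nextcloud's SecurityMiddleware the CSRF gate is driven by the @NoCSRFRequired annotation, not by the HTTP verb, and the "OCS-APIRequest: true" header only lets a request past that gate when the route belongs to an OCSController, which is why it does nothing for a plain app route such as /personal/websites. A non-browser client therefore has to do what the web UI does: keep a cookie jar, fetch a token from GET /index.php/csrftoken (assumed here to return {"token": ...} and to answer 403 until the session cookies are present), and send it back in a requesttoken header on every call. The FakeNextcloud class, its route table, the user name and the app password are constructed stand-ins written for this example; the 412 "CSRF check failed" response is what a failed check produces, hence the issue title.

```python
"""Model of Nextcloud's CSRF gate and of the token dance a non-browser
client has to perform to get past it.  Constructed illustration for
this thread: FakeNextcloud mirrors SecurityMiddleware as understood by
the example's author (an assumption), it is not project code, and the
cms_pico route is only a stand-in."""
import base64
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    ocs_controller: bool    # route handled by an OCSController subclass
    no_csrf_required: bool  # controller method carries @NoCSRFRequired


# Assumed route table.  The gate is the annotation, not the verb: the GET
# on the cms_pico route is checked exactly like the POST would be.
ROUTES = {
    ("GET", "/index.php/csrftoken"): Route(False, True),
    ("GET", "/index.php/apps/cms_pico/personal/websites"): Route(False, False),
    ("POST", "/index.php/apps/cms_pico/personal/websites"): Route(False, False),
    ("GET", "/ocs/v2.php/cloud/capabilities"): Route(True, False),
}
PICO = "/index.php/apps/cms_pico/personal/websites"


def basic_auth(user, app_password):
    return "Basic " + base64.b64encode(f"{user}:{app_password}".encode()).decode()


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)
    set_cookies: dict = field(default_factory=dict)


class FakeNextcloud:
    """One server, one Basic-auth session.  The CSRF token is bound to
    that session, which is why the client must keep a cookie jar."""

    def __init__(self, user, app_password):
        self.expected_auth = basic_auth(user, app_password)
        self.session_id = secrets.token_hex(8)
        self.requesttoken = secrets.token_urlsafe(32)  # static here; real tokens are re-encrypted per call

    def handle(self, method, path, headers, cookies):
        route = ROUTES.get((method, path))
        if route is None:
            return Response(404)
        if headers.get("Authorization") != self.expected_auth:
            return Response(401)
        issued = {"nc_session_id": self.session_id, "nc_sameSiteCookiestrict": "true"}
        # passesStrictCookieCheck(): SameSite + session cookies must already be on the request.
        strict_ok = all(cookies.get(k) == v for k, v in issued.items())
        if not route.no_csrf_required:
            passes_csrf = strict_ok and headers.get("requesttoken") == self.requesttoken
            # The OCS-APIRequest escape hatch exists only for OCS controllers.
            ocs_bypass = route.ocs_controller and headers.get("OCS-APIRequest") == "true"
            if not (passes_csrf or ocs_bypass):
                return Response(412, {"message": "CSRF check failed"}, issued)
        if path == "/index.php/csrftoken":
            if not strict_ok:  # first contact: cookies are only just being issued
                return Response(403, {}, issued)
            return Response(200, {"token": self.requesttoken}, issued)
        return Response(200, {"ok": True}, issued)


class NextcloudClient:
    """Basic auth with an app password, a cookie jar, and a cached token."""

    def __init__(self, server, user, app_password):
        self.server, self.auth = server, basic_auth(user, app_password)
        self.cookies, self.requesttoken = {}, None

    def send(self, method, path, extra=None):
        headers = {"Authorization": self.auth, **(extra or {})}
        resp = self.server.handle(method, path, headers, dict(self.cookies))
        self.cookies.update(resp.set_cookies)  # keep the session the token is bound to
        return resp

    def fetch_csrf_token(self):
        resp = self.send("GET", "/index.php/csrftoken")
        if resp.status == 403:  # retry once the cookie jar has been populated
            resp = self.send("GET", "/index.php/csrftoken")
        if resp.status != 200:
            raise RuntimeError(f"csrftoken endpoint returned {resp.status}")
        self.requesttoken = resp.body["token"]
        return self.requesttoken

    def call(self, method, path):
        if self.requesttoken is None:
            self.fetch_csrf_token()
        return self.send(method, path, {"requesttoken": self.requesttoken})


def status_with_ocs_header_only(server):
    """The OkHttp-style attempt from the thread: OCS header, no token, non-OCS route."""
    return NextcloudClient(server, "jeff", "app-password").send("GET", PICO, {"OCS-APIRequest": "true"}).status


def status_with_token(server):
    """Token dance first, then the cms_pico GET."""
    return NextcloudClient(server, "jeff", "app-password").call("GET", PICO).status


def status_ocs_route(server):
    """A genuine OCS route accepts OCS-APIRequest: true without a token."""
    c = NextcloudClient(server, "jeff", "app-password")
    return c.send("GET", "/ocs/v2.php/cloud/capabilities", {"OCS-APIRequest": "true"}).status


if __name__ == "__main__":
    srv = FakeNextcloud("jeff", "app-password")
    print(status_with_ocs_header_only(srv), status_with_token(srv), status_ocs_route(srv))
```

Against a real instance the same flow runs over HTTPS with an app password and an HTTP client that has a cookie store (OkHttp's CookieJar); because the token is bound to the session, discarding cookies between calls reproduces exactly the 412 from the issue title.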

scubajeff commented 1 year ago

I'm not familiar with PHP at all, so maintaining an API is out of my reach. Anyway, I've figured out how to call these APIs in my app; even though they aren't meant to be official, I think it's enough to keep it this way. Thanks.