
Elvis 6 REST API - Performing a POST request with a csrf token

Because of improved security measures in the REST API of Elvis 6, all data changing APIs only accept POST requests, not GET requests. Also, the POST request needs to include a cross-site request forgery (csrf) token.

Note: For a list of APIs that are affected by this, see the end of this article.

How it works

The csrf token is a unique code issued to the client at login. A data-changing POST request is only accepted when it carries this token, so a request that the browser is tricked into sending from another site (which would carry the session cookie but cannot read the token) is rejected, which makes the POST request much more secure.

The csrf token is obtained by first logging in to Elvis Server through a POST request. The response that is received will include the csrf token, which can then be used in subsequent POST requests as an HTTP header:

"X-CSRF-TOKEN: <some_csrf_token>"

Examples

The process is best explained with some examples.

Example 1 - searching for and copying an asset

This example shows how to log in, search for an asset and copy it.

The Log-in request

POST /services/login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
 
username=user&password=secret

The Log-in response

HTTP/1.1 200 OK
Set-Cookie: authToken=verylongtoken;Path=/;HttpOnly
Content-Type: application/json;charset=utf-8
 
{"loginSuccess":true,"serverVersion":"6.0.1.8","csrfToken":"AAAAAAAAAAAAAAAAAAAAAA"}

The Search request

GET /services/search?q=id:nonexisting HTTP/1.1
Cookie: authToken=verylongtoken

The Search response

HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
 
{"firstResult":0,"maxResultHits":50,"totalHits":0,"hits":[],"facets":{}}

The Copy request

POST /services/copy HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-CSRF-TOKEN: AAAAAAAAAAAAAAAAAAAAAA
 
source=/Users/user/upload/test.jpg&target=/Users/user/upload/test-copy.jpg

The Copy response

HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
 
{"processedCount":1,"errorCount":0}

A Copy request with an invalid csrf token

POST /services/copy HTTP/1.1
Content-Type: application/x-www-form-urlencoded
X-CSRF-TOKEN: BBBBBBBBBBBBBBBBBBBBBB
 
source=/Users/user/upload/test.jpg&target=/Users/user/upload/test-copy.jpg

A Copy response with an invalid csrf token

HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8
 
{"errorname":"FORBIDDEN","message":"Csrf token check failed","errorcode":403}
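The login, search and copy exchange above, carried out end to end by a small client, as an added example that is not part of the original article or of WoodWing's own code. It talks to a stand-in server (included, constructed for this example) that reproduces the responses shown above; the token values, the user name and the asset paths are the constructed ones from the requests above, not real Elvis values. The client keeps the authToken cookie and the csrf token from the login response and sends both on every data-changing POST, and it checks the JSON body for an error, because a failed csrf check comes back as HTTP 200 with errorcode 403 rather than as an HTTP 403 status.

```python
import json
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in values; real tokens are issued by Elvis Server at login.
FAKE_AUTH_TOKEN = "verylongtoken"
FAKE_CSRF_TOKEN = "AAAAAAAAAAAAAAAAAAAAAA"


class FakeElvisHandler(BaseHTTPRequestHandler):
    """Stand-in server reproducing the login/copy exchange from the article."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send_json(self, body, extra_headers=()):
        data = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json;charset=utf-8")
        for name, value in extra_headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _send_empty(self, status):
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _form(self):
        length = int(self.headers.get("Content-Length", "0"))
        return dict(urllib.parse.parse_qsl(self.rfile.read(length).decode()))

    def do_GET(self):
        self._send_empty(405)  # data-changing APIs accept POST only

    def do_POST(self):
        if self.path == "/services/login":
            form = self._form()
            if form.get("username") == "user" and form.get("password") == "secret":
                cookie = f"authToken={FAKE_AUTH_TOKEN};Path=/;HttpOnly"
                self._send_json({"loginSuccess": True, "csrfToken": FAKE_CSRF_TOKEN},
                                [("Set-Cookie", cookie)])
            else:
                self._send_json({"loginSuccess": False})
        elif self.path == "/services/copy":
            if f"authToken={FAKE_AUTH_TOKEN}" not in self.headers.get("Cookie", ""):
                self._send_empty(401)  # constructed: no session cookie at all
            elif self.headers.get("X-CSRF-TOKEN") != FAKE_CSRF_TOKEN:
                # As on the page: HTTP 200 with an error body, not an HTTP 403.
                self._send_json({"errorname": "FORBIDDEN",
                                 "message": "Csrf token check failed", "errorcode": 403})
            else:
                self._send_json({"processedCount": 1, "errorCount": 0})
        else:
            self._send_empty(404)


class ElvisClient:
    """Carries the authToken cookie and the csrf token across POST requests."""

    def __init__(self, base_url):
        self.base_url = base_url
        self.cookie = None
        self.csrf_token = None

    def _post(self, path, form):
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        if self.cookie:
            headers["Cookie"] = self.cookie
        if self.csrf_token:
            headers["X-CSRF-TOKEN"] = self.csrf_token
        request = urllib.request.Request(
            self.base_url + path, data=urllib.parse.urlencode(form).encode(),
            headers=headers, method="POST")
        with urllib.request.urlopen(request) as response:
            set_cookie = response.headers.get("Set-Cookie")
            if set_cookie:
                self.cookie = set_cookie.split(";", 1)[0]  # keep "authToken=..." only
            return json.loads(response.read().decode())

    def login(self, username, password):
        body = self._post("/services/login", {"username": username, "password": password})
        if not body.get("loginSuccess"):
            raise RuntimeError("login failed")
        self.csrf_token = body["csrfToken"]  # reused as X-CSRF-TOKEN from now on
        return body

    def copy(self, source, target):
        body = self._post("/services/copy", {"source": source, "target": target})
        if body.get("errorcode") == 403:  # the status line alone says nothing here
            raise PermissionError(body.get("message", "forbidden"))
        return body


def run_demo():
    """Log in, copy with the issued token, then retry with a wrong token."""
    server = HTTPServer(("127.0.0.1", 0), FakeElvisHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        client = ElvisClient(f"http://127.0.0.1:{server.server_port}")
        client.login("user", "secret")
        src, dst = "/Users/user/upload/test.jpg", "/Users/user/upload/test-copy.jpg"
        accepted = client.copy(src, dst)
        client.csrf_token = "BBBBBBBBBBBBBBBBBBBBBB"  # the invalid token from the article
        try:
            client.copy(src, dst)
            rejected = None
        except PermissionError as exc:
            rejected = str(exc)
        return accepted, rejected
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the second half of the demo is the check in copy(): because Elvis reports the failed csrf check inside a 200 response, a client that only tests the HTTP status will treat the rejected copy as a success.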

Example 2 - installing the Elvis 6 demo files

Installing the Elvis 6 demo files is another case in which a POST request that includes a csrf token is used. For more information, see Installing demo files for Elvis 6.

APIs that only accept POST requests

The following table shows Elvis 6 APIs that only accept POST requests.

API                  Path
checkout             /services/checkout/<assetId>
copy                 /services/copy
create               /services/create
createAuthKey        /services/createAuthKey
create folder        /services/createFolder
create relation      /services/createRelation
login                /services/login
logout               /services/logout
log usage stats      /services/logUsage
move / rename        /services/move
profile              /services/profile
remove               /services/remove
remove relation      /services/removeRelation
revokeAuthKeys       /services/revokeAuthKeys
undo checkout        /services/undocheckout/<assetId>
update               /services/update
updateAuthKey        /services/updateAuthKey
updatebulk           /services/updatebulk

Also affected is the way to install the Elvis 6 demo files. For more information, see Installing demo files for Elvis 6.