Because of improved security measures in the REST API of Assets Server, all data-changing APIs only accept POST requests, not GET requests. In addition, each such POST request must include a cross-site request forgery (CSRF) token.
Note: For a list of the APIs that are affected by this, see the end of this article.
How it works
The csrf token is a unique code issued to the client at login. Because every data-changing POST request must carry it, a request that does not originate from the client that received the token cannot include the correct value and is rejected, which is what makes such a POST request much harder to forge.
The csrf token is obtained by first logging in to Assets Server through a POST request. The response includes the csrf token, which is then sent in every subsequent POST request as an HTTP header:

```http
X-CSRF-TOKEN: <some_csrf_token>
```
Examples
The process is best explained with some examples.
Example 1 - searching for and copying an asset
This example shows how to log in, search for an asset and copy it.
The Log-in request

```http
POST /services/login HTTP/1.1
Content-Type: application/x-www-form-urlencoded

username=user&password=secret
```

The Log-in response

```http
HTTP/1.1 200 OK
Set-Cookie: authToken=verylongtoken;Path=/;HttpOnly
Content-Type: application/json;charset=utf-8

{"loginSuccess":true,"serverVersion":"6.0.1.8","csrfToken":"AAAAAAAAAAAAAAAAAAAAAA"}
```
The Search request

```http
GET /services/search?q=id:nonexisting HTTP/1.1
Cookie: authToken=verylongtoken
```

The Search response

```http
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8

{"firstResult":0,"maxResultHits":50,"totalHits":0,"hits":[],"facets":{}}
```
The Copy request (the session cookie from the log-in response is sent together with the csrf token)

```http
POST /services/copy HTTP/1.1
Cookie: authToken=verylongtoken
Content-Type: application/x-www-form-urlencoded
X-CSRF-TOKEN: AAAAAAAAAAAAAAAAAAAAAA

source=/Users/user/upload/test.jpg&target=/Users/user/upload/test-copy.jpg
```

The Copy response

```http
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8

{"processedCount":1,"errorCount":0}
```
A Copy request with an invalid csrf token

```http
POST /services/copy HTTP/1.1
Cookie: authToken=verylongtoken
Content-Type: application/x-www-form-urlencoded
X-CSRF-TOKEN: BBBBBBBBBBBBBBBBBBBBBB

source=/Users/user/upload/test.jpg&target=/Users/user/upload/test-copy.jpg
```

A Copy response with an invalid csrf token (note that the HTTP status line is still 200 OK; the failure is reported in the JSON body, so clients must check `errorcode` rather than only the HTTP status)

```http
HTTP/1.1 200 OK
Content-Type: application/json;charset=utf-8

{"errorname":"FORBIDDEN","message":"Csrf token check failed","errorcode":403}
```
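The log-in, search and copy flow above, written as a small client that stores the authToken cookie and csrf token from the log-in response and attaches them to every later request. This is an added example, not WoodWing's own code or SDK: the paths, header names and JSON field names are the ones shown in this article, while the transport interface, the fake in-process server used to run it offline, the token values and the error bodies for a rejected GET or a missing cookie are constructed here for illustration. The fake server also rejects GET on the POST-only endpoints, which the table at the end of this article lists.

```python
"""Added example (not Assets Server's own code): login -> csrf token -> POST flow,
run against a constructed fake server so it works offline."""
import json
from urllib.parse import parse_qs, urlencode
from urllib import request as urlrequest

# Endpoints from the article's POST-only table that the fake server enforces.
POST_ONLY_PATHS = {"/services/login", "/services/copy", "/services/remove"}


class AssetsError(Exception):
    """Raised when the JSON body carries an errorcode (HTTP status may still be 200)."""


class AssetsClient:
    """Keeps the authToken cookie and csrf token obtained at login.
    transport(method, path, headers, body) -> (status, headers, body_text);
    the default transport uses urllib against a real server (assumption: reachable)."""

    def __init__(self, base_url, transport=None):
        self.base_url = base_url.rstrip("/")
        self.transport = transport or self._urllib_transport
        self.auth_token = None
        self.csrf_token = None

    def _urllib_transport(self, method, path, headers, body):
        req = urlrequest.Request(self.base_url + path, method=method, headers=headers,
                                 data=body.encode() if body else None)
        with urlrequest.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()

    def _call(self, method, path, params=None):
        headers, body = {}, ""
        if method == "POST":
            body = urlencode(params or {})
            headers["Content-Type"] = "application/x-www-form-urlencoded"
            if self.csrf_token:                      # data-changing call: send the token
                headers["X-CSRF-TOKEN"] = self.csrf_token
        if self.auth_token:
            headers["Cookie"] = "authToken=" + self.auth_token
        _, resp_headers, text = self.transport(method, path, headers, body)
        data = json.loads(text)
        # The article's failed-csrf response is "200 OK" with errorcode 403 in the body,
        # so the body must be inspected rather than only the HTTP status line.
        if "errorcode" in data:
            raise AssetsError(f"{data['errorcode']} {data.get('errorname')}: {data.get('message')}")
        return resp_headers, data

    def login(self, username, password):
        resp_headers, data = self._call("POST", "/services/login",
                                        {"username": username, "password": password})
        if not data.get("loginSuccess"):
            raise AssetsError("login failed")
        # Set-Cookie looks like "authToken=verylongtoken;Path=/;HttpOnly"
        self.auth_token = resp_headers["Set-Cookie"].split(";", 1)[0].split("=", 1)[1]
        self.csrf_token = data["csrfToken"]
        return self.csrf_token

    def search(self, q):
        return self._call("GET", "/services/search?" + urlencode({"q": q}))[1]

    def copy(self, source, target):
        return self._call("POST", "/services/copy", {"source": source, "target": target})[1]


class FakeAssetsServer:
    """Constructed stand-in that mirrors the article's responses (values are made up)."""
    AUTH_TOKEN = "verylongtoken"
    CSRF_TOKEN = "AAAAAAAAAAAAAAAAAAAAAA"

    @staticmethod
    def _err(code, name, message):
        return 200, {}, json.dumps({"errorname": name, "message": message, "errorcode": code})

    def __call__(self, method, path, headers, body):
        route = path.split("?", 1)[0]
        if route in POST_ONLY_PATHS and method != "POST":
            return self._err(405, "METHOD_NOT_ALLOWED", "constructed: POST required")
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if route == "/services/login":
            if (form.get("username"), form.get("password")) != ("user", "secret"):
                return 200, {}, json.dumps({"loginSuccess": False})
            return 200, {"Set-Cookie": f"authToken={self.AUTH_TOKEN};Path=/;HttpOnly"}, json.dumps(
                {"loginSuccess": True, "serverVersion": "6.0.1.8", "csrfToken": self.CSRF_TOKEN})
        if headers.get("Cookie") != "authToken=" + self.AUTH_TOKEN:
            return self._err(401, "UNAUTHORIZED", "constructed: not logged in")
        if route == "/services/search":
            return 200, {}, json.dumps({"firstResult": 0, "maxResultHits": 50,
                                        "totalHits": 0, "hits": [], "facets": {}})
        if route == "/services/copy":
            if headers.get("X-CSRF-TOKEN") != self.CSRF_TOKEN:
                return self._err(403, "FORBIDDEN", "Csrf token check failed")
            return 200, {}, json.dumps({"processedCount": 1, "errorCount": 0})
        return self._err(404, "NOT_FOUND", "constructed: unknown path")


def demo():
    """Replays Example 1, then a copy with a wrong token; returns the outcomes."""
    client = AssetsClient("http://assets.example.invalid", transport=FakeAssetsServer())
    token = client.login("user", "secret")
    hits = client.search("id:nonexisting")["totalHits"]
    copied = client.copy("/Users/user/upload/test.jpg", "/Users/user/upload/test-copy.jpg")
    client.csrf_token = "BBBBBBBBBBBBBBBBBBBBBB"    # stale or forged token
    try:
        client.copy("/Users/user/upload/test.jpg", "/Users/user/upload/test-copy.jpg")
        rejected = None
    except AssetsError as exc:
        rejected = str(exc)
    return token, hits, copied, rejected


if __name__ == "__main__":
    print(demo())
```

To use the client against a real server, construct `AssetsClient("https://your-assets-server")` without a transport; the fake server exists only so the flow can be exercised without network access.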
Example 2 - installing the Assets Server demo files
Installing the Assets Server demo files is another action that uses a POST request which includes a csrf token. For more information, see Installing demo files for Assets Server.
APIs that only accept POST requests
The following table shows Assets Server APIs that only accept POST requests.
API | Path |
---|---|
checkout | /services/checkout/<assetId> |
copy | /services/copy |
create | /services/create |
createAuthKey | /services/createAuthKey |
create folder | /services/createFolder |
create relation | /services/createRelation |
login | /services/login |
logout | /services/logout |
log usage stats | /services/logUsage |
move / rename | /services/move |
profile | /services/profile |
remove | /services/remove |
remove relation | /services/removeRelation |
revokeAuthKeys | /services/revokeAuthKeys |
undo checkout | /services/undocheckout/<assetId> |
update | /services/update |
updateAuthKey | /services/updateAuthKey |
updatebulk | /services/updatebulk |
Also affected is the way to install the Assets Server demo files. For more information, see Installing demo files for Assets Server.