When developing stateless REST APIs you do not want CSRF token validation. Fortunately, FOSRest provides the ability to disable it. That solution does not work, however, if you do not have a ROLE for all API users.
This bundle disables the CSRF token validation based upon the URL of the request. So if your API has a global prefix like /api/, you can disable the CSRF token validation for all your API forms.
Installation of this bundle uses Composer. It requires you to have Composer installed globally. For Composer documentation, please refer to getcomposer.org.

Open a command console, enter your project directory and execute the following command to download the latest stable version of this bundle:

```bash
composer require dkplus/csrf-api-unprotection-bundle
```
Then, enable the bundle by adding the following line in the app/AppKernel.php file of your project:
```php
<?php

use Symfony\Component\HttpKernel\Kernel;

class AppKernel extends Kernel
{
    public function registerBundles()
    {
        $bundles = array(
            // …
            // Register the bundle so its CSRF rules are applied to matching requests.
            new Dkplus\CsrfApiUnprotectionBundle\DkplusCsrfApiUnprotectionBundle(),
        );

        // …
    }

    // …
}
```
That's everything you need :-)
The default configuration disables the CSRF token validation for all URIs that begin with /api/, regardless of which environment you are using:
```yaml
dkplus_csrf_api_unprotection:
    rules:
        match_uri:
            - "#^(/app(_[a-zA-Z]*)?.php)?/api/#"
```
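To check which request paths the default rule exempts before you deploy it, here is an added example (not code from the bundle) that replays the `match_uri` patterns with `preg_match()` against constructed sample paths; it assumes the bundle evaluates each pattern against the request path, which the configuration implies.

```php
<?php
// Added example, not part of the bundle: replicates the match_uri
// decision so you can see which paths lose CSRF validation.
// Assumption: the bundle runs preg_match() on the request path.

declare(strict_types=1);

/** @param string[] $matchUri the patterns listed under rules.match_uri */
function csrfDisabledFor(string $path, array $matchUri): bool
{
    foreach ($matchUri as $pattern) {
        if (preg_match($pattern, $path) === 1) {
            return true;   // first matching rule disables validation
        }
    }
    return false;          // no rule matched: CSRF check stays on
}

// The default rule from the configuration above.
$defaultRules = ['#^(/app(_[a-zA-Z]*)?.php)?/api/#'];

// Constructed sample paths: API routes that should be exempt, and
// session-based form routes that must keep their CSRF protection.
$samples = [
    '/api/users'             => true,  // plain API path
    '/app_dev.php/api/users' => true,  // dev front controller prefix
    '/app.php/api/'          => true,  // prod front controller prefix
    '/api'                   => false, // no trailing slash: not matched
    '/apiary/feeds'          => false, // prefix must be exactly /api/
    '/admin/api/users'       => false, // anchored with ^: /api/ not at start
    '/profile/edit'          => false, // regular form, stays protected
];

foreach ($samples as $path => $expected) {
    $actual = csrfDisabledFor($path, $defaultRules);
    printf("%-24s CSRF check %s%s\n", $path,
        $actual ? 'disabled' : 'enforced',
        $actual === $expected ? '' : '  <-- UNEXPECTED');
}
```

Because the pattern is anchored with `^` and ends in `/api/`, a session-authenticated form under a path such as `/admin/` keeps its protection; loosening the pattern (for example dropping the anchor) would silently exempt such forms as well, so run a check like this whenever you change the rules.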