Guest voucher uploads via the API #1771

Open
multimeric opened this issue Jan 11, 2024 · 2 comments
@multimeric

The API supports guest uploads, via the vid parameter: https://docs.filesender.org/filesender/v2.0/rest/#guest-token. However, the API still checks the security tokens (Csrftoken and X-Filesender-Security-Token) for guest requests, which the user can't obtain using the API. Failing to provide these gives rest_xsrf_token_did_not_match.

Considering this, I wonder how it might be possible to support an API-only workflow for guest uploading?

@monkeyiq
Contributor

monkeyiq commented Feb 2, 2024

The API calls are made with AuthRemote being the authentication on the server side. We could either allow these security tokens to be read from the server or disable the checking of them for AuthRemote requests. It probably makes most sense to use Auth::isRemote() to allow both native REST calls and remote applications to avoid the xsrf checks.

@multimeric
Author

I would have thought that all API requests that request a token, including a guest token, should not check CSRF. But then I'm no security expert.
