Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

API with access token returns 500 error from CheckCsrfToken #1828

clarkwinkelmann opened this issue Jul 28, 2019 · 0 comments


Copy link

commented Jul 28, 2019

Bug Report

Current Behavior
Performing an API request without CSRF and with header Authorization: Token <token> where token is a user access token results in the response Call to a member function token() on null in /flarum-beta9/vendor/flarum/core/src/Http/Middleware/CheckCsrfToken.php:41 for all API endpoints

Steps to Reproduce

  1. Create an access token via /api/token or by taking an existing one in the access_tokens table
  2. Perform an API request via the command line or in the browser console by removing the cookie and CSRF token and adding the Authorization header
  3. Request returns 500 error as described above

Expected Behavior
It should be possible to use the API with just an access token.


  • Flarum version: beta 9

Possible Solution

It appears that when using an access token (not an api key), bypassCsrfToken isn't set. But the session isn't set either

$request = $request->withoutAttribute('session');

Then the CheckCsrfToken middleware tries to access the session property in

$expected = (string) $request->getAttribute('session')->token();

We should probably set bypassCsrfToken as well when using an access token

Additional Context
There is no issue with Api Keys.

@franzliedke franzliedke added this to the 0.1.0-beta.10 milestone Aug 1, 2019

@franzliedke franzliedke self-assigned this Aug 1, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
2 participants
You can’t perform that action at this time.