Setting the `api.csrf` option prevents the user from logging in #1944
Describe the bug
This works as expected if I specify the option in
'api' => [ 'csrf' => '' ]
But it works weirdly if I specify it like this:
'api.csrf' => ''
By "weirdly" I mean that I can still request the API with no CSRF, but the tab where I've logged in to the panel starts refreshing endlessly, redirecting me from
return [ 'api.csrf' => '' ];
And do as I've said above.
Edit: I think this happens due to this line of code. It expects
Edit 2: Yep, I can confirm. Changing the following in Panel.php from:
'csrf' => $kirby->option('api')['csrf'] ?? csrf(),
'csrf' => $kirby->option('api.csrf') ?? csrf(),
Solves the problem.
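The difference between the two lookups in Edit 2, modeled as an added example (not code from the issue or from Kirby): `optionLookup()` is a hypothetical stand-in for `$kirby->option()`, assumed to resolve an exact key first and a dot path second, and `SESSION_TOKEN` is a constructed placeholder for what `csrf()` returns. With the flat `'api.csrf'` key, the nested-array access never sees the configured value and falls back to the session token.

```php
<?php
// Added illustration; not Kirby's code. optionLookup() is a hypothetical
// stand-in for $kirby->option(): exact key first, then dot-path traversal.
function optionLookup(array $options, string $key)
{
    if (array_key_exists($key, $options)) {
        return $options[$key];
    }
    $node = $options;
    foreach (explode('.', $key) as $part) {
        if (!is_array($node) || !array_key_exists($part, $node)) {
            return null;
        }
        $node = $node[$part];
    }
    return $node;
}

// Constructed placeholder for the session token that csrf() would return.
const SESSION_TOKEN = 'session-token-placeholder';

// Lookup shaped like the line the issue quotes as "from".
function tokenViaNestedAccess(array $options): string
{
    return optionLookup($options, 'api')['csrf'] ?? SESSION_TOKEN;
}

// Lookup shaped like the line the issue reports as solving the problem.
function tokenViaDottedKey(array $options): string
{
    return optionLookup($options, 'api.csrf') ?? SESSION_TOKEN;
}

// The two config shapes from the bug description.
$configs = [
    "nested 'api' => ['csrf' => '']" => ['api' => ['csrf' => '']],
    "flat 'api.csrf' => ''"          => ['api.csrf' => ''],
];

// Print which token each lookup resolves under each config shape.
foreach ($configs as $label => $options) {
    printf("%-32s nested access: %-28s dotted key: %s\n",
        $label,
        var_export(tokenViaNestedAccess($options), true),
        var_export(tokenViaDottedKey($options), true));
}
```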
@lukasbestle I think it's needed. Otherwise how would you make requests to the API from plugins' front-end? Actually, the panel itself uses the API too, so it also needs to provide the token?
Edit: I'm talking about the presence of the CSRF token in