CURL call response : The CSRF token is invalid. #1

Closed
svnindia opened this issue Dec 24, 2013 · 17 comments

Comments

@svnindia

Hi,

I am new to Symfony. I have installed the Symfony blog code and it's working fine in the web browser (forms & API doc).

But if I try a curl call I get an error:

curl -X POST -d '{"title":"title","body":"body"}' http://localhost:8000/api/v1/pages.json --header "Content-Type:application/json"

{"code":400,"message":"Validation Failed","errors":{"errors":["The CSRF token is invalid. Please try to resubmit the form."],"children":{"title":[],"body":[]}}}

{"code":400,"message":"Validation Failed","errors":{"errors":["The CSRF token is invalid. Please try to resubmit the form.","This form should not contain extra fields."],"children":{"title":{"errors":["This value should not be blank.","This value should not be null."]},"body":[]}}}

Please help me understand and solve the issue.

Thanks,
SVN

@liuggio
Owner

liuggio commented Dec 24, 2013

Hi, the problem is about here: https://github.com/liuggio/symfony2-rest-api-the-best-2013-way/blob/master/app/config/security.yml#L26

In order to use the API you should use a user and password; if you are not authenticated you need the CSRF token (for example from an HTML page). This is a new feature described here: Symfony CSRF and REST.

@svnindia
Author

How do I authenticate as ROLE_API using a curl call?

@liuggio
Owner

liuggio commented Dec 24, 2013

Hi liuggio,
thanks a lot for the fast answer.
Please, I need more info, I'm stuck.
Could you help me find the way to authenticate via curl?
I loved the blog and this repo, thanks a lot for your effort.

@liuggio
Owner

liuggio commented Dec 24, 2013

Hi @svnindia,
thanks a lot for commenting.
Please try using curl --user name:password
More info here: https://www.google.it/search?q=How+to+use+curl+for+basic+auth

Please let me know if it works, and could you please provide a pull request to the blog if you think this has to be modified?

Thanks

@svnindia
Author

Hi liuggio,

First I need to thank you for writing a blog on how to use the FOS bundles.
For the past 15 days I was researching Symfony and found one ready-to-use code base for self-learning.

If some step-by-step use case examples were given it would be really helpful. You have already given some examples, but as a newbie to Symfony I could not proceed further. :(

After modifying the line below, I am able to post data.
disable_csrf_role: IS_AUTHENTICATED_ANONYMOUSLY

I need to look for a solution for auth; the above suggestion did not work for me.

Thanks

@liuggio
Owner

liuggio commented Dec 24, 2013

Thanks.
Just to be sure, this doesn't work?
curl -X POST -d '{"title":"title","body":"body"}' http://localhost:8000/api/v1/pages.json --header "Content-Type:application/json" --user YOURUSERNAME:YOURPASSWORD

YOURUSERNAME:YOURPASSWORD should be the username and password from security.yml.

@svnindia
Author

Thanks liuggio.
The above auth works with the in_memory admin/adminpass example.
I am facing issues with the fos_user & fos_rest bundle example (your code); I am analyzing that.

@liuggio
Owner

liuggio commented Dec 26, 2013

If you find a solution, please share it; it could help others.

@svnindia
Author

Sure, I will share the code here.

@n1c01a5

n1c01a5 commented Jan 2, 2014

@svnindia same problem...

Any solution?

@liuggio
Owner

liuggio commented Jan 2, 2014

Sorry, I don't get the problem.
As I said 8 days ago, using --user it works for me:

curl -X POST -d '{"title":"title","body":"body"}' http://localhost:8000/api/v1/pages.json --header "Content-Type:application/json" --user user:userpass

because it uses the setting from
http://welcometothebundle.com/symfony2-rest-api-the-best-way-part-3/#disable_csrf_with_rest

# app/config/config.yml
fos_rest:
    disable_csrf_role: ROLE_API

Could you please confirm that it works for you too? Thanks

@n1c01a5

n1c01a5 commented Jan 2, 2014

For the moment I do this in my form:

# src/Acme/BlogBundle/Form/PageType.php
/**
 * @param OptionsResolverInterface $resolver
 */
public function setDefaultOptions(OptionsResolverInterface $resolver)
{
    $resolver->setDefaults(array(
        'data_class'      => 'Acme\BlogBundle\Entity\Page',
        'csrf_protection' => false
    ));
}

But it's not a good way...

@n1c01a5

n1c01a5 commented Jan 2, 2014

@liuggio the command curl -X POST -d '{"title":"title","body":"body"}' http://localhost:8000/api/v1/pages.json --header "Content-Type:application/json" --user user:userpass works for me.

Thanks.

But I would open an issue about using FOSUserBundle with this API.

@svnindia
Author

svnindia commented Jan 2, 2014

I have tried with FOSOAuth and it's working fine.
In the config.yml file I modified the line below:
disable_csrf_role: IS_AUTHENTICATED_FULLY

@svnindia
Author

svnindia commented Jan 2, 2014

Major websites use REST with OAuth for web services (Facebook/Twitter).
Username/password authentication is an old method.

@liuggio
Owner

liuggio commented Jan 3, 2014

1. Disabling CSRF also in the web form is a bad practice.

2. Why do you want to open an issue?

@svnindia OAuth is another good system, but this is just an example.
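As an added illustration of the point in item 1 (this is not code from this repository or from FOSRestBundle): a Symfony 2.x form type extension that does the same job `fos_rest.disable_csrf_role: ROLE_API` is used for in this thread. CSRF is switched off only when the authenticated user holds the configured role, so the browser forms keep their token while a client authenticated with `--user` can POST JSON. The class name, namespace and the role value are assumptions.

```php
<?php
// Added example, not part of the liuggio/symfony2-rest-api-the-best-2013-way repo.
// Role-scoped CSRF disabling: web forms stay protected, API clients that
// authenticated (e.g. HTTP basic auth mapped to ROLE_API) skip the token.
namespace Acme\BlogBundle\Form\Extension; // hypothetical namespace

use Symfony\Component\Form\AbstractTypeExtension;
use Symfony\Component\OptionsResolver\OptionsResolverInterface;
use Symfony\Component\Security\Core\SecurityContextInterface;

class RoleBasedCsrfExtension extends AbstractTypeExtension
{
    private $securityContext;
    private $role;

    // $role is the role that may skip CSRF, e.g. 'ROLE_API' (assumed value).
    // Passing IS_AUTHENTICATED_ANONYMOUSLY here, as tried earlier in this
    // thread, would match every visitor and disable CSRF for the whole site.
    public function __construct(SecurityContextInterface $securityContext, $role)
    {
        $this->securityContext = $securityContext;
        $this->role = $role;
    }

    public function setDefaultOptions(OptionsResolverInterface $resolver)
    {
        // No security token at all (e.g. a firewall-less route): keep the
        // form's normal CSRF default, do not touch the option.
        if (null === $this->securityContext->getToken()) {
            return;
        }

        // Only an authenticated user holding the role gets CSRF turned off;
        // every other form submission still requires a valid token.
        if ($this->securityContext->isGranted($this->role)) {
            $resolver->setDefaults(array('csrf_protection' => false));
        }
    }

    public function getExtendedType()
    {
        // Extend the base "form" type so this applies to every form.
        return 'form';
    }
}
```

Register the class as a service tagged `form.type_extension` with `alias: form`, injecting `@security.context` and the role string; the PageType then keeps its default `csrf_protection` and does not need the hard-coded `false` shown above.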

@n1c01a5

n1c01a5 commented Jan 3, 2014

I am trying to use FOSOAuthServerBundle with FOSUserBundle.

My security.yml:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:
        api:
            pattern: ^/api
            fos_oauth: true
            stateless: true
        oauth_authorize:
            pattern: ^/oauth/v2/auth 
            form_login:
                provider: fos_userbundle
                check_path: /oauth/v2/auth_login_check
                login_path: /oauth/v2/auth_login
            anonymous: true
        oauth_token:
            pattern: ^/oauth/v2/token
            security: false      

    access_control:
        - { path: ^/oauth/v2/auth_login$, role: IS_AUTHENTICATED_ANONYMOUSLY }

My config.yml:

...
sensio_framework_extra:
    view: { annotations: false }
    router: { annotations: true }
    request: { converters: true }

# FOSRestBundle configuration
fos_rest:
    param_fetcher_listener: true
    view:
        view_response_listener: 'force'
        formats:
            xml:  true
            json: true
        templating_formats:
            html: true
    format_listener:
        rules:
            - { path: ^/, priorities: [ html, json, xml ], fallback_format: ~, prefer_extension: true }
    exception:
        codes:
            'Symfony\Component\Routing\Exception\ResourceNotFoundException': 404
            'Doctrine\ORM\OptimisticLockException': HTTP_CONFLICT
        messages:
            'Symfony\Component\Routing\Exception\ResourceNotFoundException': true
    allowed_methods_listener: true
    access_denied_listener:
        json: true
    body_listener: true
    disable_csrf_role: ROLE_API

# Nelmio configuration
nelmio_api_doc:
    name: Page API

# FOSUserBundle configuration
fos_user:
    db_driver: orm
    firewall_name: main
    user_class: Application\UserBundle\Entity\User

# FOSAuth configuration
fos_oauth_server:
    db_driver:           orm
    client_class:        Acme\ApiBundle\Entity\Client
    access_token_class:  Acme\ApiBundle\Entity\AccessToken
    refresh_token_class: Acme\ApiBundle\Entity\RefreshToken
    auth_code_class:     Acme\ApiBundle\Entity\AuthCode
    service:
        user_provider: fos_user.user_manager

In my browser I get this error at http://localhost/symfony2-rest-api-the-best-2013-way/web/app_dev.php/api/v1/pages: {"error":"access_denied","error_description":"OAuth2 authentication required"}
After running bin/phpunit -c app:

There were 8 failures:

1) Acme\BlogBundle\Tests\Controller\PageControllerTest::testJsonGetPageAction...
...

I think I must create an OAuth client... see https://gist.github.com/ornj/5061326.

Any idea? ...I think I will use WSSE authentication; it's better suited to my project.
