
CSRF for API calls #1681

Closed
artursmolarek opened this issue Jul 29, 2015 · 10 comments

Comments

@artursmolarek

I am trying to use API provided by Rancher UI.
When I call "GET /v1/containers", API returns list of my containers.

But when I replace GET by POST/PUT I got:

{
  "id": "cec3bfe8-da78-49c3-b2a4-a31983134130",
  "type": "error",
  "links": {},
  "actions": {},
  "status": 403,
  "code": "InvalidCSRFToken",
  "message": "CSRF header and cookie do not match",
  "detail": null
}

I am using basic auth with generated credentials.
I have tried to call other URLs, but with the same result.
How can I disable CSRF? Or what should I change in my request?

@cjellick

@artursmolarek are you accessing the API programmatically through something like curl or are you using the browser?

Could you possible post the entirety of your POST/PUT request, including the headers that you're sending along?

@artursmolarek
Author

You are right. That was a problem with my Chrome extension (Postman). It looks like it shares the session with the UI. Using curl is better, but I have another problem.
The method POST /v1/projects/1a5/instance is not allowed.

HTTP/1.1 405 Method Not Allowed
Content-Length: 170
Content-Type: application/json; charset=utf-8
Server: Jetty(8.1.11.v20130520)
X-Api-Account-Id: 1a5
X-Api-Client-Ip: XXX
X-Api-Schemas: http://XXX:8080/v1/projects/1a5/schemas
Date: Thu, 30 Jul 2015 07:24:09 GMT

{"id":"4d8ce19a-ac8d-45a6-b870-XXX","type":"error","links":{},"actions":{},"status":405,"code":"Method not allowed","message":"Method not allowed","detail":null}

Is this URL ok? I couldn't find official documentation anywhere.

Edit:
I have already found your embedded tool to prepare and test API requests.
Now everything looks ok. It should definitely be better described :-)
Ticket can be closed.

@liliyongleo

Hello, I got the same problem with "CSRF header and cookie do not match".

The GET method is working fine, but not POST.

Here is my HTTP POST request output:
Request URL: http://192.168.1.56:2403/v1/projects/1a5/services/1s370/?action=activate
Request Method: POST
Status Code: HTTP/1.1 403 Forbidden

Request Headers:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Firefox/38.0
Referer: http://192.168.1.56:2403/
Pragma: no-cache
Host: 192.168.1.56:2403
Content-Length: 0
Connection: keep-alive
Cache-Control: no-cache
Authorization: Basic NEZGRDM0OEMzOTc4QjVGOTBGRjM6dzdiQzlYelQ5QWpKV2laemszNnUyY0x6azJnWGRjaHpRVXBiSjhRZA==
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept: application/json

Sent Cookie:
PL: rancher
NSID: 26a01c21314009ba5b5748ce0c52a923
CSRF: 6394D5918EFA13F55198BDDB6D06401B

@raghu588

raghu588 commented Jun 27, 2018

@artursmolarek I'm also facing the same issue. Can you please provide the solution if you resolved this issue?

@vincent99
Contributor

You're hitting the CSRF check because you're sending a User-Agent that looks like a browser (contains Mozilla). Remove or change the User-Agent and the check will not be applied, as it is not relevant to direct API calls.

(Or if you really want, you can send the value of the CSRF cookie as an X-Api-Csrf header)
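The behaviour vincent99 describes, reconstructed as an added Python example (not Rancher's own code; the header and cookie names come from this thread, the User-Agent gating rule is an assumption based on the comment above), together with a small helper that builds the headers a non-browser client would send:

```python
import base64
import hmac

# Constructed sample logic; X-Api-Csrf, the CSRF cookie and HTTP basic auth
# are named in this thread, the "Mozilla" heuristic is an assumption.

def looks_like_browser(user_agent):
    """Assumed rule from the comment above: a browser-style UA contains 'Mozilla'."""
    return "mozilla" in (user_agent or "").lower()

def csrf_check(headers, cookies):
    """Double-submit check: the CSRF cookie value must be echoed in X-Api-Csrf.
    Returns None when the request passes, or an error dict shaped like the
    API response quoted in this thread (id omitted)."""
    if not looks_like_browser(headers.get("User-Agent")):
        return None  # direct API clients are not subject to the check
    cookie = cookies.get("CSRF")
    header = headers.get("X-Api-Csrf")
    if cookie is None or header is None or \
            not hmac.compare_digest(cookie.encode(), header.encode()):
        return {"type": "error", "status": 403, "code": "InvalidCSRFToken",
                "message": "CSRF header and cookie do not match", "detail": None}
    return None

def api_headers(access_key, secret_key, csrf_cookie=None, user_agent="my-client/1.0"):
    """Headers for a non-browser client: HTTP basic auth built from the key pair
    (the keys are credentials, not custom headers), plus X-Api-Csrf only when
    the client actually holds a CSRF cookie from the UI session."""
    token = base64.b64encode(f"{access_key}:{secret_key}".encode()).decode()
    headers = {"Authorization": "Basic " + token,
               "Accept": "application/json",
               "User-Agent": user_agent}
    if csrf_cookie is not None:
        headers["X-Api-Csrf"] = csrf_cookie
    return headers
```

With a non-browser User-Agent the check is skipped entirely, which is why the same request fails from Postman sharing a browser session and succeeds from curl.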

@raghu588

@vincent99 I want to get some service APIs (which are JSONs) into my application. I am sending the request from Postman for now, sending CATTLE_ACCESS_KEY, CATTLE_SECRET_KEY and X-Api-Csrf in headers. But I'm getting this error: var data = {"id":"b94a31d0-6f26-4626-a1a6-b06f87b46880","type":"error","links":{},"actions":{},"status":401,"code":"Unauthorized","message":"Unauthorized","detail":null,"baseType":"error"}; Please suggest.

@vincent99
Contributor

Access key and secret key aren't headers. The API does http basic auth.

@raghu588

@vincent99 can you provide me any references on how to access Rancher service APIs (JSONs) from an external application (like Scala)?

@raghu588

raghu588 commented Jul 2, 2018

@vincent99 If I enable the interceptor in Postman I'm able to get the JSON, but when I tried with a Scala REST client application it ended up with an "Unauthorized" error. We used GitHub authentication for Rancher. From a Scala application, how do we do authentication?

@brianharwell

Invoke-RestMethod -UserAgent "Nona Business" works like a champ
