Deleting Assets/Logs/etc via API 1.x

Hi, I am attempting to use an API call to delete logs, assets, etc and encountering 403 Forbidden responses to the request. I am using the current 1.x dev docker image for farmOS. The issue is a bit strange in that the 403 comes when making the request from a page rendered in farmOS.

The JavaScript is:

axios
    .delete('http://localhost/log/3')            // cookie-authenticated request from the farmOS page; returns 403
    .then(response => alert(response.data))
    .catch(error => console.log(error))

However, if I run a Python script on the same machine the delete is successful. The Python code is:

import requests
from requests.auth import HTTPBasicAuth
response = requests.delete("http://localhost/log/8", auth=HTTPBasicAuth(user, passwd))  # user/passwd: the Farm Manager credentials
print(response)

In both cases, the session is authenticated with the same user who is the admin and has the “Farm Manager” role. In the farmOS page, authentication is via login. With python, it is via the basic authentication module.

Also, worth noting is that when I issue the same request using Hoppscotch (like Postman) using basic authentication, or in the same browser session (so relying on the login authentication), I still see the 403, but it also says “CSRF validation failed.”

I recognize that most development effort is now on 2.x, but it feels like I may just be missing something small, so any suggestions or pointers in the right direction would be appreciated. Thanks.

2 Likes

Hmm, bear with me as my 1.x API memory is getting fuzzier… :)

I think the issue is you need to include the X-CSRF-Token header when you’re making requests in the browser console. This is only required for cookie-based authentication, if I remember correctly, and is not required when you’re using basic authentication.

From the restws module’s README.txt:

  • Delete: HTTP DELETE /<resource>/<id>

Note: if you use cookie-based authentication then you also need to set the
HTTP X-CSRF-Token header on all writing requests (POST, PUT and DELETE).
You can retrieve the token from /restws/session/token with a standard HTTP
GET request.

2 Likes

Seems your memory is spot on! Worked like a charm. Thanks Mike.

In case it is useful for someone in the future here is a snippet of working demo code from the page rendered in farmOS:

// Step 1: fetch the per-session CSRF token over the existing cookie session.
axios
    .get('/restws/session/token')
    .then(response => {
        let token = response.data   // the token is returned as the plain response body
        // Step 2: send the write request (DELETE) with the token in the X-CSRF-Token header.
        axios
            .delete('http://localhost/log/3', {
                headers: {
                    'X-Requested-With': 'XMLHttpRequest',
                    'X-CSRF-TOKEN': token,   // header names are case-insensitive
                }
            })
            .then(response => console.log(response))
            .catch(error => console.log(error))
    })
    .catch(error => console.log(error))
3 Likes