Drupal 7 Services 3 Session Authentication with CSRF Token

I really had a bad hour figuring out how Drupal Services (version 3.x) session authentication works. The documentation is poor and there are several issues reporting problems.

Finally I was able to find a way out of the Services REST jungle and I'd like to share the results with you (and with my future self) in case we ever run into the same problems again.

The following steps are required:

Module configuration

  • Enable Services
  • Select "REST server" on admin/structure/services/list/app_api (app_api being the machine name of your endpoint)
  • Set the endpoint path (here "services/ep/rest") on admin/structure/services/list/app_api
  • Activate "Session authentication" on admin/structure/services/list/app_api

1. Request CSRF Token

  • Make a POST (!) call to https://www.example.com/services/session/token. This path is fixed: it does not change with the endpoint path you configured.
  • Save the response body into a variable. That's the CSRF token, for example "PO6WaREZaDfKVEpZ2X3a90Nyyt6xUdQ06JaBJiYxgI6".

2. Request login

  • Make a POST (!) call to https://www.example.com/services/ep/rest/user-service/login.json, where services/ep/rest is your configured endpoint path and user-service is the alias you gave the user resource (the default is just "user").
  • Set the following headers on that POST:
    • Key: "X-CSRF-Token", Value: "YOURTOKENVALUEFROMABOVE"
    • Key: "Content-Type", Value: "application/json" (you may use a different format, but a matching Content-Type must be set, otherwise the request will NOT work)
  • Send your login credentials as the body. We use JSON here; other formats work as well:
    {"username":"exampleuser","password":"examplepassword"}

That's it! If your credentials are correct, the response is a JSON object with the user's properties (the login response also carries sessid, session_name and a fresh token). Note that a successful login regenerates the Drupal session, so the token from step 1 is no longer valid for later requests: use the token from the login response (or request a new one from services/session/token with the session cookie set) in the X-CSRF-Token header of any further POST, PUT or DELETE calls.
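The two steps above as one runnable exchange, with both sides' messages. This is an added example, not code from the original post or from the Services module: ServicesClient performs exactly the two POSTs described (token first, then login with the X-CSRF-Token and Content-Type headers and a JSON body), and FakeDrupal is a constructed stand-in for the Drupal side so the script runs offline. The stand-in enforces only what the post states (POST only, Content-Type required, token must match the one issued for the caller's session) and models login regenerating the session, so the token in the login response differs from the one fetched in step 1; its login response follows the fields Services 3.x returns (sessid, session_name, token, user). The endpoint path and resource alias are the post's (services/ep/rest, user-service); the cookie name, private key, user account and error strings are made up.

```python
# Added example, not code from the original post or the Services module. FakeDrupal
# is a constructed stand-in for the Drupal endpoints (checks the post describes plus
# session regeneration on login); cookie name, private key and user are made up.
import hashlib, hmac, json, secrets, threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ENDPOINT = "services/ep/rest"                # endpoint path from the post
LOGIN_PATH = f"/{ENDPOINT}/user-service/login.json"
TOKEN_PATH = "/services/session/token"       # fixed, independent of ENDPOINT
SESSION_NAME = "SESSabc123"                  # constructed session cookie name
PRIVATE_KEY = b"constructed-private-key"     # stands in for Drupal's private key
USERS = {"exampleuser": "examplepassword"}   # constructed credentials


def csrf_token(sessid):
    """Token bound to the session id, as drupal_get_token('services') is."""
    return hmac.new(PRIVATE_KEY, sessid.encode(), hashlib.sha256).hexdigest()


class FakeDrupal(BaseHTTPRequestHandler):
    """Constructed server side: only POST is handled, as the post requires."""

    def _reply(self, code, body, ctype="application/json", sessid=None):
        data = (body if ctype == "text/plain" else json.dumps(body)).encode()
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        if sessid:
            self.send_header("Set-Cookie", f"{SESSION_NAME}={sessid}; Path=/; HttpOnly")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        morsel = SimpleCookie(self.headers.get("Cookie", "")).get(SESSION_NAME)
        sessid = morsel.value if morsel else secrets.token_hex(16)  # anonymous session
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == TOKEN_PATH:              # step 1: plain-text body is the token
            return self._reply(200, csrf_token(sessid), "text/plain", sessid)
        if self.path != LOGIN_PATH:
            return self._reply(404, "Not found")
        if not self.headers.get("Content-Type", "").startswith("application/json"):
            return self._reply(415, "Unsupported Media Type")
        sent = self.headers.get("X-CSRF-Token", "").encode()
        if not hmac.compare_digest(sent, csrf_token(sessid).encode()):
            return self._reply(401, "CSRF validation failed")
        creds = json.loads(raw)
        if USERS.get(creds.get("username")) != creds.get("password"):
            return self._reply(401, "Wrong username or password.")
        new_sessid = secrets.token_hex(16)       # login regenerates the session
        self._reply(200, {"sessid": new_sessid, "session_name": SESSION_NAME,
                          "token": csrf_token(new_sessid),
                          "user": {"uid": "2", "name": creds["username"]}}, sessid=new_sessid)


class ServicesClient:
    def __init__(self, base_url):
        self.base_url, self.cookie, self.token = base_url.rstrip("/"), None, None

    def post(self, path, body=b"", headers=None):
        """POST and return (status, body text); 4xx/5xx bodies are kept, not raised."""
        req = Request(self.base_url + path, data=body, headers=headers or {}, method="POST")
        if self.cookie:
            req.add_header("Cookie", self.cookie)
        try:
            resp = urlopen(req)
        except HTTPError as err:
            resp = err
        with resp:
            if resp.headers.get("Set-Cookie"):
                self.cookie = resp.headers["Set-Cookie"].split(";", 1)[0]
            return resp.code, resp.read().decode()

    def request_token(self):                     # step 1: the response body is the token
        self.token = self.post(TOKEN_PATH)[1]
        return self.token

    def login(self, username, password):         # step 2: JSON body, token and type as headers
        headers = {"X-CSRF-Token": self.token, "Content-Type": "application/json"}
        body = json.dumps({"username": username, "password": password}).encode()
        status, text = self.post(LOGIN_PATH, body, headers)
        if status != 200:
            raise PermissionError(f"login failed: {status} {text}")
        result = json.loads(text)
        self.token = result["token"]             # pre-login token died with the old session
        return result


def start_fake_drupal():
    """Serve FakeDrupal on a random local port (daemon thread); returns its base URL."""
    server = HTTPServer(("127.0.0.1", 0), FakeDrupal)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"


def session_login(base_url, username="exampleuser", password="examplepassword"):
    """Run both steps; returns (pre-login token, login result)."""
    client = ServicesClient(base_url)
    return client.request_token(), client.login(username, password)
```

From a script or REPL, session_login(start_fake_drupal()) runs both steps against the stand-in and returns the step-1 token and the login result; the server's access log on stderr shows the two POSTs. Against a real site, point ServicesClient at the site's base URL instead and drop FakeDrupal: the client only relies on the two paths, the two headers and the session cookie handed back in Set-Cookie. Sending the login without the token, or without the JSON Content-Type, is rejected by the stand-in exactly as the post warns.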

I used the "restclient" Firefox plugin for my tests: https://addons.mozilla.org/de/firefox/addon/restclient/

Attachments (size)

token-request.jpg (124.9 KB)
login-request.jpg (166.44 KB)
