Admin page to generate api key

lubobill1990

I'm using flarum as a backend for my mobile app.
After I upgrade to beta.10, I find the beta.10 require csrf token from requests to api.
Because mobile app doesn't support session, so I need to use api key to access api.
However, I find there's no admin page to generate such api key.

I also find api key feature has been added to flarum since several years ago, so is there an extension to generate and manage api keys? If there's not, is there a plan to add such a page in the admin page?

In addition, I find it's not friendly to add and customize an admin page....

clarkwinkelmann

lubobill1990 Api Keys give complete access to the Flarum instance and can only be inserted directly via the database for now. You shouldn't embed an API Key in client/distributed code as anyone with that key can perform any action as any user.

Maybe what you're looking for are User Tokens ? Those are linked to a specific user and can be created via the API (POST /tokens with username and password payload I think). Your app can request a token with the user credentials and then save it for use with API requests.

lubobill1990

clarkwinkelmann Wow, so dangerous! Thanks for your warning!

However, now, the beta.10 require csrf token for all of my post requests. How can I do POST requests if I just want to call the api before I login without having a session?

clarkwinkelmann

I think we still have a problem with the token endpoint. I remember discussing it but it never made it into an issue.

We should probably allow posting to the /api/token endpoint without CSRF, in order to allow apps to create tokens for users without using the /login endpoint.

I now have created the issue for that flarum/core1905

The only way to do it right now would be to have a script you control to proxy the requests for the token. Send the credentials to that script, have that script check generate the user token via an Api Key, then return the user token. Then the app can use that token to skip CSRF.

The discussion about this was here https://discuss.flarum.org/d/20867-csrf-token-mismatch-on-beta-9-upgrade/8

An alternative would be to fetch the CSRF token for that request (fetch it from a page, then pass it with the first POST request along with the cookies). This should be doable from an application, but that's not super pretty.

Hopefully we can get this fixed in a next beta so it's not as complicated.

lubobill1990

clarkwinkelmann Thank you Clark, it's very helpful to create this issue.

Currently, I would like to set bypassCsrfToken to solve this problem.

Spooonky

@clarkwinkelmann
Does the problem still exist or can user create there own API tokens to visit their own data only?

clarkwinkelmann

Spooonky since a few betas the POST /token route is no longer protected by CSRF.

There's also now an extender to easily add additional routes to the exceptions https://github.com/flarum/core/blob/v0.1.0-beta.16/src/Extend/Csrf.php

It's planned to add a UI so users can create personal tokens. The backend changes for that have been introduced in beta 16 (see session tokens changes in release notes).