about cookie and x-csrf-token

Cathas9lives

How to get a long-lasting cookie and x-csrf-token?

clarkwinkelmann

You can obtain an API token via POST /api/token and you can give it a very long lifetime. But as discussed here flarum/core1925 we will probably remove the use of CSRF when not using cookies, as it doesn't make sense and just makes thing more complicated.

If you are the owner of the target forum, the best is to create an API Key. API Keys can already be used without CSRF token.

Cathas9lives

clarkwinkelmann how could I use the api key in python ?

clarkwinkelmann

Cathas9lives you need to insert a random token (ideally 40 characters long) in the api_keys table of the database (you can leave all other columns blank), then you can use the Authorization header like this:

Authorization: Token <token>; userId=1

Replace <token> with the random token, and 1 with the user ID of the user you want to authenticate as.

Cathas9lives

clarkwinkelmann I use this but still get the csrf_token mismatch error.

luceos

Cathas9lives can you provide your code that does the authorized request?

Cathas9lives

luceos

Cathas9lives

luceos Could you help me?

clarkwinkelmann

Cathas9lives do you have the word Token in front of your token in the Authorization header ? You blurred it out in the screenshot.

Cathas9lives

clarkwinkelmann yes,I do 'Authorization':'Token=1H4C**********WWk2gHJ1IPUnynI1yN9aB2ywOs,userId=1'

clarkwinkelmann

Cathas9lives It's Token thetoken;userId=1 (space in between).