Routes that are not views

matteocontrini

Hello.

I've enabled a WAF service on my forum, and I need to exclude the API endpoints from the JavaScript challenge feature (this is similar to the "under attack" mode by CloudFlare).

I "whitelisted" the /api endpoint, and also /login and /register, which are used for XHR requests as well (why aren't they under /api, anyway?).

I wanted to ask if there are other endpoints that you know of that return JSON but are not under the /api endpoint.

I looked a bit at the source code but it's not immediately clear.

Thank you! 😃

clarkwinkelmann

matteocontrini there are also POST endpoints for password reset and logout, but I don't think they return JSON.

matteocontrini

clarkwinkelmann thanks for the reply.

Those two are posted with "normal" HTML forms, right?

clarkwinkelmann

matteocontrini Those two are posted with "normal" HTML forms, right?

Yes I believe so.

Those should be easy to test once you enable your WAF.

matteocontrini

clarkwinkelmann ok, I tried, and logout is actually a GET request (not XHR).

With "password reset" I understand the /api/forgot endpoint, which is indeed under /api, so already covered.

clarkwinkelmann

matteocontrini there's a POST /reset route when you come to confirm the new password.

You can see all core frontend routes here https://github.com/flarum/core/blob/master/src/Forum/routes.php