After 2 years, I decide to migrate cakephp core of my website to the latest version.
After the migration, I have to fixed many errors and warnings to make my website work normally.
Last trouble is REST API. It works fine with cakephp 3.2 but not with 3.6.
Here is my routes.php configuration for REST:
Router::prefix(‘api’, function ($routes) {
$routes->setExtensions([‘json’]);
$routes->resources(‘Readings’, [
‘map’ => [
‘check_updates’ => [
‘action’ => ‘getUpdateInfo’,
‘method’ => ‘POST’
]
]
]);
});
My REST controllers are in /src/Controller/Api
There is another AppController in this folder, for REST only.
When I use Postman to send request, Invalid CSRF exception occurs, and then it goes to the AppController of the web, not the AppController in the Api folder.
How can I fix this?
I’m not familiar to the Middleware of new version.
OK.
As I guess, the issue’s caused by the Middleware.
In Application, CsrfProtectionMiddleware has been added by default.
I have to write a function (Application/middleware) to check the prefix, if it is api then do the normal request, if not, use the CsrfProtectionMiddleware like this:
// Use CSRF protection for web only, not API request
->add(function (
ServerRequest $request,
Response $response,
callable $next
) {
$params = $request->getAttribute('params');
if (isset($params['prefix']) && 'api' == $params['prefix']) {
return $next($request, $response);
}
$csrf = new CsrfProtectionMiddleware([
'httpOnly' => true
]);
return $csrf($request, $response, $next);
});
You should use Cake\Http\ServerRequest and Cake\Http\Response