Migrate from 3.2 to 3.6: REST API stops working

Hello,

After 2 years, I decide to migrate cakephp core of my website to the latest version.
After the migration, I have to fixed many errors and warnings to make my website work normally.
Last trouble is REST API. It works fine with cakephp 3.2 but not with 3.6.
Here is my routes.php configuration for REST:
Router::prefix(‘api’, function ($routes) {
$routes->setExtensions([‘json’]);
$routes->resources(‘Readings’, [
‘map’ => [
‘check_updates’ => [
‘action’ => ‘getUpdateInfo’,
‘method’ => ‘POST’
]
]
]);
});
My REST controllers are in /src/Controller/Api
There is another AppController in this folder, for REST only.
When I use Postman to send request, Invalid CSRF exception occurs, and then it goes to the AppController of the web, not the AppController in the Api folder.
How can I fix this?
I’m not familiar to the Middleware of new version.

Thank you very much,
Long

I have figured it out.
Thank you very much.
Please close this topic.

it would be great if you post what you figured out, so others people with similar problem can use this post

OK.
As I guess, the issue’s caused by the Middleware.
In Application, CsrfProtectionMiddleware has been added by default.
I have to write a function (Application/middleware) to check the prefix, if it is api then do the normal request, if not, use the CsrfProtectionMiddleware like this:

            // Use CSRF protection for web only, not API request
            ->add(function (
                ServerRequest $request,
                Response $response,
                callable $next
            ) {
                $params = $request->getAttribute('params');
                if (isset($params['prefix']) && 'api' == $params['prefix']) {
                    return $next($request, $response);
                }
                $csrf = new CsrfProtectionMiddleware([
                    'httpOnly' => true
                ]);

                return $csrf($request, $response, $next);                
            });

You should use Cake\Http\ServerRequest and Cake\Http\Response

Use lower case /src/Controller/Api -> /src/Controller/api
it works for me