I am using the miniOrange API Authentication module to handle API key authorization for my custom REST endpoints, which are built by extending the REST Web Services module.
I notice that my POST and PATCH methods work perfectly fine without a CSRF token from the /session/token endpoint. Does API key authorization remove the need for CSRF tokens? If not, why am I able to make successful POST/PATCH requests without a CSRF token? I thought they were required...
/**
* Provides a My Resource
*
* @RestResource(
* id = "my_resource",
* label = @Translation("My Resource"),
* uri_paths = {
* "canonical" = "/my_api/test",
* "create" = "/my_api/test"
* }
* )
*/
class MyResource extends ResourceBase {
/**
 * Handles GET requests for this resource.
 *
 * Placeholder implementation: it reads nothing from the request and always
 * answers with the same fixed message.
 *
 * @return \Drupal\rest\ResourceResponse
 *   Response wrapping an array with a single 'message' key.
 */
public function get() {
  // Stub payload, to be replaced once the endpoint is implemented.
  return new ResourceResponse([
    'message' => 'This GET endpoint still needs to be implemented',
  ]);
}
/**
 * Handles POST requests for this resource.
 *
 * Placeholder implementation: it reads nothing from the request and always
 * answers with the same fixed message. The method does no authentication,
 * permission or CSRF check of its own; any such protection has to come from
 * the route and the authentication providers enabled for this resource,
 * which are not visible here.
 *
 * NOTE(review): Drupal core's X-CSRF-Token check on REST routes is understood
 * to apply only to requests authenticated through a session cookie. A request
 * that carries an API key and no session cookie is therefore expected to pass
 * without a token. Confirm which authentication providers are enabled for
 * this resource, because cookie-authenticated callers still need the token.
 *
 * NOTE(review): ResourceResponse is the cacheable response class of the rest
 * module. Consider ModifiedResourceResponse once this method changes state.
 *
 * @return \Drupal\rest\ResourceResponse
 *   Response wrapping an array with a single 'message' key.
 */
public function post() {
  // Stub payload, to be replaced once the endpoint is implemented.
  return new ResourceResponse([
    'message' => 'This POST endpoint still needs to be implemented',
  ]);
}
/**
 * Handles PATCH requests for this resource.
 *
 * Placeholder implementation: it reads nothing from the request and always
 * answers with the same fixed message. The method does no authentication,
 * permission or CSRF check of its own; any such protection has to come from
 * the route and the authentication providers enabled for this resource,
 * which are not visible here.
 *
 * NOTE(review): Drupal core's X-CSRF-Token check on REST routes is understood
 * to apply only to requests authenticated through a session cookie, so
 * API-key requests without a cookie are expected to succeed without a token.
 * Confirm the enabled authentication providers before relying on that.
 *
 * @return \Drupal\rest\ResourceResponse
 *   Response wrapping an array with a single 'message' key.
 */
public function patch() {
  // Stub payload, to be replaced once the endpoint is implemented.
  return new ResourceResponse([
    'message' => 'This PATCH endpoint still needs to be implemented',
  ]);
}