https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094
--- Comment #21 from David Cook <dc...@prosentient.com.au> ---

(In reply to Jonathan Druart from comment #20)
> why not simply reject if the request_method ne "POST"?

Because the GET is used to obtain the CSRF in order to do the POST, like I describe in https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36094#c14

If MarcEdit is trying to use the SVC API, they'll first do a GET against svc/authentication to get the initial CSRF token and to check if they're authenticated already (since the SVC API uses cookie auth).

If they're not authenticated, then they POST to svc/authentication to log in using the CSRF token they got from the previous GET.

They could then use the CSRF token they get back from the POST to do the next operation.

(In theory all the SVC endpoints should return a CSRF token in their response headers, but I haven't gotten that far. I think you've mentioned elsewhere that the primary concern is Koha's internal use of the SVC API, so fair enough. But as Katrin mentions in Comment 2 we do need to think about external users too, so I've still got it on my mind.)

-- 
Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
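The GET-then-POST exchange described in the comment above, as an added example that is not part of the thread and not Koha's code. Both sides run in one process: a stand-in server hands out a per-session CSRF token on GET, accepts a login POST only when it carries a token issued to that cookie session, and returns a rotated token in the response; the client walks the sequence an external tool such as MarcEdit would. The header name X-CSRF-Token, the cookie name CGISESSID, the form field names and the test account are assumptions made for this example.

```python
"""Hypothetical Koha-style SVC login exchange (added example, not Koha code).
Header name X-CSRF-Token, cookie name CGISESSID, form fields and the test
account are assumptions; the server is a stand-in, not Koha's implementation."""
import hmac
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

CSRF_HEADER = "X-CSRF-Token"     # assumed header name
COOKIE_NAME = "CGISESSID"        # assumed cookie name
USERS = {"marcedit": "hunter2"}  # constructed test account
SESSIONS = {}                    # session id -> {"user": str | None, "csrf": str}


class SvcHandler(BaseHTTPRequestHandler):
    """Stand-in for svc/authentication: GET hands out a token, POST consumes it."""

    def log_message(self, *args):  # silence request logging
        pass

    def _session(self):
        """Look up the cookie session, or create one. Returns (sid, data, is_new)."""
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == COOKIE_NAME and value in SESSIONS:
                return value, SESSIONS[value], False
        sid = secrets.token_hex(16)
        SESSIONS[sid] = {"user": None, "csrf": secrets.token_hex(16)}
        return sid, SESSIONS[sid], True

    def _reply(self, code, body, sid, sess, set_cookie):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header(CSRF_HEADER, sess["csrf"])  # every response carries a token
        if set_cookie:
            self.send_header("Set-Cookie", f"{COOKIE_NAME}={sid}; HttpOnly")
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        if self.path != "/svc/authentication":
            self.send_error(404)
            return
        sid, sess, is_new = self._session()
        self._reply(200, "ok" if sess["user"] else "unauthenticated", sid, sess, is_new)

    def do_POST(self):
        if self.path != "/svc/authentication":
            self.send_error(404)
            return
        sid, sess, is_new = self._session()
        length = int(self.headers.get("Content-Length", 0))
        form = dict(urllib.parse.parse_qsl(self.rfile.read(length).decode()))
        # The token must be one this session received in an earlier response;
        # a brand-new session cannot have one, so its POST is rejected.
        sent = self.headers.get(CSRF_HEADER) or form.get("csrf_token", "")
        if is_new or not hmac.compare_digest(sent, sess["csrf"]):
            self._reply(403, "csrf check failed", sid, sess, is_new)
            return
        if USERS.get(form.get("userid")) != form.get("password"):
            self._reply(401, "login failed", sid, sess, False)
            return
        sess["user"] = form["userid"]
        sess["csrf"] = secrets.token_hex(16)  # rotate the token after login
        self._reply(200, "ok", sid, sess, False)


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), SvcHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def _post(opener, url, fields, headers):
    data = urllib.parse.urlencode(fields).encode()
    try:
        with opener.open(urllib.request.Request(url, data=data, headers=headers)) as r:
            return r.status, r.read().decode(), r.headers[CSRF_HEADER]
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(), e.headers.get(CSRF_HEADER)


def login_flow(base, userid, password):
    """Client side of the exchange; returns what each step observed."""
    url = base + "/svc/authentication"
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    with opener.open(url) as r:  # step 1: GET for the token and the auth state
        initial, token = r.read().decode(), r.headers[CSRF_HEADER]
    code, body, next_token = _post(opener, url, {"userid": userid, "password": password},
                                   {CSRF_HEADER: token})  # step 2: POST with that token
    with opener.open(url) as r:  # step 3: is the cookie session logged in now?
        recheck = r.read().decode()
    return {"initial": initial, "login_code": code, "login_body": body,
            "token_rotated": next_token != token, "recheck": recheck}


def blind_post(base):
    """A POST that skipped the GET has no session and no token: expect 403."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    code, _, _ = _post(opener, base + "/svc/authentication",
                       {"userid": "marcedit", "password": "hunter2"}, {})
    return code


if __name__ == "__main__":
    base = start_server()
    print(login_flow(base, "marcedit", "hunter2"))
    print(blind_post(base))
```

The server binds to an ephemeral port and the client uses a CookieJar, so the cookie session set by the first GET is what ties the CSRF token to the later POST; a client that starts with a POST, or reuses a token from a different session, is refused before credentials are even looked at.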