Problem/Motivation

When submitting a form through the Webform REST endpoint, the response is 200 even when the `x-csrf-token` header is not included in the request. This contradicts the expectation that a valid `x-csrf-token` is required for a successful submission.

Steps to reproduce

1. Grant permission to anonymous users for "Webform Submit POST" under "RESTful Web Services" at `/admin/people/permissions`.
2. Enable "Webform Submit" at `/admin/config/services/rest`.
3. Execute the command `curl -X POST -H "Content-Type: application/json" -H "X-CSRF-Token: {x_csrf_token}" -d '{"webform_id": "{webform_name}", "message": "{message_text}"}' {website_url}/webform_rest/submit`.
4. Also, execute the command without `x-csrf-token` in the header and observe the response.

Proposed resolution

Investigate and modify the system to ensure that the submission only succeeds (returns 200) when a valid `x-csrf-token` is included in the request.

Remaining tasks

- Identify the cause of the issue.
- Implement necessary changes to enforce `x-csrf-token` validation.
- Test to confirm that the issue is resolved.

User interface changes

N/A

API changes

This change will impact the API behavior to correctly validate `x-csrf-token` in the request header.

Data model changes

N/A

Comments

sahksas created an issue. See original summary.

sahksas

Issue summary: View changes
nilesh.addweb

Hi, I have checked two different conditions:

1. Without granting permission to anonymous users for "Webform Submit POST":

 curl -X POST -H "Content-Type: application/json" -H "X-CSRF-Token: gtoonH1Rj0gtCJzmOLW-6E1KkWe6ldb5KgDRgz97z5A" -d '{"webform_id": "inquiry", "name": "demo name", "email": "demo@gmail.com"}' http://lando-d10.lndo.site:8000/webform_rest/submit
{"message":"The \u0027restful post webform_rest_submit\u0027 permission is required."}

To make the POST request you also need to pass the session cookie along with the `x-csrf-token`:

curl --location 'http://lando-d10.lndo.site:8000/webform_rest/submit?_format=json' \
--header 'Content-Type: application/json' \
--header 'X-CSRF-TOKEN: gtoonH1Rj0gtCJzmOLW-6E1KkWe6ldb5KgDRgz97z5A' \
--header 'Cookie: SESS93092389ae524832432597fba32d9747=boHyZiQHKHMPSZfQpvt6esNA0xApZhn2fQqvttTVJ678dePs' \
--data-raw '{
    "webform_id": "inquiry",
    "email": "demo@gmail.com",
    "name": "demo name"
}'

2. After granting permission to anonymous users you can submit the POST request, but it will not validate the `x-csrf-token` any more.

damienmckenna

Title: Authentication Not Performed via x-csrf-token. » Authentication not performed via x-csrf-token

I'm seeing a similar issue that's equally puzzling.

It's a GET request to `webform_rest/WEBFORMID/elements` using basic_auth with a user account that has the "restful get webform_rest_elements" permission; the API request returns a 403 with the message "The 'restful get webform_rest_elements' permission is required." However, looking at dblog I see a message for the 403 reaction, but it shows the user was logged in: the API failure was not for the anonymous user!

damienmckenna

In the end I deleted the user account and recreated it - same credentials, same role, and it worked. So something was borked somewhere.

acbramley

Status: Active » Closed (works as designed)

CSRF validation does not apply to anonymous users.

https://git.drupalcode.org/project/drupal/-/blob/11.x/core/lib/Drupal/Co...
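The rule behind the closing comment (and behind the cookie-plus-token requirement nilesh.addweb describes above) is that Drupal core's X-CSRF-Token access check only runs when three conditions hold at once: the request uses a write method, the account is authenticated, and the request carries a session cookie. The following is an added Python model of that decision, written for this page; it is not Drupal's or Webform REST's code. The `SESS` cookie name, `SITE_SECRET`, the `sessions` table and the session id are constructed stand-ins, and the token derivation is a simplified sketch of core's per-session HMAC, not its exact algorithm.

```python
"""Model of Drupal core's X-CSRF-Token check (CsrfRequestHeaderAccessCheck).

Added illustration, not Drupal's own code.  The check validates the header
only when the request is a write method AND the account is authenticated AND
a session cookie is present.  Anonymous, cookie-less requests skip it.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

TOKEN_KEY = "rest"  # the value core validates the REST header against
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
# Constructed stand-in for the site's hash_salt / private key.
SITE_SECRET = b"constructed-stand-in-for-hash_salt-and-private-key"


@dataclass
class Session:
    uid: int  # > 0 means an authenticated account
    csrf_seed: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)


def csrf_token(session: Session, value: str = TOKEN_KEY) -> str:
    """Per-session token: HMAC of the value under the session seed plus the
    site secret (the shape of core's CsrfTokenGenerator::get, simplified)."""
    key = session.csrf_seed.encode() + SITE_SECRET
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def csrf_access(request: Request, sessions: Dict[str, Session]) -> str:
    """Return 'allowed' or 'forbidden' following the three-condition rule."""
    session: Optional[Session] = sessions.get(request.cookies.get("SESS", ""))
    has_session = session is not None
    authenticated = has_session and session.uid > 0
    is_write = request.method.upper() not in SAFE_METHODS
    if is_write and authenticated and has_session:
        supplied = request.headers.get("X-CSRF-Token", "")
        if not hmac.compare_digest(supplied, csrf_token(session)):
            return "forbidden"
    # Anonymous or cookie-less requests, and all safe methods, skip the check;
    # only the endpoint's permission check then decides the outcome.
    return "allowed"


def scenarios() -> Dict[str, str]:
    """The cases from this thread as constructed requests against one
    constructed authenticated session (uid 5)."""
    sid = "constructed-session-id"
    sessions = {sid: Session(uid=5)}
    cookie = {"SESS": sid}
    good = csrf_token(sessions[sid])
    return {
        "anon_post_no_token": csrf_access(Request("POST"), sessions),
        "anon_post_bogus_token": csrf_access(
            Request("POST", {"X-CSRF-Token": "not-a-real-token"}), sessions),
        "cookie_post_no_token": csrf_access(Request("POST", {}, cookie), sessions),
        "cookie_post_bad_token": csrf_access(
            Request("POST", {"X-CSRF-Token": "stale"}, cookie), sessions),
        "cookie_post_good_token": csrf_access(
            Request("POST", {"X-CSRF-Token": good}, cookie), sessions),
        "cookie_get_no_token": csrf_access(Request("GET", {}, cookie), sessions),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} -> {result}")
```

Run it and the anonymous POST cases come back "allowed" whether or not a token is sent, which is exactly the behaviour the issue reports: once anonymous users hold the "restful post webform_rest_submit" permission, that permission is the only gate. The token is only demanded once a session cookie identifies an authenticated user, because a CSRF token exists to stop a third-party site from riding an existing cookie session; an anonymous caller has no session to abuse. The same reasoning is why basic_auth requests, which carry no session cookie, are not token-checked either, and why an anonymous endpoint should not be granted permissions it is not meant to expose.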