Problem/Motivation

The /api/ai-content-chat/ask POST endpoint currently has no CSRF token validation. This means any external website could craft a form or JavaScript request that sends chat requests on behalf of an authenticated user (Cross-Site Request Forgery).
While the endpoint only returns AI-generated text (no data modification), it still poses a risk:

  • External sites could consume AI API credits by triggering requests through a user's session
  • It could be used to probe indexed content from another domain

Proposed resolution

Add Drupal's built-in CSRF token validation to the API endpoint:

  1. Add X-Drupal-Ajax-Token header validation in the controller, or use the _csrf_token route requirement
  2. Update the JavaScript to include the CSRF token in API requests via drupalSettings

Issue fork 3569915-3573405

  • main: compare changes, plain diff, MR !5

Comments

solimanharkas created an issue. See original summary.


Assigned: solimanharkas » Unassigned
Status: Needs work » Fixed


Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.