0
votes

I have a bizarre issue with Drupal's REST API that I can't work out.

The exact same POST to /user/login?_format=json does NOT work in Postman (error 403 Forbidden) but with same parameters it works correctly in CURL.

This Curl works: curl --header "Content-type: application/json" --request POST --data '{"name":"bobo", "pass":"xxx"}' http://[domain]/user/login?_format=json

I get back json with the uid, name, a csrf token, logout token and any roles.

Now in Postman, I select Post, my url is "http://[domain]/user/login?_format=json" for header i select 'Content-Type' and value 'application/json' and paste the {"name":"bobo", "pass":"xxx"} section into 'raw' under body.

Now I get 403 Forbidden and response: {"message":""}

Is there a setting in Postman I'm missing or is this a bug somewhere?? It seems utterly bizarre to me.

1
finding out with more testing that it works the first time in Postman, and returns a cookie; ONLY if I delete the cookie will the request work - bobomoreno
however it still doesn't work from a javascript api that is NOT sending a cookie (from iOS); still get 403, what is wrong with this endpoint? Can I make it public somewhere?? - bobomoreno

1 Answers

1
votes

Actually, all is correct here.

User should be logged out to access /user/login endpoint (check user.routing.yml). Unlike curl, Postman behaves as a browser, i.e. saves all session cookies, so you are just logged in after first call and can't anymore access login endpoint. You may call /user/logout after logging in to be able to call it again.

Thus, I think your code works properly :)