Summary
With the MM server config setting ServiceSettings.ExperimentalStrictCSRFEnforcement enabled, any POST request that does not include the CSRF token supplied by the server will be rejected. In order to include the CSRF header supplied by the MM server, the webapp can use the getOptions method in the mattermost-redux client.
Tasks
- Update
package.json to include the latest commit hash of mattermost-redux, similar to this method. Then run npm install in the webapp directory
- Create a server-side endpoint that requires the HTTP method to be
POST
- Create a HTTP request in the webapp side of the plugin to hit this endpoint
- Ensure
Client.getOptions is used to create options for the request
- An example can be found here
Testing
Enable ExperimentalStrictCSRFEnforcement in the MM server's config/config.json file, then restart the server if it is already running. With this value enabled, the API call will only succeed when including the CSRF token.
Summary
With the MM server config setting
ServiceSettings.ExperimentalStrictCSRFEnforcementenabled, anyPOSTrequest that does not include the CSRF token supplied by the server will be rejected. In order to include the CSRF header supplied by the MM server, the webapp can use thegetOptionsmethod in themattermost-reduxclient.Tasks
package.jsonto include the latest commit hash ofmattermost-redux, similar to this method. Then runnpm installin the webapp directoryPOSTClient.getOptionsis used to create options for the requestTesting
Enable
ExperimentalStrictCSRFEnforcementin the MM server'sconfig/config.jsonfile, then restart the server if it is already running. With this value enabled, the API call will only succeed when including the CSRF token.