Unable to send messages via API

[rugarci]

Hi, I am trying to send message via API with

curl -H "Authorization: Bearer mm_v1_39..." -X POST http://host/api/v1/messages -H "Content-Type: application/json" -d '{ "text": "Private message via API", "toNodeId": "!ffffffff" }'

but I am getting this error in HTTP response:
{"error":"CSRF token required. Please refresh the page and try again."}

and in container logs:
[WARN] CSRF validation failed: No request token for POST /v1/messages

Other calls like GET /api/v1/nodes work. Any clue?

Thanks!

[Yeraze]

Root Cause

The CSRF protection middleware was being applied to all /api routes, including the v1 API which uses Bearer token authentication. CSRF protection is designed for browser-based session authentication (cookies), not for API token authentication.

Bearer token authentication is inherently protected against CSRF attacks because:

1. Tokens are not stored in browser cookies
2. Tokens must be explicitly added to the Authorization header
3. Attackers cannot trick a browser into adding a Bearer token to requests

Fix

PR #1191 updates the CSRF middleware to skip protection when a Bearer token is present in the Authorization header.

Once merged, your curl command will work:

curl -H "Authorization: Bearer mm_v1_39..." \
     -X POST http://host/api/v1/messages \
     -H "Content-Type: application/json" \
     -d '{"text": "Private message via API", "toNodeId": "!ffffffff"}'

The fix will be in the next release. Thanks for reporting this!

[TheHobBytes]

Hello,
fix works now, but same problem to send messages to channel with

curl -sS -H "Authorization: Bearer mm_v1_a3a..." -H "Content-Type: application/json" -X POST http://host/api/v1/messages -d '"channel": 0, "text": "API Test", "wantResponse": false}'

getting this error in HTTP response

{"error":"Internal server error","message":"Something went wrong"}

[Yeraze]

@TheHobBytes The issue is with your JSON syntax - it is missing the opening brace {.

Your command:

-d "\"channel\": 0, \"text\": \"API Test\", \"wantResponse\": false}"

Should be:

-d "{\"channel\": 0, \"text\": \"API Test\"}"

The server was returning a generic 500 error because the JSON parsing error was not being handled properly. PR #1280 fixes this to return a helpful 400 error message instead.

In the meantime, try this corrected command:

curl -sS -H "Authorization: Bearer mm_v1_..." \
     -H "Content-Type: application/json" \
     -X POST http://host/api/v1/messages \
     -d "{\"channel\": 0, \"text\": \"API Test\"}"

Note: wantResponse is not a supported parameter - just use channel and text.