I am still working on expanding on the latest play-silhouette 6.0.0 seed.
I added a JWT environment in order to expose an API service (annotated by Swagger) for apps.
Everything is working fine (apparently at least).
But when I send a request (a POST request) without the X-Auth-Token header to a secured silhouette.SecuredAction, I get a 500 Undocumented Error: Internal Server Error saying
[RuntimeException: No CSRF token was generated for this request! Is the CSRF filter installed?]
The same happens if the X-Auth-Token is wrong. If instead it is the correct one, the action succeeds.
This does not change even if I add a local error handler in the controller, checking onNotAuthorized, so I guess the issue is deeper and probably rooted more in Play than in Silhouette.
Nevertheless, since I guess this should be quite a common use case for Silhouette, I am asking here. So far I haven't touched the seed configuration regarding CSRF.
Can you help me understand and possibly mitigate this?
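Added illustration (not part of the question above and not the seed's own code): the exact text "No CSRF token was generated for this request! Is the CSRF filter installed?" is what Play's Twirl helper views.html.helper.CSRF raises (via sys.error, hence the RuntimeException) when a template calls CSRF.formField or CSRF.getToken in a request for which the CSRF filter attached no token. In a stateless JWT API that is a symptom worth checking for: if the error handler that runs on a missing or invalid X-Auth-Token renders an HTML view, the unauthenticated request never reaches a 401 and instead fails with a 500. The handler below answers both Silhouette failure cases with JSON status codes only, so no view and no CSRF token is involved. The SecuredErrorHandler trait and its two methods are Silhouette's API; the class name ApiSecuredErrorHandler and the JSON body shape are assumptions for this example.

```scala
// Added example, not the seed's code: a JSON-only SecuredErrorHandler for an
// API authenticated by the X-Auth-Token JWT header. Class name is assumed.
import com.mohiva.play.silhouette.api.actions.SecuredErrorHandler
import play.api.libs.json.Json
import play.api.mvc.{ RequestHeader, Result }
import play.api.mvc.Results.{ Forbidden, Unauthorized }

import scala.concurrent.Future

class ApiSecuredErrorHandler extends SecuredErrorHandler {

  // Missing or invalid X-Auth-Token: answer 401 with a JSON body.
  // No template is rendered, so nothing asks for a CSRF token on this request.
  override def onNotAuthenticated(implicit request: RequestHeader): Future[Result] =
    Future.successful(
      Unauthorized(Json.obj("error" -> "not authenticated", "path" -> request.path))
    )

  // Identity is authenticated but fails the Authorization check: 403, also JSON.
  override def onNotAuthorized(implicit request: RequestHeader): Future[Result] =
    Future.successful(
      Forbidden(Json.obj("error" -> "not authorized", "path" -> request.path))
    )
}
```

Note that a handler supplied only for onNotAuthorized never runs for the case in the question, because a request with no or a wrong X-Auth-Token fails in onNotAuthenticated first. To make the JSON handler apply to that case, bind it globally in the Guice module (bind[SecuredErrorHandler].to[ApiSecuredErrorHandler]) or pass an instance to the action (silhouette.SecuredAction(new ApiSecuredErrorHandler)); the API routes then return 401/403 consistently, and the browser-facing sign-in views with their CSRF form fields stay on the HTML side of the application.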