I’m currently developing an app that will expose some REST API resources so that another system can integrate with Nextcloud.
I wonder why the official tutorial at https://docs.nextcloud.com/server/21/developer_manual/app_development/tutorial.html#adding-a-restful-api-optional recommends adding the @NoCSRFRequired annotation to controller methods. It says:
The only pieces that need to be changed are the annotations which disable the CSRF check (not needed for a REST call usually)
Why should CSRF checking not be needed for REST?
Because if the API allows changing the state of resources, can’t the user be tricked into submitting a forged request?
Side note: I already tried to keep CSRF active and construct a sample script with cURL that sends the CSRF token. Unfortunately I had no success so far.
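For reference, here is an added example (not from the tutorial or the original post) showing the two options side by side in a Nextcloud App Framework controller: a read-only method that carries the @NoCSRFRequired annotation, and a state-changing method that keeps the CSRF check so the SecurityMiddleware rejects cookie-authenticated requests that do not carry the `requesttoken` header. The app id `myapp`, the controller and route names, and the use of IConfig as a trivial per-user store are assumptions made for the example.

```php
<?php
// lib/Controller/NoteApiController.php of a hypothetical app with id "myapp"
declare(strict_types=1);

namespace OCA\MyApp\Controller;

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\DataResponse;
use OCP\IConfig;
use OCP\IRequest;

class NoteApiController extends Controller {
    private IConfig $config;
    private string $userId;

    // $userId is injected by the app container, as in the tutorial's controller
    public function __construct(string $appName, IRequest $request, IConfig $config, string $userId) {
        parent::__construct($appName, $request);
        $this->config = $config;
        $this->userId = $userId;
    }

    /**
     * Read-only endpoint: exempting it from the CSRF check is low risk,
     * because a forged GET cannot change state here.
     *
     * @NoAdminRequired
     * @NoCSRFRequired
     */
    public function show(): DataResponse {
        $note = $this->config->getUserValue($this->userId, $this->appName, 'note', '');
        return new DataResponse(['note' => $note]);
    }

    /**
     * State-changing endpoint: the CSRF check is deliberately kept (no
     * @NoCSRFRequired), so a request authenticated by session cookie must
     * send the CSRF token in the "requesttoken" header or it is rejected
     * by the SecurityMiddleware before this method runs.
     *
     * @NoAdminRequired
     */
    public function update(string $note): DataResponse {
        $this->config->setUserValue($this->userId, $this->appName, 'note', $note);
        return new DataResponse(['note' => $note], Http::STATUS_OK);
    }
}

// appinfo/routes.php (assumed route names for the example)
// return [
//     'routes' => [
//         ['name' => 'note_api#show',   'url' => '/api/v1/note', 'verb' => 'GET'],
//         ['name' => 'note_api#update', 'url' => '/api/v1/note', 'verb' => 'PUT'],
//     ],
// ];
```

With the check kept on `update`, the Nextcloud web frontend can still call it because its JavaScript has the token available as `OC.requestToken` and sends it in the `requesttoken` header; a script or external system that has no page to obtain the token from cannot, which is the situation the tutorial's annotation is meant to address. Which endpoints can safely carry @NoCSRFRequired is therefore a per-method decision: read-only methods are the obvious candidates, while state-changing methods that browsers will call through the session cookie are the ones where the check earns its keep.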