e621ng / e621ng

e621.net

Modification Routes Error With No Auth

DonovanDMC opened this issue · comments

When using JSON, if no auth is provided, an empty error is returned. The error is for a missing CSRF token. CSRF tokens shouldn't be checked on api requests at all, since they should never be present.

{
    "success": false,
    "message": "An unexpected error occurred.",
    "code": null
}

I'm not seeing why this should be any different than all other pages. Could you give it a try with removing the detect_xhr before_action in the controller?

Same issue with that removed

Eh, alright. I'll take a look at this when I get rid of the old iqdb implementation, or give this a shot yourself (if you want)

Works just fine with a GET request, however.

Well, I have figured it out. This does happen in the other routes, POST /wiki_pages.json and POST /uploads.json for example, routes I tested and saw the same. So it's more that CSRF is being checked if API authentication isn't present, even if the response format is JSON. If the CSRF check didn't happen, the expected Access Denied response would be returned (on other routes, you'd get through fine here).

Though IQDB specifically, I'm seeing a plain null returned when not providing any parameters. That's probably something that should be changed to the relevant format for each, or return an error.

Works just fine with a GET request, however.

CSRF protection is disabled for GET requests.

I don't really feel like touching this:

skip_forgery_protection if: -> { SessionLoader.new(request).has_api_authentication? || request.options? }

The easiest solution to me is changing the error from unexpected to expected with some nice message:

when ActionController::InvalidAuthenticityToken
    render_error_page(403, exception)
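The two snippets above are the whole mechanism: the conditional `skip_forgery_protection` decides whether the CSRF check runs at all, and the `rescue`/`when` branch decides what an anonymous JSON client sees when it fails. The following is an added example, not e621ng's code, that simulates both in plain Ruby with no Rails dependency so the before/after behaviour can be run side by side. `Request`, the `SessionLoader` stand-in (which treats `login` plus `api_key` params as API authentication), the constructed `CSRF_TOKEN`, and the `handle_*` method names are all assumptions made for illustration.

```ruby
# Added example: simulates Rails' forgery protection as discussed in this
# thread. Names below are illustrative assumptions, not e621ng's real classes.

module ActionController
  class InvalidAuthenticityToken < StandardError; end
end

# Stand-in for a Rack request (constructed for this example).
Request = Struct.new(:verb, :headers, :params, keyword_init: true) do
  def get?;     verb == "GET";     end
  def head?;    verb == "HEAD";    end
  def options?; verb == "OPTIONS"; end
end

# Stand-in for e621's SessionLoader: API authentication is present when both
# login and api_key params are supplied (assumption for the example).
class SessionLoader
  def initialize(request)
    @request = request
  end

  def has_api_authentication?
    params = @request.params
    !params["login"].to_s.empty? && !params["api_key"].to_s.empty?
  end
end

class ApiController
  CSRF_TOKEN = "constructed-session-token" # constructed value for the example

  # Mirrors `skip_forgery_protection if: -> { ... }` quoted in the thread.
  def skip_forgery_protection?(request)
    SessionLoader.new(request).has_api_authentication? || request.options?
  end

  # Rails only verifies state-changing verbs; GET/HEAD always pass, which is
  # why the GET variant of the endpoint "works just fine".
  def verified_request?(request)
    return true if request.get? || request.head?
    token = request.params["authenticity_token"] || request.headers["X-CSRF-Token"]
    token == CSRF_TOKEN
  end

  def verify_authenticity_token!(request)
    return if skip_forgery_protection?(request) || verified_request?(request)
    raise ActionController::InvalidAuthenticityToken
  end

  # The action itself, reached only once the checks pass.
  def action(_request)
    [200, { "success" => true }]
  end

  # Before the fix: the token error falls through to the generic handler and
  # the client gets the opaque body shown at the top of the thread.
  def handle_without_rescue(request)
    verify_authenticity_token!(request)
    action(request)
  rescue StandardError
    [500, { "success" => false, "message" => "An unexpected error occurred.", "code" => nil }]
  end

  # After the fix: InvalidAuthenticityToken is rendered as an explicit 403
  # with a message that tells the client what went wrong.
  def handle_with_rescue(request)
    verify_authenticity_token!(request)
    action(request)
  rescue ActionController::InvalidAuthenticityToken
    [403, { "success" => false,
            "message" => "Invalid authenticity token; API requests must authenticate with login and api_key.",
            "code" => nil }]
  rescue StandardError
    [500, { "success" => false, "message" => "An unexpected error occurred.", "code" => nil }]
  end
end

if __FILE__ == $PROGRAM_NAME
  ctl = ApiController.new
  anon_post = Request.new(verb: "POST", headers: {}, params: {})
  p ctl.handle_without_rescue(anon_post) # 500, "An unexpected error occurred."
  p ctl.handle_with_rescue(anon_post)    # 403 with the descriptive message
end
```

Running it shows the four cases the thread walks through: an anonymous POST fails the check (500 before, 403 after), the same POST with `login`/`api_key` skips the check entirely, a GET passes regardless, and a browser-style POST carrying the session's token passes. Note that skipping the check for API-authenticated requests is safe only because a cross-site attacker cannot forge the `api_key` credential, whereas dropping it for unauthenticated form posts would reopen classic CSRF.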

I don't really feel like touching this:

I really don't blame you there

The easiest solution to me is changing the error from unexpected to expected with some nice message:

Having a proper error message there would be nice, so we at least know what's happening

Though for IQDB specifically, is there really a reason for it to have CSRF protection? I'm sure it's a default of forms and not a deliberate decision, but surely it could be disabled on that route. I can't see any reason for it to require CSRF protection besides maybe mitigating spam by unauthenticated users, and that's shaky at best.

IQDB is already rate limited to 1 request every 2 seconds for everyone. This endpoint really should be GET, but you must also be able to upload files. There should be something I can use to skip CSRF per controller. Just putting skip_forgery_protection in it seems like it should do the job just fine.

This endpoint really should be GET but you must also be able to upload files.

I honestly didn't even know it could be a GET until faucet mentioned it. I was specifically uploading a file, though, when testing.