Skip to content

Instantly share code, notes, and snippets.

@mmcev106

mmcev106/v8.md

Created May 18, 2021 15:41
Show Gist options
  • Save mmcev106/2d45fad345761826a781e3204f6e5d85 to your computer and use it in GitHub Desktop.
Save mmcev106/2d45fad345761826a781e3204f6e5d85 to your computer and use it in GitHub Desktop.
Download ZIP
REDCap External Module Framework Proposed v8 Documentation
Raw
v8.md

Framework Version 8

See the Framework Intro page for more details on framework versions in general.

Breaking Changes

  • A valid redcap_csrf_token parameter is now required on almost all POST requests, but will be automatically added behind the scenes in many cases.

    • Many module pages where the REDCap headers are included will not require any changes because the redcap_csrf_token parameter will automatically be added to static forms and jQuery post() method calls.

    • The redcap_csrf_token POST parameter will need to be added to dynamically generated forms, jQuery ajax() calls, non-jQuery javascript requests, and POST requests on pages where the REDCap headers are not included. In those cases, the $module->getCSRFToken() method should be used to set the value of the redcap_csrf_token POST parameter. All POST requests made by module code should be tested before releasing a module update for this framework version.

    • For the very small number of pages where CSRF tokens should not be required (like custom APIs), pages can be omitted from CSRF checking by added them to config.json as follows (similar fashion to no-auth-pages). See the Configuration Example module for an example. Do NOT abuse this feature by using it in cases where you should be using CSRF tokens:

      {
    "no-csrf-pages": [
        "some-page"
    ]
}
  • If skipping framework versions, do not forget to review/address the breaking changes from all prior framework versions.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment