Include example of http API call using the mattermost-redux client options #83

Open
mickmister opened this issue Feb 4, 2020 · 3 comments
Labels: Hacktoberfest; Help Wanted (Community help wanted); Up For Grabs (Ready for help from the community. Removed when someone volunteers)

Comments

@mickmister
Contributor

mickmister commented Feb 4, 2020

Summary

With the MM server config setting ServiceSettings.ExperimentalStrictCSRFEnforcement enabled, any POST request that does not include the CSRF token supplied by the server will be rejected. In order to include the CSRF header supplied by the MM server, the webapp can use the getOptions method in the mattermost-redux client.

Tasks

  1. Update package.json to include the latest commit hash of mattermost-redux, similar to this method. Then run npm install in the webapp directory.
  2. Create a server-side endpoint that requires the HTTP method to be POST
  3. Create an HTTP request in the webapp side of the plugin to hit this endpoint
    • Ensure Client.getOptions is used to create options for the request
    • An example can be found here

Testing

Enable ExperimentalStrictCSRFEnforcement in the MM server's config/config.json file, then restart the server if it is already running. With this value enabled, the API call will only succeed when including the CSRF token.

@mickmister mickmister added Help Wanted Community help wanted Up For Grabs Ready for help from the community. Removed when someone volunteers labels Feb 4, 2020
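
Added example (not from this issue, mattermost-redux, or the Mattermost server): a self-contained model of why a POST built through the client's options passes strict CSRF enforcement while a hand-rolled request does not. The `getOptions` function here is a simplified stand-in for `Client.getOptions`; the `MMCSRF` cookie name, the `X-CSRF-Token` header name, the non-strict fallback on `X-Requested-With`, and the plugin route are assumptions, and the sample values are constructed.

```javascript
// Added illustration: a simplified model, not mattermost-redux or server code.
const CSRF_HEADER = 'X-CSRF-Token';   // assumed header name
const CSRF_COOKIE = 'MMCSRF';         // assumed cookie name

// Pull the CSRF token out of a cookie string (document.cookie in a browser).
function csrfFromCookie(cookieString) {
    for (const part of cookieString.split(';')) {
        const [name, ...rest] = part.trim().split('=');
        if (name === CSRF_COOKIE) return rest.join('=');
    }
    return '';
}

// Hypothetical stand-in for Client.getOptions: adds the CSRF header to
// state-changing requests so callers never assemble it by hand.
function getOptions(options, cookieString) {
    const method = (options.method || 'GET').toUpperCase();
    const headers = {'X-Requested-With': 'XMLHttpRequest', ...(options.headers || {})};
    const token = csrfFromCookie(cookieString);
    if (method !== 'GET' && token) headers[CSRF_HEADER] = token;
    return {...options, method, headers};
}

// Length-checked comparison that does not exit early on the first mismatch.
function safeEqual(a, b) {
    if (a.length !== b.length) return false;
    let diff = 0;
    for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
    return diff === 0;
}

// Model of the server-side decision for a cookie-authenticated request.
// Assumption: with strict enforcement off, X-Requested-With alone is accepted.
function serverAccepts(request, sessionCsrf, strict) {
    if (request.method === 'GET') return true;
    const sent = request.headers[CSRF_HEADER] || '';
    if (sent && safeEqual(sent, sessionCsrf)) return true;
    return !strict && request.headers['X-Requested-With'] === 'XMLHttpRequest';
}

// Constructed sample data: cookie values and plugin route are made up.
const cookie = 'MMUSERID=u1; MMCSRF=constructed-token';
const url = '/plugins/com.example.demo/api/v1/hello';
const handRolled = {method: 'POST', headers: {'X-Requested-With': 'XMLHttpRequest'}, body: '{}'};
const viaClient = getOptions({method: 'post', body: '{}'}, cookie);
for (const strict of [false, true]) {
    console.log(url, 'strict=' + strict,
        'hand-rolled:', serverAccepts(handRolled, 'constructed-token', strict),
        'getOptions:', serverAccepts(viaClient, 'constructed-token', strict));
}
```

In this model the hand-rolled request is accepted only while strict enforcement is off, which is the "works in development, breaks in production" case the issue is trying to prevent.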
@hanzei
Contributor

hanzei commented Feb 5, 2020

@mickmister I'm wondering if 2. and 3. should better take place in https://github.com/mattermost/mattermost-plugin-demo. I would like to keep the repo as minimal as possible given that it's often cloned. Let me know what you think.

@mickmister
Contributor Author

mickmister commented Feb 5, 2020

@hanzei Makes sense to me. I just don't want someone to start developing a plugin that requires a webapp side, and then release a build that doesn't work with the CSRF settings on the server. Maybe we instead point to the demo plugin example in this repo's README?

@hanzei
Contributor

hanzei commented Feb 5, 2020

Maybe even add a section to https://developers.mattermost.com/extend/plugins/webapp/best-practices/

@hanzei hanzei changed the title Help Wanted: Include example of http API call using the mattermost-redux client options Include example of http API call using the mattermost-redux client options Feb 28, 2023