The following works on 3 sites but doesn't work on 1. I've restored the site from the backup of another site, and this works, until it doesn't work the next day. I've reinstalled modules.
I make the following POST request:
POST /node?_format=hal_json HTTP/1.1
Content-Type: application/hal+json
Accept-Encoding: gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept: */*
User-Agent: Ruby
Authorization: Basic <authstr>
Connection: close
Host: <domain>
Content-Length: 215
"
<- "{\"_links\":{\"type\":{\"href\":\"https://<domain>/rest/type/node/article\"}},\"title\":[{\"value\":\"2024-03-15 Test\"}],\"body\":[{\"value\":\"\\u003cimg src='' alt='' /\\u003e\",\"format\":\"full_html\"}],\"type\":[{\"target_id\":\"article\"}]}"
where <authstr> and <domain> are my reasonable values. I'm getting <Net::HTTPForbidden 403 Forbidden readbody=true> with message:
"{\"message\":\"The used authentication method is not allowed on this route.\"}"
modules:
HAL @ 1.0.3
HTTP Basic Authentication @ 9.5.11
restui @ 8.x-1.21
RESTful Web Services @ 9.5.11
drupal @ 9.5 something
~ * ~ * ~ * ~
The Solution
As it turned out, the problem was that I created a /node Page, with content: <script>window.location = '/some-redirect'</script> and assigned that as the front page. This is perfectly reasonable behavior. And it broke a POST route, with the error ^ described in the question! I'd say this is a bug in Drupal. Deleting the page that does the JavaScript redirect fixed this issue.
What is also important is that /node is the default homepage route, so you may inadvertently do something on that page, breaking REST. I'd recommend not using /node at all, other than for REST POST'ing.