X-csrf-token SAP API POST request

Markus_Fischer1 · December 9, 2021, 7:56am

Hey Community Members,

when sending a POST request to my SAP system I have to send a x-csrf-token in the header.
The x-csrf-token can be fetched by making a GET request.
Hence, in order to make the POST request, I would have to send first a GET request fetching the token, save it somehow and use it later on for the POST request.

My question: How can I implement a logic, in AppGyver to handle this requirement? Could this be achived by simply adding custom javascript code block?

Regards,
Markus

Markus_Fischer1 · December 9, 2021, 9:25am

I think I found a solution for this problem for now.

If you have access to the SAP system you can disable the x-csrf-token mechanism in the SAP system in the transaction SICF. From there you have to finde the node with the API you want to call. Click on details and find the button “GUI_Configuration”. There you can place the following entry: ~CHECK_CSRF_TOKEN=0

You might want to add your logon credentials in the service as well.

Finally, you have to include in your request header:

x-requested-with: “X” and
accept: “application/json”

I hope this might be helpful for some people to get the API to run. However, I guess that this is not the best solution, because you need access to the SAP system. Welcoming any other approaches

This answer is based on the post of the following webpage: https://learntips.net/disable-csrf-token-for-odata-calls-using-sap-netweaver-gateway/

Mari · December 9, 2021, 9:29am

Hi @Markus_Fischer1, an alternative solution would be to use the “HTTP Request” flow function from the marketplace to make the GET call, and save the resulting token to an app variable for use in subsequent requests.

Markus_Fischer1 · December 9, 2021, 12:55pm

Hi @Mari ,
Thank you for your answer. Could you tell me how to get the headers into an app variable? Unforuntately, there is no clear structure of the object of the response header.

I assumed it has the structure of a list with objects which contains the features header and value…
But then I could not assign it to an app variable with this structure.

Mari · December 9, 2021, 2:30pm

You should be able to do it with a formula binding outputs["HTTP request"].resHeaders.map.headerName. It doesn’t work with the binding editor since it cannot be assumed beforehand which headers the response will have.

EDIT: Depending on the server this might only work on mobile though because of browser cross-origin issues, so if you’re developing a web app, the first approach might be better

Atakan_Tokgoz · December 10, 2021, 8:12pm

If you’re building an app for internal use (users logging in via VPN, citrix etc.), I think it’s fine to disable the token. But If it’s going to available for the open web, it makes sense to keep it.

Do you have the Integration Suite? CPI can handle CSRF token with each request. Additionally, APIM could be used. In C4C I use a technical user (similar to a communication user) which bypass the CSRF token altogether. Maybe something similar exists in ERP as well?

Markus_Fischer1 · December 13, 2021, 11:09am

Hey @Mari ,

Unfortunately, I am still not able to receive the header information from my GET request. I attached my current implementation of the logic part below.

HTTP-Request-Block

Alert Block

Might there be still sth wrong with my formula?

Markus_Fischer1 · December 13, 2021, 11:12am

Hi Atakan,

Thanks for the hint. I only have a trial version of the SAP Integration Suite, but I will have a look into it.

Mari · December 13, 2021, 2:07pm

Hi @Markus_Fischer1, if you use that syntax, you’ll need to input the property name as a string resHeaders.map['headerName']

Markus_Fischer1 · December 13, 2021, 2:14pm

Thank you for you reply, but still no luck, even with quotation marks.

Mari · December 13, 2021, 2:21pm

Hi, are you testing on mobile or web? Can you get out for example a 'date' response header (or anything else that the response has)?

Markus_Fischer1 · December 13, 2021, 2:29pm

I am testing on web. Unfortunately, I can’t display any response header.
Those are the response headers which I am expecting based on Postman:

Mari · December 13, 2021, 2:36pm

Hi, like I mentioned in my last comment, the server might have limitations for cross-origin requests, so you might not be allowed to read the response header:

Markus_Fischer1 · December 14, 2021, 1:26pm

After getting some tipps from Mari on how to use the javascript custom code block, I was able to get the required x-csrf-token.

Below my code:

const myHeaders = new Headers({

  'authorization': 'YOUR CREDENTIALS',

  'x-csrf-token': 'fetch',

  'accept': 'application/json'

});

const myRequest = new Request('YOUR API', {

  method: 'GET',

  headers: myHeaders,

  }

);

let response = await fetch(myRequest)

return { result: response.headers.get('x-csrf-token')}

Mari · February 16, 2022, 2:11pm

FYI @Markus_Fischer1 and anyone else who is trying to implement this in the future, the “HTTP Request” flow function’s headers output has been fixed.

You can now get the token in a subsequent node with
outputs["HTTP Request"].resHeaders["x-csrf-token"],
so the JS snippet above is no longer required.

Sinan_Serif_Tosun · March 13, 2023, 11:18am

How to do the HTTP-Request with a PATCH? That would be important as well