Rest Step & CSRF tokens
‎01-21-2025 06:51 AM
Hello! We are trying to make an integration using Flow Designer Actions and REST steps. In the first REST step message, a GET, we fetch a CSRF token in the response headers, and after extracting the token with a script step, we perform a POST message using a REST step, where we try to send it as a header of that message. We can see from the test that the token is sent. However, token authentication fails. We are thinking that maybe the issue is with cookies not transferring between messages, though we are not sure. It is definitely not a username/password issue.
Has anyone done something similar, or does anyone have ideas on headers, etc., that could help with CSRF tokens or cookies? Thanks!

‎01-21-2025 07:46 AM
It sounds like you’re on the right track with extracting the CSRF token and passing it as a header in your POST request. However, for CSRF token authentication to work correctly, some systems also require the session cookies to persist between the GET and POST requests. Here are some suggestions to address this issue:
Steps to Fix the Issue
Ensure Cookie Persistence:
- REST steps in Flow Designer are stateless, so cookies from the GET response might not automatically transfer to the POST request.
- To manage cookies, manually extract them from the GET response headers (e.g., Set-Cookie) and include them in the POST request headers as Cookie.
Verify Token Format:
- Double-check how the CSRF token is passed in the POST request. For many systems, the header might be named something like X-CSRF-Token or Authorization.
- Confirm the exact header format required by the target API.
Check Additional Headers:
- Some APIs require additional headers like Content-Type, Accept, or even custom headers in the POST request.
- Refer to the API documentation of the system you are integrating with.
Script Step for Cookies and Token:
- In your script step after the GET request, extract the Set-Cookie header and parse the cookie values.
- Combine the cookies and token into the correct header formats for the POST step.
Example Code for Script Step:
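```javascript
var responseHeaders = steps.rest_step_name.response.headers;
var csrfToken = responseHeaders['X-CSRF-Token']; // Update key as needed
// Set-Cookie may be missing, a single string, or an array of strings
var cookies = [].concat(responseHeaders['Set-Cookie'] || []);
// Keep only the name=value pair of each cookie, dropping attributes such as Path
var formattedCookies = cookies.map(function (c) {
    return c.split(';')[0];
}).join('; ');
// Output token and cookies for use in next step
outputs.csrfToken = csrfToken;
outputs.cookies = formattedCookies;
```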
Include in POST Headers:
- In the POST REST step, add:
  - X-CSRF-Token: ${outputs.csrfToken}
  - Cookie: ${outputs.cookies}
Debugging Tips
- Test the POST request in tools like Postman first, ensuring headers and cookies are set correctly.
- Use logging in the script step to verify that the token and cookies are extracted properly.
If this resolves your issue, please mark this as the answer and press the Helpful button to support others facing similar challenges. 😊
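
An added example, not part of either post above: it goes beyond the answer's snippet by handling a `Set-Cookie` value that arrives as one comma-folded string (where `Expires` dates contain commas) and header names in any letter case. The function names and sample header values are constructed, and it assumes, as the answer suggests, that the target system ties the CSRF token to the session cookie issued by the GET.

```javascript
// Added example: helper names and sample values are constructed, not from the thread.

// Header names are case-insensitive, so look them up without relying on exact casing.
function getHeader(headers, name) {
    var wanted = name.toLowerCase();
    for (var key in headers) {
        if (Object.prototype.hasOwnProperty.call(headers, key) && key.toLowerCase() === wanted) {
            return headers[key];
        }
    }
    return undefined;
}

// Accept an array of Set-Cookie values or one comma-folded string. Split only on commas
// that begin a new "name=" pair, so the comma in "Expires=Wed, 21 Jan ..." is kept.
function splitSetCookie(value) {
    if (!value) { return []; }
    var parts = Array.isArray(value) ? value : [value];
    var out = [];
    parts.forEach(function (p) {
        String(p).split(/,(?=\s*[^;,=\s]+=)/).forEach(function (c) {
            if (c.trim()) { out.push(c.trim()); }
        });
    });
    return out;
}

// Build the two headers the POST needs: the token and the cookies it was issued with.
function buildPostHeaders(getResponseHeaders, tokenHeaderName) {
    var token = getHeader(getResponseHeaders, tokenHeaderName);
    var pairs = splitSetCookie(getHeader(getResponseHeaders, 'Set-Cookie'))
        .map(function (c) { return c.split(';')[0].trim(); });
    if (!token) { throw new Error('GET response has no ' + tokenHeaderName + ' header'); }
    if (pairs.length === 0) { throw new Error('GET response set no cookies'); }
    var headers = { Cookie: pairs.join('; ') };
    headers[tokenHeaderName] = token;
    return headers;
}

// Constructed sample of a GET response's headers (single folded Set-Cookie string).
var sampleGetHeaders = {
    'x-csrf-token': 'tok-CONSTRUCTED-123',
    'set-cookie': 'SESSIONID=abc123; Path=/; Expires=Wed, 21 Jan 2026 07:28:00 GMT; HttpOnly, XSRF=def456; Secure'
};
console.log(buildPostHeaders(sampleGetHeaders, 'X-CSRF-Token'));
```

Failing loudly when the token or cookies are missing makes it clear in the script step's log which half of the pair the GET did not return.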