0

I am trying a POST operation on an SAP Hybris C4C entity.

I came across many blogs where it was mentioned that we need to send an X-CSRF-Token during the POST, which can first be retrieved using a GET operation.

I was able to do that successfully using Postman, as Postman stores the cookie, which avoids the CSRF token validation failure.

But I actually want to call this using golang, and I was getting the error "CSRF token validation failed" every time. Then, after going through many blogs, I found that we not only have to set X-CSRF-Token but also Cookie, so that the HTTP POST is not treated as a new session. Otherwise the CSRF token we sent does not match the current session, causing the error.

Even after following the above two leads, I am still getting the error. Below is the code snippet; I am not sure what else is missing.

Code snippet:

```go
auth := "******:*****"
basicAuth := base64.StdEncoding.EncodeToString([]byte(auth))

// Step 1: GET the service root with "X-Csrf-Token: Fetch" to obtain a token.
geturl := "https://******.crm.ondemand.com/sap/c4c/odata/v1/c4codataapi"
req, _ := http.NewRequest("GET", geturl, nil)
req.Header.Set("Authorization", "Basic "+basicAuth)
req.Header.Set("X-Csrf-Token", "Fetch")
cli := &http.Client{}
res, _ := cli.Do(req)

inputMap := make(map[string]interface{})
inputMap["PriorityCodeText"] = "Normal"
inputJSON, _ := json.Marshal(inputMap)

// Step 2: POST with the fetched token and the session cookie.
url := "https://*******.crm.ondemand.com/sap/c4c/odata/v1/c4codataapi/OpportunityCollection"
request, _ := http.NewRequest("POST", url, bytes.NewBuffer(inputJSON))
request.Header.Set("Authorization", "Basic "+basicAuth)
request.Header.Set("X-Csrf-Token", res.Header.Get("X-Csrf-Token"))
// Header.Get returns only the first Set-Cookie value, attributes included.
request.Header.Set("Cookie", res.Header.Get("Set-Cookie"))
request.Header.Set("X-Requested-With", "XMLHttpRequest")
request.Header.Set("Content-Type", "application/atomsvc+xml")
request.Header.Set("DataServiceVersion", "2.0")
//request.Header.Set("Accept", "application/atom+xml")
client := &http.Client{}
resp, _ := client.Do(request)
fmt.Printf("Response status code is: %d", resp.StatusCode)
jsonResponseData, _ := ioutil.ReadAll(resp.Body)
fmt.Printf("Response is: %s", jsonResponseData)
```
Sandra Rossi
Asha Kabra
  • There could be more than one cookie needed for the session here. Better than copying cookies, use a cookie jar that takes care of cookie handling. This could help: https://stackoverflow.com/questions/12756782/go-http-post-and-use-cookies#19386573 – gp. Oct 07 '18 at 12:08

2 Answers

1

It worked! As mentioned by @gp, I had to copy all the cookies instead of just setting the header. I made the change below in the code snippet:

```go
//request.Header.Set("Cookie", res.Header.Get("Set-Cookie"))
for _, c := range res.Cookies() {
    request.AddCookie(c)
}
```
Asha Kabra
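The cookie-jar approach suggested in the comment, shown as an added example that is not code from the original posts: one client with a jar performs both the token fetch and the POST, so every cookie set by the fetch is replayed. The `fakeC4C` server, its cookie names `sid` and `ctx`, and the token `tok-s1` are constructed stand-ins so the program runs offline; Basic auth is left out and the JSON content type is an assumption.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"strings"
)

// fakeC4C is a constructed stand-in server: the token fetch sets two cookies; a POST needs both plus the token.
func fakeC4C() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		has := func(name string) bool { _, err := r.Cookie(name); return err == nil }
		if r.Method == http.MethodGet {
			http.SetCookie(w, &http.Cookie{Name: "sid", Value: "s1", Path: "/"})
			http.SetCookie(w, &http.Cookie{Name: "ctx", Value: "c1", Path: "/"})
			w.Header().Set("X-CSRF-Token", "tok-s1")
		} else if !has("sid") || !has("ctx") || r.Header.Get("X-CSRF-Token") != "tok-s1" {
			http.Error(w, "CSRF token validation failed", http.StatusForbidden)
		} else {
			w.WriteHeader(http.StatusCreated)
		}
	}))
}

// fetchThenPost fetches the token and POSTs on the same client; with a Jar set, every cookie from the fetch is replayed.
func fetchThenPost(c *http.Client, base, body string) (int, error) {
	get, _ := http.NewRequest(http.MethodGet, base, nil)
	get.Header.Set("X-CSRF-Token", "Fetch")
	res, err := c.Do(get)
	if err != nil {
		return 0, err
	}
	res.Body.Close()
	post, _ := http.NewRequest(http.MethodPost, base+"/OpportunityCollection", strings.NewReader(body))
	post.Header.Set("X-CSRF-Token", res.Header.Get("X-CSRF-Token"))
	post.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(post)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	jar, _ := cookiejar.New(nil)
	fmt.Println(fetchThenPost(&http.Client{Jar: jar}, fakeC4C().URL, `{"PriorityCodeText":"Normal"}`))
}
```

Passing a client without a jar to the same function makes the stand-in server answer 403, which mirrors the "CSRF token validation failed" symptom from the question.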
0

I face it with Tomcat 9 sometimes; in my case, just logging out and logging back in solves the issue.
It seems that the Java app was using an expired cookie but didn't redirect me to the logout page by mistake.

Hasnaa Ibraheem