
Main feature file login-with-cookie.feature

Feature: Login using API

  Scenario: login with csrftoken

    # shared-scope call: the called feature's 'response' is visible here afterwards
    * call read('file:src/test/java/lib/accounts/login/get-middleware-token.feature')
    * print response
    * def csrfmiddlewaretoken = response.token
    * print csrfmiddlewaretoken
    * call read('file:src/test/java/lib/accounts/login/login.feature') { token: '#(csrfmiddlewaretoken)' }

And get-middleware-token.feature looks like this:

Feature: Middleware token

  Scenario: get csrfmiddlewaretoken
    Given url baseUrl + '/token/'
    When method GET
    Then status 200

And login.feature is

Feature: Login using API
  
  Scenario: login
    Given url baseUrl + '/accounts/login/'
    And form field csrfmiddlewaretoken = token
    And form field login = user
    And form field password = password
    And form field next = '/'
    When method POST
    Then status 302

However, when it's run, Karate is sending 2 requests for the login API (I'm assuming because the first one is not getting the session_id), and in the end not logging the user in - getting unauthorized (most likely because it's now dragging 2 csrftokens in the second request).

10:11:15.933 request:
1 > POST https://stage.pollyex.com/accounts/login/
1 > Content-Type: application/x-www-form-urlencoded
1 > Cookie: csrftoken=<token1>
1 > Content-Length: 132
1 > Host: stage.pollyex.com
1 > Connection: Keep-Alive
1 > User-Agent: Apache-HttpClient/4.5.13 (Java/11.0.18)
1 > Accept-Encoding: gzip,deflate
csrfmiddlewaretoken=<middlewaretoken>&login=user&password=password&next=%2F

10:11:16.207 request:
2 > POST https://stage.pollyex.com/accounts/login/
2 > Content-Type: application/x-www-form-urlencoded
2 > Cookie: csrftoken=<token1>
2 > Cookie: csrftoken=<token2> messages=<messages>; sessionid=<session-id>
2 > Host: stage.pollyex.com
2 > Connection: Keep-Alive
2 > User-Agent: Apache-HttpClient/4.5.13 (Java/11.0.18)
2 > Accept-Encoding: gzip,deflate
csrfmiddlewaretoken=<middlewaretoken>&login=user&password=password&next=%2F

I'm doing the same exact call with cypress and it works with no problem. Any idea?

IsabelleT
  • can't make out from this. most likely, the feature is being run twice. I recommend you follow this process: https://github.com/karatelabs/karate/wiki/How-to-Submit-an-Issue – Peter Thomas Mar 14 '23 at 04:22
  • Unfortunately, I can't give anyone access to our app that is using the csrf tokens, and I don't think I have the time to build up a whole new application to be able to reproduce the issue. So I guess I'm out of luck. Not seeing why the feature would be called twice since the call in login-with-cookie.feature only calls it twice. That's the whole code there. – IsabelleT Mar 16 '23 at 16:21
  • the second request has an extra cookie which makes me worried if this is an edge-case bug in karate and the HTTP client is re-trying the request for some reason. so I really do think a way to replicate is needed. you can experiment with setting cookies manually and setting `configure followRedirects = false` – Peter Thomas Mar 17 '23 at 02:37
  • Oh my! You totally solved my issue. Setting `* configure followRedirects = false` made it work. Now there is just one request sent and the user gets logged in. Thanks a lot! – IsabelleT Mar 18 '23 at 04:25
  • that is great to hear. have added an answer, please do mark it as `accepted` (and upvote) to help others – Peter Thomas Mar 18 '23 at 04:42

1 Answer

Confirmed answer from the comments thread: set `* configure followRedirects = false`.

Peter Thomas