Jul 03, 2019 at 10:02 AM

Cannot retrieve csrf-token in order to do a POST for a whitelist SAP API

1343 Views Last edit May 21, 2020 at 03:22 PM 2 rev

I am using an object defined as an XMLHttpRequest in order to do a GET and retrieve information that I am showing in my app. While doing so I am trying to retrieve the CSRF token in a variable of the same name (csrfToken). However, this returns null. The token is needed because I will be doing a POST later on.

A second question would be: why is the message "CSRF validation failed" being returned when I am passing the hardcoded token in the object's setRequestHeader call?

Sample code can be found in the SAP API Business Hub: https://api.sap.com/api/API_MANAGE_WORKFORCE_TIMESHEET/resource

When I try to execute the calls in Postman it works fine so I'm expecting it to work in my UI5 controller as well.

Any help would be highly appreciated!

```javascript
onInit: function () {

    //create and set the model for the View
    var model = this.getView().getModel("manageTimesheet");
    this.getView().setModel(model);
    var sUrl = this.getView().getModel("manageTimesheet").sServiceUrl;
    var userResults = new JSONModel({ "data": {} });
    var self = this;
    self.getView().setModel(userResults, "results");

    //Do the GET Operation
    var data = null;
    var xhr = new XMLHttpRequest();
    xhr.withCredentials = false;
    xhr.addEventListener("readystatechange", function () {
        if (this.readyState === this.DONE) {
            console.log(this.responseText);
            var jsonResults = JSON.parse(this.response).d.results;
            self.getView().getModel("results").setProperty("/data", jsonResults);
        }
    });

    //setting request method
    xhr.open("GET", sUrl + "/TimeSheetEntryCollection?$filter=PersonWorkAgreementExternalID eq 'D000012'");

    //adding request headers
    xhr.setRequestHeader("Content-Type", "application/json");
    xhr.setRequestHeader("Accept", "application/json");
    xhr.setRequestHeader("X-CSRF-Token", "Fetch");
    //API Key for API Sandbox
    xhr.setRequestHeader("APIKey", "XXXXXXXXXXXXXXXXXXXXXXX");
    var csrfToken = xhr.getResponseHeader('x-csrf-token');
    xhr.setRequestHeader("Authorization", "Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");

    //sending request
    xhr.send(data);

    //doing a POST
    var dataPost = null;
    var xhrPost = new XMLHttpRequest();
    xhrPost.withCredentials = false;
    xhrPost.addEventListener("readystatechange", function () {
        if (this.readyState === this.DONE) {
            console.log(this.responseText);
        }
    });

    //setting request method
    //API endpoint for API sandbox
    xhrPost.open("POST", sUrl + "/TimeSheetEntryCollection", true);

    //adding request headers
    xhrPost.setRequestHeader("Content-Type", "application/json");
    xhrPost.setRequestHeader("Accept", "application/json");
    //API Key for API Sandbox
    xhrPost.setRequestHeader("APIKey", "XXXXXXXXXXXXXXXXXXXXXXX");
    xhrPost.setRequestHeader('x-csrf-Token', "CeMsHcQ2bv6Pg-tJX0-CjQ==");
    //Basic Authentication
    xhrPost.setRequestHeader("Authorization", "Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXXX");

    //sending request
    xhrPost.send(dataPost);
}
```

For the GET I was expecting the csrfToken to be returned, not to be null.

For the POST (even though I am sending it with a blank payload) I was expecting it to read the CSRF token (the hardcoded one). Could it be that I am not using the syntax correctly here?
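The handshake the post is trying to implement, as an added example that is not the poster's code and not SAP's: the server only hands out the token in the response to the GET carrying "X-CSRF-Token: Fetch", so the token is readable only inside the completion callback (an XMLHttpRequest's getResponseHeader() returns null while the request is still unsent or merely opened), and the token is bound to the session that issued it, which the server tracks by cookie, so a value copied from another client such as Postman is rejected. The gateway below (makeFakeGateway) is a constructed in-memory stand-in so the flow runs offline; its URLs, header names, "SAP_SESSIONID" cookie and "CSRF token validation failed" message are assumptions for illustration, not a description of the API sandbox. makeXhrTransport is the browser-side equivalent with the same callback shape and is defined but not executed here.

```javascript
// Added example, not the code from the post above. Shows the fetch-then-POST
// order of the CSRF handshake and why a foreign, hardcoded token fails.

function lowerKeys(headers) {
  var out = {};
  Object.keys(headers || {}).forEach(function (k) { out[k.toLowerCase()] = headers[k]; });
  return out;
}

// Constructed stand-in for the OData gateway (assumption, not the real sandbox):
// GET with "X-CSRF-Token: Fetch" returns a fresh token plus a session cookie;
// a POST must present a token issued to that same session or it gets 403.
function makeFakeGateway() {
  var counter = 0;
  var sessions = {};                       // sessionId -> token issued to it
  return function transport(method, url, headers, body, cb) {
    var h = lowerKeys(headers);
    if (!h["authorization"]) return cb({ status: 401, headers: {}, body: "" });
    if (method === "GET") {
      var resHeaders = {};
      if (h["x-csrf-token"] === "Fetch") {
        counter += 1;
        sessions["sess-" + counter] = "tok-" + counter;
        resHeaders["x-csrf-token"] = "tok-" + counter;
        resHeaders["set-cookie"] = "SAP_SESSIONID=sess-" + counter;
      }
      return cb({ status: 200, headers: resHeaders, body: JSON.stringify({ d: { results: [] } }) });
    }
    var sid = (h["cookie"] || "").replace("SAP_SESSIONID=", "");
    if (!sid || sessions[sid] !== h["x-csrf-token"]) {
      return cb({ status: 403, headers: {}, body: "CSRF token validation failed" });
    }
    return cb({ status: 201, headers: {}, body: body });
  };
}

// Step 1: the token exists only once the response has arrived, so it is read
// inside the callback, never right after setRequestHeader() / before send().
function fetchCsrfToken(transport, serviceUrl, baseHeaders, cb) {
  var headers = Object.assign({}, baseHeaders, { "X-CSRF-Token": "Fetch" });
  transport("GET", serviceUrl + "/", headers, null, function (res) {
    var token = res.headers["x-csrf-token"];
    if (res.status !== 200 || !token) return cb(new Error("token fetch failed, HTTP " + res.status));
    cb(null, { token: token, cookie: res.headers["set-cookie"] || "" });
  });
}

// Step 2: POST only after step 1 completed, reusing its token and its session.
function createTimesheetEntry(transport, serviceUrl, baseHeaders, entry, cb) {
  fetchCsrfToken(transport, serviceUrl, baseHeaders, function (err, sess) {
    if (err) return cb(err);
    var headers = Object.assign({}, baseHeaders, {
      "X-CSRF-Token": sess.token,
      "Cookie": sess.cookie,
      "Content-Type": "application/json",
      "Accept": "application/json"
    });
    transport("POST", serviceUrl + "/TimeSheetEntryCollection", headers, JSON.stringify(entry), function (res) {
      cb(null, res);
    });
  });
}

// The pattern from the post: a token obtained in another client, sent without
// the session it belongs to. Kept only to show the 403 it produces.
function postWithForeignToken(transport, serviceUrl, baseHeaders, token, entry, cb) {
  var headers = Object.assign({}, baseHeaders, { "X-CSRF-Token": token, "Content-Type": "application/json" });
  transport("POST", serviceUrl + "/TimeSheetEntryCollection", headers, JSON.stringify(entry), cb);
}

// Browser transport with the same callback shape (assumes a browser
// XMLHttpRequest; not executed here). Response headers become readable only
// once readyState is DONE, which is why getResponseHeader() before send() is null.
function makeXhrTransport() {
  return function transport(method, url, headers, body, cb) {
    var xhr = new XMLHttpRequest();
    xhr.open(method, url, true);
    xhr.withCredentials = true;            // send cookies cross-origin so the issuing session is reused
    Object.keys(headers || {}).forEach(function (k) {
      if (k.toLowerCase() !== "cookie") xhr.setRequestHeader(k, headers[k]); // the browser manages Cookie itself
    });
    xhr.onreadystatechange = function () {
      if (xhr.readyState !== XMLHttpRequest.DONE) return;
      cb({ status: xhr.status,
           headers: { "x-csrf-token": xhr.getResponseHeader("x-csrf-token") || undefined },
           body: xhr.responseText });
    };
    xhr.send(body);
  };
}
```

Two practical notes. Hardcoding a token in client code gains nothing, because the server issues a new one per session, so the client has to perform the Fetch round trip every time and chain the POST behind it. In a UI5 application the usual route is to let the OData model (sap.ui.model.odata.v2.ODataModel) do this handshake itself for its create and update calls rather than driving XMLHttpRequest by hand.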