I am using an object defined as an XMLHttpRequest in order to do a GET and retrieve information that I am showing in my app. While doing so, I am trying to retrieve the csrfToken in a variable of the same name. However, this returns null. The token is needed because I will be doing a POST later on.
A second question would be: why is the message "CSRF validation failed" being returned when I am passing the hardcoded token in the object's setRequestHeader attribute?
Sample code can be found in the SAP API Business Hub: https://api.sap.com/api/API_MANAGE_WORKFORCE_TIMESHEET/resource
When I try to execute the calls in Postman it works fine so I'm expecting it to work in my UI5 controller as well.
Any help would be highly appreciated!
    onInit: function () {
        //create and set the model for the View
        var model = this.getView().getModel("manageTimesheet");
        this.getView().setModel(model);
        var sUrl = this.getView().getModel("manageTimesheet").sServiceUrl;
        var userResults = new JSONModel({ "data": {} });
        var self = this;
        self.getView().setModel(userResults, "results");

        //Do the GET Operation
        var data = null;
        var xhr = new XMLHttpRequest();
        xhr.withCredentials = false;
        xhr.addEventListener("readystatechange", function () {
            if (this.readyState === this.DONE) {
                console.log(this.responseText);
                //parse only once the response is complete
                var jsonResults = JSON.parse(this.response).d.results;
                self.getView().getModel("results").setProperty("/data", jsonResults);
            }
        });
        //setting request method
        xhr.open("GET", sUrl + "/TimeSheetEntryCollection?$filter=PersonWorkAgreementExternalID eq 'D000012'");
        //adding request headers
        xhr.setRequestHeader("Content-Type", "application/json");
        xhr.setRequestHeader("Accept", "application/json");
        xhr.setRequestHeader("X-CSRF-Token", "Fetch");
        //API Key for API Sandbox
        xhr.setRequestHeader("APIKey", "XXXXXXXXXXXXXXXXXXXXXXX");
        var csrfToken = xhr.getResponseHeader('x-csrf-token');
        xhr.setRequestHeader("Authorization", "Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
        //sending request
        xhr.send(data);

        //doing a POST
        var dataPost = null;
        var xhrPost = new XMLHttpRequest();
        xhrPost.withCredentials = false;
        xhrPost.addEventListener("readystatechange", function () {
            if (this.readyState === this.DONE) {
                console.log(this.responseText);
            }
        });
        //setting request method
        //API endpoint for API sandbox
        xhrPost.open("POST", sUrl + "/TimeSheetEntryCollection", true);
        //adding request headers
        xhrPost.setRequestHeader("Content-Type", "application/json");
        xhrPost.setRequestHeader("Accept", "application/json");
        //API Key for API Sandbox
        xhrPost.setRequestHeader("APIKey", "FW0iwPf79VVtyqdo6PTTok6BdjHAk1hB");
        xhrPost.setRequestHeader('x-csrf-Token', "CeMsHcQ2bv6Pg-tJX0-CjQ==");
        //Basic Authentication
        xhrPost.setRequestHeader("Authorization", "Basic XXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
        //sending request
        xhrPost.send(dataPost);
    }
For the GET I was expecting the csrfToken to be returned, not be null.
For the POST (even though I am sending it with a blank payload), I was expecting it to read the CSRF token (the hardcoded one). Could it be that I am not using the syntax correctly here?
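The token exchange asked about above, as an added example that is not part of the original post: the token is read only after the GET response is DONE, and the POST reuses the same session. Assumptions: `FakeXHR`, `handle`, `jar` and `fetchTokenThenPost` are hypothetical names, and the in-memory server is a constructed stand-in that binds the token to a session cookie, modelling a cross-origin client where `withCredentials` decides whether that cookie travels.

```javascript
// Constructed stand-in service: issues a token on "Fetch" and binds it to a session cookie (assumed).
const server = { sessions: new Map(), next: 1 };
function handle(req) {
  const sid = req.cookie || "sid-" + server.next++;
  const token = req.headers["x-csrf-token"];
  if (req.method === "GET" && token === "Fetch") {
    server.sessions.set(sid, "tok-for-" + sid);
    return { status: 200, cookie: sid, headers: { "x-csrf-token": server.sessions.get(sid) }, body: "{}" };
  }
  if (req.method === "POST" && token && server.sessions.get(sid) === token) return { status: 201, cookie: sid, headers: {}, body: "{}" };
  return { status: 403, cookie: sid, headers: {}, body: "CSRF validation failed" };
}
// Minimal synchronous XMLHttpRequest look-alike (constructed, for offline runs only).
const jar = { cookie: null };
class FakeXHR {
  constructor() { this.DONE = 4; this.readyState = 0; this.withCredentials = false; this.h = {}; this.res = null; }
  open(method, url) { this.method = method; this.url = url; }
  setRequestHeader(k, v) { this.h[k.toLowerCase()] = v; }
  getResponseHeader(k) { return this.res ? this.res.headers[k.toLowerCase()] ?? null : null; }
  addEventListener(_evt, fn) { this.cb = fn; }
  send() {
    this.res = handle({ method: this.method, headers: this.h, cookie: this.withCredentials ? jar.cookie : null });
    if (this.withCredentials) jar.cookie = this.res.cookie; // cookie is stored only with credentials
    this.status = this.res.status; this.responseText = this.res.body; this.readyState = 4;
    this.cb.call(this);
  }
}

// Fetch the token, read it only once the response is DONE, then POST with it.
function fetchTokenThenPost(Xhr, url, withCredentials, done) {
  const get = new Xhr();
  get.withCredentials = withCredentials;
  get.open("GET", url);
  get.setRequestHeader("X-CSRF-Token", "Fetch");
  const tooEarly = get.getResponseHeader("x-csrf-token"); // null: no response exists yet
  get.addEventListener("readystatechange", function () {
    if (this.readyState !== this.DONE) return;
    const token = this.getResponseHeader("x-csrf-token"); // available now
    const post = new Xhr();
    post.withCredentials = withCredentials;
    post.open("POST", url);
    post.setRequestHeader("X-CSRF-Token", token);
    post.addEventListener("readystatechange", function () {
      if (this.readyState === this.DONE) done({ tooEarly, token, postStatus: this.status });
    });
    post.send(null);
  });
  get.send(null);
}
```

Passing the real `XMLHttpRequest` constructor as `Xhr` runs the same sequence in a browser.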