Skip to Content
Oct 09 at 08:30 PM

Issues with autobatched requests and x-csrf-tokens

229 Views Last edit Oct 09 at 10:09 PM 3 rev


I am trying to upgrade our project from CDS 5.9.5 to 6.1.3. I am getting issues with the new handling of csrf tokens and autobatched requests.

It is "libx/_runtim/remote/utils/client.js" which used to have this

  if (PPPD[requestConfig.method] && cds.env.features.fetch_csrf) {
    requestOptions = { fetchCsrfToken: true }

and now has this

  if (PPPD[requestConfig.method]) {
    // For GET requests, one doesn't need to fetch CSRF tokens.
    // Once we support batch requests (other than autoBatched GET requests),
    // we must check the respective subrequests.
    const csrfRequired = requestConfig._autoBatch ? false : cds.env.features.fetch_csrf === true
    requestOptions = { fetchCsrfToken: csrfRequired }

The endpoint we are accessing is SAP Business ByDesign which does not accept a $batch POST without x-csrf-token even though the actual contained request is a single GET.

Workaround for now is to set the "max_get_url_length" parameter of the service large enough to avoid the autobatched requests. This works so far, but is not a proper solution either.

Can we get an improved way to cope with this? If I may suggest, I think the csrf-related options should sit at service level, not as a global feature flag, and allow for the different flavors other systems adhere to. Otherwise we get into issues whenever we mix remote services with different policies.

Thanks in advance!