Former Member

How do I set the X-CSRF-Token correctly in an Alexa POST Request to SAP HANA? (403 error)

Hello community,

I have a problem with the X-CSRF-Token validation of an HTTPS POST request. The request comes from a Lambda function triggered by an Amazon Alexa skill and is sent to an XSOData file running on the SAP Cloud Platform in an SAP HANA database. I use JavaScript/Node.js.

A valid token is set in the request header (see the code in the first picture below), but the response header shows "required" for the x-csrf-token (see the code in the second picture below). So there is an error with the validation. The same POST request works correctly with Postman, but when I try it via a JS file as a Lambda function (in the first picture) I get this error with HTTP status code 403 (see the code in the second picture below). The POST request itself does work, but the token validation does not. GET requests work fine.


Does anybody know a possible solution?

Thank you very much!



1 Answer

  • Dec 21, 2017 at 12:14 PM

    Hi Jon,

    this might be caused by various things:

    1) You're sending the user's credentials as a base64-encoded string in the Authorization header. Make sure the user has the rights to access the XS service.

    2) Check the .xsaccess file. Do you allow POST requests? (see the "cors" chapter in https://help.sap.com/doc/400066065a1b46cf91df0ab436404ddc/2.0.02/en-US/a9fc5c220d744180850996e2f5d34d6c.html)

    For me this cors config works fine:

    "cors":{"enabled":true,"allowMethods": ["GET","POST","HEAD","OPTIONS"],"allowOrigin": ["*"], "maxAge":"3600"}

    3) Cross-site request forgery tokens have a limited lifetime. Try to generate a new token for every request. Maybe you can translate this JavaScript code into the right AWS Lambda function code. If nested requests are not an option, try to call the service synchronously.

    // Step 1: GET with the special value "Fetch" to ask the server for a token.
    $.ajax({
        type: 'GET',
        url: sUrl,
        headers: {
            "X-CSRF-Token": "Fetch"
        },
        success: function(oData, textStatus, request) {
            // The token is returned in the response header of the same name.
            var sToken = request.getResponseHeader('X-CSRF-Token');
            // Step 2: POST with the fresh token. In the browser the session
            // cookies from step 1 are sent along automatically.
            $.ajax({
                type: 'POST',
                url: sUrl,
                headers: {
                    "X-CSRF-Token": sToken
                },
                success: function(oData) {
                    alert(oData);
                },
                error: function(jqXHR) {
                    alert('POST failed with HTTP status ' + jqXHR.status);
                }
            });
        }
    });
    
    

    Best regards
    Daniel


    • Former Member

      Hi Daniel,

      sorry for the late response.

      I have already tried your suggestions, but unfortunately they do not solve the problem.

      Nevertheless, thank you very much for your answer and your help!

      BR