
How do I set the X-CSRF-Token correctly in an Alexa POST Request to SAP HANA? (403 error)

Dec 19, 2017 at 05:36 PM

Former Member

Hello community,

I have a problem with the x-csrf-token validation with regard to an HTTPS POST request. The request comes from a Lambda function triggered by an Amazon Alexa skill and is sent to an XSOData file running on the SAP Cloud Platform in an SAP HANA database. I use JavaScript/Node.js.

A valid token is set in the request header (see code in the first picture below), but the response header shows "required" for the x-csrf-token (see code in the second picture below). So there is an error with the validation. The same POST request works correctly with POSTMAN, but when I try it via a JS file as a Lambda function (in the first picture), this error comes back with HTTP status code 403 (see code in the second picture below). The POST request itself does work, but the token validation does not. GET requests work fine.


Does anybody know a possible solution?

Thank you very much!


1 Answer

Daniel Degraf
Dec 21, 2017 at 12:14 PM

Hi Jon,

this might be caused by various things:

1) You're sending the user's credentials as a base64-encoded string in the Authorization header. Make sure the user has the rights to access the XS service.

2) Check the .xsaccess file. Do you allow POST requests? (see https://help.sap.com/doc/400066065a1b46cf91df0ab436404ddc/2.0.02/en-US/a9fc5c220d744180850996e2f5d34d6c.html chapter "cors")

For me this cors config works fine:

"cors":{"enabled":true,"allowMethods": ["GET","POST","HEAD","OPTIONS"],"allowOrigin": ["*"], "maxAge":"3600"}

3) Cross-site request forgery tokens have a limited lifetime. Try to generate a new token for every request. Maybe you can translate this JavaScript code into the right AWS Lambda function code. If nested requests are not an option, try to call the service synchronously.

// Step 1: request a fresh token; the service returns it in the X-CSRF-Token response header.
$.ajax({
	type: 'GET',
	url: sUrl,
	headers: {
		"X-CSRF-Token" : "Fetch"
	},
	success: function(oData, textStatus, request) {
		var sToken = request.getResponseHeader('X-CSRF-Token');
		// Step 2: send the POST with the token just fetched, within the same session.
		$.ajax({
			type: 'POST',
			url: sUrl,
			headers: {
				"X-CSRF-Token" : sToken
			},
			success: function(oData) {
				alert(oData);
			}
		});
	}
});

Best regards
Daniel

Former Member

Hi Daniel,

sorry for the late response.

I have already tried your options out but unfortunately it does not solve the problem.

Nevertheless, thank you very much for your answer and your help!

BR
