In this article, we will show you how you can retrieve a CSRF token and a cookie from the response headers of a REST call, and use both values as input parameters in another REST call to authorize requests.
What is a CSRF Token?
CSRF stands for ‘Cross-Site Request Forgery’ and is a type of malicious attack on web-based applications. In CSRF attacks, malicious commands are unknowingly submitted from trusted users. If a user has logged in successfully to an application, this user is authorized to send commands (for example, to create/update data) to the backend. In CSRF attacks, these commands are sent in the background, without the user knowing. Since the user authorization and parameters of these commands come from a trusted source, the command will be treated as valid and therefore be executed.
To prevent CSRF attacks, web applications using JavaScript can use the so-called ‘cookie-to-header token‘ technique. In this technique, a cookie is generated by the application, containing a random token for the session. This random token is then added to the header parameters (CSRF token header) of each request to the server, and the server can validate the request.
Read more about this topic in this article.
The Cookie-to-Header Token Technique in Simplifier
In the following section, we show you how to integrate a REST API that uses the ‘cookie-to-header token’ technique in Simplifier.
Step 1: Retrieve the CSRF Token and the Cookie
First, we need to request a CSRF token and a cookie from the server via REST API. The exact parameters required for this request depend on the REST API that you are using.
In our example, we have a REST connector called ‘Test’. This connector has a call called ‘getToken’. With this call, a CSRF token and a cookie are requested from the server. The CSRF token and the cookie are sent as response headers. To include these response headers in the result, we switch to the advanced view of the connector call detail view and add an additional input parameter: ‘configuration/http/verbosity/headers‘. We set its value to ‘Verbose‘. With this additional configuration, the result of the connector call also includes the response headers. Read more about additional connector parameters in our documentation.
We are going to use this connector call in a server-side business object and store the result.
Then, we extract the values for the CSRF token and the cookie from the result object. In our example, this looks like this (however, always check how your result object is structured):
var oResult = Simplifier.Connector.Test.getToken().result;
var myToken = oResult.Headers["x-csrf-token"].value;
var aCookies = oResult.Headers.filter(function(oHeader) {
return oHeader.name === "Set-Cookie";
});
Next, we have to extract the relevant part (CSRF part) from the cookie, since it usually also contains other information. In our example, we achieve this by using the JavaScript ‘map’ function. To check if we have extracted the correct part, we can use the Simplifier Log API and log the value of the cookie. The log entry is visible in the Logs and Monitoring section, under the tab ‘Logs’.
var sCookie = aCookies.map(function(oCookie) {
return oCookie.value.split(";")[0];
}).join("; ");
Simplifier.Log.info("cookie " + sCookie, sCookie);
Step 2: Use the CSRF Token and the Cookie in another call
Now that we have extracted the CSRF token and the cookie, we can use both values to authorize other requests.
In our example, we use them as header parameters for the connector call ‘PatchCorporateAccountCollection’.
In our server-side business object function, we call this connector call with the respective retrieved values of the CSRF token and the cookie:
var patchRequest = Simplifier.Connector.Test.PatchCorporateAccountCollection({
path: "CorporateAccountCollection('" + input.objectid + "')",
postBody: {
"ERP_ID_KUT": input.ERP_KUT_ID
},
token: myToken,
cookie: sCookie // cookie can look like this: "sap-login-XSRF_LP8=20220804073501-9ymw9yQLYRRTWVtpZ1QfYA%3d%3d;"
});
output = patchRequest;
The values of the CSRF token and the cookie will now be validated by the server. If the validation is successful, the request will be executed.
