Authentication in Newman using XSRF-TOKEN and Cookies: I'm obtaining 200 in Postman and 401 in Newman

I’m a beginner in Newman and trying to make a proof of concept to evaluate this tool.
I’ve used it before but with basic authentication and never had this kind of problem.
The thing is, I’m obtaining different results, running the same collection from Postman and from Newman.

The collection is pretty simple:

    1. login request: POST /login
    2. create item request: POST /my-api/items

The issue is with the second request. From Postman, I get a 200 OK, and from Newman, the same request returns 401 Unauthorized.
So, it seems to be an issue with the authorization.

This is what I know about how the authorization works for this API:
It consists of 2 things:

  • An XSRF-TOKEN that is passed as header (x-xsrf-token)
  • and 2 cookies (xsrf-token and session).

These values are obtained from the login request, specifically from the response headers, where we have 2 Set-Cookie headers with the corresponding values for the cookies. The xsrf-token that is then passed as a header is the same value that is stored as a cookie.

How I’m obtaining the values and using them

  1. In the request 1 (login) I have the following code in the Test tab:
// Save cookies from response headers to use it in subsequent requests 
const cookies = pm.response.headers.all().filter(headerObj => headerObj.key === 'Set-Cookie').map(headerObj => headerObj.value.split(';')[0]);
pm.environment.set('cookies', cookies.join('; '));

// Save XSRF token obtained from the set-cookie header to use it in subsequent requests
// decodeURIComponent decodes every %3D; replace('%3D','=') only handled the first one
const xsrf_token = decodeURIComponent(cookies[0].split('=')[1]);
pm.environment.set("X-XSRF-TOKEN", xsrf_token);

If I print the saved values I obtain something like this:

eyJpdiI6IkNKTjhwTFlVSi9oM3pMelpaQnlJdVE9PSIsInZhbHVlIjoiWlo5eTJmNEJMUVo4Sk9FY3ZjNFNDbWpQNkswK1JzMnhXeS9WeE0zM3Y0cG51ZWo4RGRXNjdqbFEwSWVmSHBRTHIvZkkwRjkxRzFpRC9Gck9tTkpXdE8xVFdkcWtPaUV2MGdCSXY3V3lTcm9Qam1ocWFvSkorUzlMbStneURFRDEiLCJtYWMiOiIzODJhOTlhZjM4NTI0MTU2MDYzMmMxNzYwODc3MjY2YzFlN2M5N2VlNmEwNjk5M2ZlODg2ZjVmMTdjOWY2OWM1IiwidGFnIjoiIn0=

XSRF-TOKEN=eyJpdiI6IkNKTjhwTFlVSi9oM3pMelpaQnlJdVE9PSIsInZhbHVlIjoiWlo5eTJmNEJMUVo4Sk9FY3ZjNFNDbWpQNkswK1JzMnhXeS9WeE0zM3Y0cG51ZWo4RGRXNjdqbFEwSWVmSHBRTHIvZkkwRjkxRzFpRC9Gck9tTkpXdE8xVFdkcWtPaUV2MGdCSXY3V3lTcm9Qam1ocWFvSkorUzlMbStneURFRDEiLCJtYWMiOiIzODJhOTlhZjM4NTI0MTU2MDYzMmMxNzYwODc3MjY2YzFlN2M5N2VlNmEwNjk5M2ZlODg2ZjVmMTdjOWY2OWM1IiwidGFnIjoiIn0%3D; app_session=eyJpdiI6IkhORGRvRC9CQW5nWDZCOXl3LzNUb1E9PSIsInZhbHVlIjoiZW9CZHQ2R09ZcHRjc3VLaVZEUDE0cTlJSzdMVnlGa3JCQ0VycXNxM08yaEljVlBBbXFxS2lOYUdzaTdEK2R1OGZoc2xCenFId0FCMnp2bmNFck9kRHdNOTRGdGRvL1FkaFUxcmJHekx5Wm14KzFhU3RiWTd3QjBuNm1KWS8wZEUiLCJtYWMiOiJmNjhhZDQ3NDgwODE3M2E5MTA3NGIwM2E0OWFkZmRlZTA0YmNmMTNkMDZkZjQyZjk1ZjBhZTIxYjJiN2FmNDZkIiwidGFnIjoiIn0%3D

  2. In the request 2 (create item) I do the following in the pre-request tab:
pm.request.headers.add({
  key: "X-XSRF-TOKEN",
  value: pm.environment.get("X-XSRF-TOKEN")
});
pm.request.headers.add({
  key: "Cookie",
  value: pm.environment.get("cookies")
});

Note: Also tried inserting the variables directly in headers, e.g. Cookie: {{cookies}}, but with the same result.

So, if I run this from Postman, this second request responds with 200 and the item is created (expected response).
When running it from Newman I get 401.

Newman command I’m using:

newman run "Collection.postman_collection.json" -e "Develop.postman_environment.json" -r htmlextra,cli,json --reporter-htmlextra-export testResults/htmlreport.html --reporter-json-export verbose-report.json > testResults/output-log.log --verbose

Note: Also tried running the same with Postman CLI instead of Newman and got the same result.

Things I’ve tried without success:

  1. Check that collection is correctly exported and the same for the environment file. I also tried collection v2 and v2.1.

  2. Inspect the reports carefully to see if the headers are being sent correctly. All seems to be ok. I also compared it to request inspection from the browser navigating the app UI and didn’t notice any difference.

  3. Obtain values from Postman (cookies and token), hardcode it to request 2, export, and run with Newman -> it works. 200 obtained.

  4. Vice versa: Obtained values from Newman run, copy and hardcode it to postman -> It doesn’t work. 401 reproduced.

  5. I’ve checked carefully the values for the cookies and token, spaces and so on, and all seems to be ok.

Has anyone had a problem like this? Any other ideas to try?
Thanks in advance
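The extraction step from the login Tests script, as an added example that is not part of the original post: it looks cookies up by name instead of by position, keeps the Cookie header values exactly as received, and percent-decodes only the copy sent as X-XSRF-TOKEN. The header values, host names and helper names (`parseSetCookies`, `buildAuth`, `jarWouldSend`) are constructed for illustration; `jarWouldSend` applies the RFC 6265 domain-match rule, the kind of host restriction a later reply in this thread mentions.

```javascript
// Constructed sample: header list shaped like pm.response.headers.all(), with
// short placeholder values instead of real tokens.
const sampleHeaders = [
  { key: 'Content-Type', value: 'application/json' },
  { key: 'set-cookie', value: 'app_session=c2Vzc2lvbg%3D%3D; Path=/; HttpOnly; SameSite=Lax' },
  { key: 'Set-Cookie', value: 'XSRF-TOKEN=dG9rZW4%3D%3D; Path=/; Domain=api.example.test' },
];

// Parse every Set-Cookie header (name match is case-insensitive) into
// { name, value, attrs }. Only the first '=' separates name from value.
function parseSetCookies(headers) {
  return headers
    .filter(h => h.key.toLowerCase() === 'set-cookie')
    .map(h => {
      const [pair, ...rest] = h.value.split(';').map(s => s.trim());
      const eq = pair.indexOf('=');
      const attrs = {};
      for (const a of rest) {
        const i = a.indexOf('=');
        const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
        attrs[k] = i === -1 ? true : a.slice(i + 1);
      }
      return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
    });
}

// Build what request 2 needs: the Cookie header keeps values as received,
// X-XSRF-TOKEN carries the percent-decoded XSRF-TOKEN cookie, found by name.
function buildAuth(headers, tokenCookie = 'XSRF-TOKEN') {
  const cookies = parseSetCookies(headers);
  const token = cookies.find(c => c.name === tokenCookie);
  if (!token) throw new Error(`no ${tokenCookie} cookie in login response`);
  return {
    cookieHeader: cookies.map(c => `${c.name}=${c.value}`).join('; '),
    xsrfHeader: decodeURIComponent(token.value),
  };
}

// RFC 6265 domain-match: without a Domain attribute the cookie goes back only
// to the host that set it; with one, to that domain and its subdomains.
function jarWouldSend(cookie, setByHost, requestHost) {
  const domain = (cookie.attrs.domain || '').replace(/^\./, '').toLowerCase();
  const host = requestHost.toLowerCase();
  if (!domain) return host === setByHost.toLowerCase(); // host-only cookie
  return host === domain || host.endsWith('.' + domain);
}
```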

Hi, did you get a resolution for this issue? I am having the same issue passing cookies using Newman. Please help.

No :( I just quit on this for the moment. If you find something useful, please update it here!

I ran into the same problem. I solved it by doing two things.

  1. Execute with the same collection file. Do not use --folder to run individual files at this time.
    example:
    OK
    newman run "collections/login-collection.json"
    NG
    newman run "collections/collection.json" --folder "login"
    newman run "collections/collection.json" --folder "get item"

  2. Reconsidered the issue where cookies could not be obtained because of hostname restrictions caused by different request hosts between Postman and Newman.
    My request was as follows.