Issues with antiforgery token

Hi,
I'm working on testing some REST functionality for a piece of software called DeskAlerts.

They require an antiforgery token, which I am able to GET. I'm trying to write the response to a variable that I can then pass in a following POST action, but it isn't working quite the way I'd hoped, and I'm really new and don't understand where I've gone awry.

Here is a link to my public workspace:
Link!

I'm using a variable for the login information and for the required X-XSRF-TOKEN header, so I've set these variables in the collection:
X-XSRF-TOKEN-VAR
salted-password
DeskAlertsURL
username

Everything except X-XSRF-TOKEN-VAR is a static value.

My first GET is to {{DeskAlertsURL}}api/xsrf/get and I get a 200 response that looks like:

Response Headers
Cache-Control: no-cache, no-store
Pragma: no-cache
Transfer-Encoding: chunked
Set-Cookie: XSRF-TOKEN= ***"redacted token"*** g; path=/DeskAlerts11; secure; samesite=strict
X-XSS-Protection: 0
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
X-Robots-Tag: noindex
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Embedder-Policy: credentialless
X-Permitted-Cross-Domain-Policies: none
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=*, battery=(), camera=(self), microphone=(self), cross-origin-isolated=(self), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(self), execution-while-out-of-viewport=(self), fullscreen=(self), geolocation=(), gyroscope=(), keyboard-map=(self), magnetometer=(), midi=(), navigation-override=(), payment=(), picture-in-picture=*, publickey-credentials-get=(self), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), idle-detection=(), interest-cohort=(), serial=(), trust-token-redemption=(self), unload=(self), window-placement=()
Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self'; script-src-elem 'self' 'sha256-Tui7QoFlnLXkJCSl1/JvEZdIXTmBttnWNxzJpXomQjg=' 'sha256-RXalPXiNXlX9oQxka8DgO1bOIiBEaCf4ecT1g7JAqPc=' 'sha256-BPFoXbRGZBEj69I/bDwp1dKeBQ2oiny6BS1QlrFnkwM='; script-src-attr 'self'; style-src 'self' 'unsafe-inline'; img-src * 'self' data: blob:; font-src 'self'; connect-src https: wss:; media-src * 'self' data: blob:; object-src 'none'; child-src 'none'; frame-src *; worker-src 'self'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests;  block-all-mixed-content; manifest-src 'self'; report-uri https://dadebug.report-uri.com/r/d/csp/enforce
Strict-Transport-Security: max-age=7776000
X-POWERED-BY: nonsense
X-ASPNET-VERSION: nonsense
Date: Tue, 27 Feb 2024 17:07:17 GMT
X-CDN: Imperva
X-Iinfo: 7-29031695-29031698 SNNN RT(1709053618264 19207) q(0 0 0 -1) r(0 0) U24

(No body, just the cookie; I assume that is expected behavior?)

The next request in the collection is a login POST action that requires that X-XSRF-TOKEN header.

I'm using a pre-request script to get the token from the collection variable:
pm.collectionVariables.get("X-XSRF-TOKEN-VAR");

with a POST to {{DeskAlertsURL}}api/account/login including X-XSRF-TOKEN in the header (it's actually the only non-auto-generated header).

But I get a response I don't understand, a 415 Unsupported Media Type:

Request Headers
X-XSRF-TOKEN: ***redacted***
User-Agent: PostmanRuntime/7.36.3
Accept: */*
Postman-Token: 8ce83b80-11c6-4a9e-a8f1-aed292184f30
Host: deskalerts.ipf.msu.edu
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: .AspNetCore.Antiforgery.awpUR7lE5Fk=***redacted***; incap_ses_1426_3027157=vqJmboAP/ioidBMZSCzKE0UZ3mUAAAAATyhm17e1660t7xKdQQ6RVQ==; visid_incap_3027157=Oc6p79TWSEq0G3MkL1ozQ3fJ1GUAAAAAQUIPAAAAAAD4/rK7u36bsSuoFH2iE0e+
Content-Length: 0
Request Body
Response Headers
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
X-XSS-Protection: 0
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
X-Robots-Tag: noindex
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Embedder-Policy: credentialless
X-Permitted-Cross-Domain-Policies: none
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=*, battery=(), camera=(self), microphone=(self), cross-origin-isolated=(self), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(self), execution-while-out-of-viewport=(self), fullscreen=(self), geolocation=(), gyroscope=(), keyboard-map=(self), magnetometer=(), midi=(), navigation-override=(), payment=(), picture-in-picture=*, publickey-credentials-get=(self), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), idle-detection=(), interest-cohort=(), serial=(), trust-token-redemption=(self), unload=(self), window-placement=()
Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self'; script-src-elem 'self' 'sha256-Tui7QoFlnLXkJCSl1/JvEZdIXTmBttnWNxzJpXomQjg=' 'sha256-RXalPXiNXlX9oQxka8DgO1bOIiBEaCf4ecT1g7JAqPc=' 'sha256-BPFoXbRGZBEj69I/bDwp1dKeBQ2oiny6BS1QlrFnkwM='; script-src-attr 'self'; style-src 'self' 'unsafe-inline'; img-src * 'self' data: blob:; font-src 'self'; connect-src https: wss:; media-src * 'self' data: blob:; object-src 'none'; child-src 'none'; frame-src *; worker-src 'self'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests;  block-all-mixed-content; manifest-src 'self'; report-uri https://dadebug.report-uri.com/r/d/csp/enforce
Strict-Transport-Security: max-age=7776000
X-POWERED-BY: nonsense
X-ASPNET-VERSION: nonsense
Date: Tue, 27 Feb 2024 17:20:03 GMT
X-CDN: Imperva
Content-Encoding: gzip
X-Iinfo: 14-73402224-73417477 SNYy RT(1709054277262 125909) q(0 0 0 -1) r(0 0) U24
Response Body
{"type":"https://tools.ietf.org/html/rfc7231#section-6.5.13","title":"Unsupported Media Type","status":415,"traceId":"00-60f95dddc033ac4c3cced8c354eadfa8-552c86c01b566e2c-00"}

Now, I've checked that the X-XSRF-TOKEN in the POST matches the cookie content from the previous GET, which I have expertly redacted using the snip tool :smiley:
"GET" Cookie: [screenshot not reproduced]

"POST" X-XSRF-TOKEN: [screenshot not reproduced]

I have, from searching, come to the general conclusion that this probably has to do with the content type. But the request is set to accept */*, and the response is application/json; charset=utf-8, which to my uneducated eye doesn't seem unusual?
I've tried changing the content type, but I really don't know what I'm looking at.

Any thoughts would be appreciated!

Hi @seuadr. Welcome to the Postman Community!

A 415 Unsupported Media Type is typically not an error you get for providing an invalid CSRF token.

I see that you did not specify a request body in the public workspace you shared, and hence the server might be complaining about that since, technically, the content-type is null.

Since this is a POST request, please check the documentation again to be certain you're including all required parameters (including a request body). Additionally, since this is a login request, there has to be some way of passing the login credentials, as CSRF tokens are not authentication credentials or mechanisms.

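As an added example that is not part of this thread and not DeskAlerts' or Postman's own code, here are the two steps the question describes as plain Node functions: read the token out of the GET's Set-Cookie header, then build a login POST that actually carries a JSON body, plus a small lint that flags the empty-body condition behind the 415. The cookie name XSRF-TOKEN and the header name X-XSRF-TOKEN come from the thread; the JSON field names username/password and the sample token value are assumptions.

```javascript
// Step 1: pull the token value out of a Set-Cookie header such as
//   XSRF-TOKEN= <value>; path=/DeskAlerts11; secure; samesite=strict
// Only the first NAME=VALUE pair is the cookie; everything after ';' is attributes.
function extractXsrfToken(setCookieHeader, cookieName = "XSRF-TOKEN") {
  const firstPair = setCookieHeader.split(";")[0].trim();
  const eq = firstPair.indexOf("=");
  if (eq === -1 || firstPair.slice(0, eq).trim() !== cookieName) return null;
  // trim() also handles the stray space after '=' seen in the thread's header
  return decodeURIComponent(firstPair.slice(eq + 1).trim());
}

// Step 2: build the login POST. The request in the thread had Content-Length: 0
// and no Content-Type; ASP.NET Core answers 415 when a [FromBody] parameter
// gets a request whose body it cannot read, regardless of the CSRF header.
function buildLoginRequest(token, username, saltedPassword) {
  if (!token) throw new Error("no XSRF token: run the GET /api/xsrf/get first");
  return {
    method: "POST",
    headers: {
      "Content-Type": "application/json", // the piece missing from the original request
      "X-XSRF-TOKEN": token,
    },
    // field names are an assumption; DeskAlerts' swagger docs give the real ones
    body: JSON.stringify({ username, password: saltedPassword }),
  };
}

// Pre-send check: the conditions the server enforces, returned as a list of
// problems (empty when the request is well-formed).
function lintLoginRequest(req) {
  const problems = [];
  if (!req.headers["X-XSRF-TOKEN"]) problems.push("missing X-XSRF-TOKEN header");
  if (!req.body || req.body.length === 0) problems.push("empty body (415 likely)");
  if (req.headers["Content-Type"] !== "application/json") {
    problems.push("Content-Type is not application/json");
  }
  return problems;
}

// Constructed sample shaped like the thread's redacted Set-Cookie header.
const SAMPLE_SET_COOKIE =
  "XSRF-TOKEN= CfDJ8constructedTokenValue; path=/DeskAlerts11; secure; samesite=strict";
```

Inside Postman the same extraction belongs in the GET request's Tests tab, e.g. `pm.collectionVariables.set("X-XSRF-TOKEN-VAR", extractXsrfToken(pm.response.headers.get("Set-Cookie")))`, after which the POST can reference {{X-XSRF-TOKEN-VAR}} in its header.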

Gbadebo,
thanks for the response!
That makes a lot of sense, because you are right, there is no body! This is actually JSON that their support team sent over to get me started, so I assumed that it would be complete... shame on me. :slight_smile:

I'm looking at their swagger docs now, and you are absolutely right that it is upset there is no body. I added the required fields and it works fine now.

I appreciate your time and effort. I think I kind of had a little tunnel vision and got stuck on the token instead of trying to find the real issue!

Regards,

Jared

I’m glad to hear you’ve figured it out. Cheers!

