Hi,
I'm working on testing some REST functionality for a software called Desk Alerts.
They require an antiforgery token, which I am able to GET, and I'm trying to write the response to a variable that I can then pass in a following POST action, but it isn't working quite the way I'd hoped. I'm really new and don't understand where I've gone awry.
Here is a link to my public workspace:
Link!
I'm using a variable for login information and a required X-XSRF-TOKEN header, so I've set those variables in the collection as:
X-XSREF-TOKEN-VAR
salted-password
DeskAlertsURL
username
Everything except X-XSREF-TOKEN-VAR is a static value.
My first GET uses {{DeskAlertsURL}}api/xsrf/get and I get a 200 response that looks like:
Response Headers
Cache-Control: no-cache, no-store
Pragma: no-cache
Transfer-Encoding: chunked
Set-Cookie: XSRF-TOKEN= ***"redacted token"*** g; path=/DeskAlerts11; secure; samesite=strict
X-XSS-Protection: 0
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
X-Robots-Tag: noindex
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Embedder-Policy: credentialless
X-Permitted-Cross-Domain-Policies: none
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=*, battery=(), camera=(self), microphone=(self), cross-origin-isolated=(self), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(self), execution-while-out-of-viewport=(self), fullscreen=(self), geolocation=(), gyroscope=(), keyboard-map=(self), magnetometer=(), midi=(), navigation-override=(), payment=(), picture-in-picture=*, publickey-credentials-get=(self), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), idle-detection=(), interest-cohort=(), serial=(), trust-token-redemption=(self), unload=(self), window-placement=()
Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self'; script-src-elem 'self' 'sha256-Tui7QoFlnLXkJCSl1/JvEZdIXTmBttnWNxzJpXomQjg=' 'sha256-RXalPXiNXlX9oQxka8DgO1bOIiBEaCf4ecT1g7JAqPc=' 'sha256-BPFoXbRGZBEj69I/bDwp1dKeBQ2oiny6BS1QlrFnkwM='; script-src-attr 'self'; style-src 'self' 'unsafe-inline'; img-src * 'self' data: blob:; font-src 'self'; connect-src https: wss:; media-src * 'self' data: blob:; object-src 'none'; child-src 'none'; frame-src *; worker-src 'self'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; manifest-src 'self'; report-uri https://dadebug.report-uri.com/r/d/csp/enforce
Strict-Transport-Security: max-age=7776000
X-POWERED-BY: nonsense
X-ASPNET-VERSION: nonsense
Date: Tue, 27 Feb 2024 17:07:17 GMT
X-CDN: Imperva
X-Iinfo: 7-29031695-29031698 SNNN RT(1709053618264 19207) q(0 0 0 -1) r(0 0) U24
(No body, just the cookie. I assume that is expected behavior?)
The next request in the collection is a log-in POST action that requires that X-XSREF-TOKEN.
I'm using a pre-request script to get the token from the collection variable:
pm.collectionVariables.get("X-XSRF-TOKEN-VAR");
with a POST to {{DeskAlertsURL}}api/account/login including X-XSREF-TOKEN in the header (it's actually the only non-auto-generated header).
But I get a response I don't understand: 415 Unsupported Media Type:
Request Headers
X-XSRF-TOKEN: ***redacted***
User-Agent: PostmanRuntime/7.36.3
Accept: */*
Postman-Token: 8ce83b80-11c6-4a9e-a8f1-aed292184f30
Host: deskalerts.ipf.msu.edu
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: .AspNetCore.Antiforgery.awpUR7lE5Fk=***redacted***; incap_ses_1426_3027157=vqJmboAP/ioidBMZSCzKE0UZ3mUAAAAATyhm17e1660t7xKdQQ6RVQ==; visid_incap_3027157=Oc6p79TWSEq0G3MkL1ozQ3fJ1GUAAAAAQUIPAAAAAAD4/rK7u36bsSuoFH2iE0e+
Content-Length: 0
Request Body
Response Headers
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
X-XSS-Protection: 0
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
X-Robots-Tag: noindex
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Embedder-Policy: credentialless
X-Permitted-Cross-Domain-Policies: none
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=*, battery=(), camera=(self), microphone=(self), cross-origin-isolated=(self), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(self), execution-while-out-of-viewport=(self), fullscreen=(self), geolocation=(), gyroscope=(), keyboard-map=(self), magnetometer=(), midi=(), navigation-override=(), payment=(), picture-in-picture=*, publickey-credentials-get=(self), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=(), conversion-measurement=(), focus-without-user-activation=(), idle-detection=(), interest-cohort=(), serial=(), trust-token-redemption=(self), unload=(self), window-placement=()
Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self'; script-src-elem 'self' 'sha256-Tui7QoFlnLXkJCSl1/JvEZdIXTmBttnWNxzJpXomQjg=' 'sha256-RXalPXiNXlX9oQxka8DgO1bOIiBEaCf4ecT1g7JAqPc=' 'sha256-BPFoXbRGZBEj69I/bDwp1dKeBQ2oiny6BS1QlrFnkwM='; script-src-attr 'self'; style-src 'self' 'unsafe-inline'; img-src * 'self' data: blob:; font-src 'self'; connect-src https: wss:; media-src * 'self' data: blob:; object-src 'none'; child-src 'none'; frame-src *; worker-src 'self'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; manifest-src 'self'; report-uri https://dadebug.report-uri.com/r/d/csp/enforce
Strict-Transport-Security: max-age=7776000
X-POWERED-BY: nonsense
X-ASPNET-VERSION: nonsense
Date: Tue, 27 Feb 2024 17:20:03 GMT
X-CDN: Imperva
Content-Encoding: gzip
X-Iinfo: 14-73402224-73417477 SNYy RT(1709054277262 125909) q(0 0 0 -1) r(0 0) U24
Response Body
{"type":"https://tools.ietf.org/html/rfc7231#section-6.5.13","title":"Unsupported Media Type","status":415,"traceId":"00-60f95dddc033ac4c3cced8c354eadfa8-552c86c01b566e2c-00"}
Now, I've checked that X-XSRF-TOKEN in the POST matches the cookie content from the previous GET, which I have expertly redacted using the snip tool:
“GET” Cookie:
“POST” X-XSRF-TOKEN:
I have, from searching, come to the general conclusion that this probably has to do with the content type, but the request is set to accept */*, and the response is application/json; charset=utf-8, which, to my uneducated eye, doesn't seem unusual?
I've tried changing the content type, but I really don't know what I'm looking at.
any thoughts would be appreciated!
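As an added example (not code from the post, the Postman workspace, or Desk Alerts), the script below shows the two halves of the flow described above: pulling the XSRF-TOKEN value out of the GET response's Set-Cookie header, and building the login POST so it carries the X-XSRF-TOKEN header together with a JSON body and an explicit Content-Type. ASP.NET Core answers 415 Unsupported Media Type when a body-bound endpoint receives a request with no Content-Type it can deserialize, which is exactly what an empty POST (Content-Length: 0, no Content-Type) looks like to it. The login JSON field names and the sample token are assumptions.

```javascript
// Added example: XSRF cookie extraction plus a well-formed login POST.
// Runs stand-alone in Node; the `pm` block only executes inside Postman.

// Return the value of cookie `name` from one or more Set-Cookie header values,
// or null if absent. Only the "name=value" part before the first ';' matters;
// attributes such as path, secure and samesite are ignored.
function cookieValue(setCookieHeaders, name) {
  const list = Array.isArray(setCookieHeaders) ? setCookieHeaders : [setCookieHeaders];
  for (const header of list) {
    const [pair] = header.split(";");
    const eq = pair.indexOf("=");
    if (eq === -1) continue;
    if (pair.slice(0, eq).trim() === name) return pair.slice(eq + 1).trim();
  }
  return null;
}

// Build headers and body for the login POST. The token travels in the
// X-XSRF-TOKEN header, and the body is JSON with Content-Type set so the
// server's JSON input formatter accepts it instead of returning 415.
function buildLoginRequest(token, username, saltedPassword) {
  if (!token) throw new Error("no XSRF token: run the GET request first");
  return {
    method: "POST",
    header: {
      "Content-Type": "application/json",
      "Accept": "application/json",
      "X-XSRF-TOKEN": token,
    },
    // Field names are an assumption; check the login endpoint's expected schema.
    body: JSON.stringify({ username: username, password: saltedPassword }),
  };
}

// Constructed sample shaped like the Set-Cookie header in the post (token is fake).
const SAMPLE_SET_COOKIE =
  "XSRF-TOKEN=CfDJ8-example-token-value; path=/DeskAlerts11; secure; samesite=strict";

// Postman glue for the Tests tab of the GET request: pm.cookies.get reads the
// cookie jar for the request's domain, so the value can be stored for the POST.
if (typeof pm !== "undefined") {
  pm.collectionVariables.set("X-XSRF-TOKEN-VAR", pm.cookies.get("XSRF-TOKEN"));
}
```

In the POST request, read the stored variable in the pre-request script, set the header from it, and give the request a raw JSON body with Content-Type: application/json.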