Handling API requests with CSRF token

[samuelvinay91]

Hi ,

@ASaiAnudeep - Thank you so much for your reply.

This below code using axios was working fine for all subsequent calls internally I am using agent

  const cookiejar = new tough.CookieJar();
    agent = await axios.create({
    jar: cookiejar,
    withCredentials: true,
   });

let res = await agent.get("/signin");
    agent.defaults.headers["x-csrf-token"] = res.headers["x-csrf-token"];
    axios.defaults.headers.post["X-CSRF-Token"] = res.headers["x-csrf-token"];
    axios.defaults.headers.post["Content-Type"] =
      "application/x-www-form-urlencoded";
    let k = await agent.post("/signin", {
      email: process.env.MFA_USERNAME,
      password: process.env.MFA_PASSWORD,
      _csrf: res.headers["x-csrf-token"],
    });

same I am trying to do in pactum

  let res = await pactum.spec().get("/signin");
    console.log(res.headers);
    cookie = res.headers["set-cookie"][0];
    // agent.defaults.headers["x-csrf-token"] = res.headers["x-csrf-token"];
    // axios.defaults.headers.post["X-CSRF-Token"] = res.headers["x-csrf-token"];
    // axios.defaults.headers.post["Content-Type"] =
    //   "application/x-www-form-urlencoded";
    let k = await pactum.spec().post("/signin").withJson({
      email: process.env.MFA_USERNAME,
      password: process.env.MFA_PASSWORD,
      _csrf: res.headers["x-csrf-token"],
    }).expectStatus(200).inspect();
    cookie = k.headers["set-cookie"][0];
    console.log(" >> ", k.status, cookie);

Correct me please if I am missing or doing anything wrong

[ASaiAnudeep]

Can you try using withForm in the place of withJson

await spec()
  .post("/signin")
  .withHeaders('X-CSRF-Token',  res.headers["x-csrf-token"])
  .withForm({
    email: process.env.MFA_USERNAME,
    password: process.env.MFA_PASSWORD,
    _csrf: res.headers["x-csrf-token"],
  });

[ASaiAnudeep]

Not sure. Is it a typo in your url? Seems you are missing the forward slash.

What's happening when you are not setting the cookies?

[samuelvinay91]

Its a typo, without cookie i was getting Bad Csrf when I send cookie it is redirecting

[ASaiAnudeep]

Can you use this package - https://www.npmjs.com/package/agent-phin to make a successful request?

[samuelvinay91]

no luck with both scenarios 'agent attached to both' and only for get method

 const keepAliveAgent = new https.Agent({ keepAlive: true });
    // let res = await pactum.spec().get("https://qa.staging.integrator.io/signin");
    // console.log(res.headers);

    const res  = await p({
        url: '/signin',
        method: 'GET',
        agent: keepAliveAgent
    })

    console.log(res);

   let k =  await p({
        url: '/signin',
        method: 'POST',
        data: {
            email: process.env.MFA_USERNAME,
            password: process.env.MFA_PASSWORD,
            _csrf: res.headers["x-csrf-token"],
        },
        agent: keepAliveAgent
    })

    console.log(" >> ", k.statusCode, k);

[samuelvinay91]

@ASaiAnudeep - Thanks for your support.I was able to resolve my issue.

For the interest of the community.I am posting the solution. We can close the conversation

describe("MFA - UI", function () {
  let cookie, csrfToken;

  async function login() {
    const res = await pactum
      .spec()
      .get("/signin");

    const k = await pactum
      .spec()
      .post("/signin?no_redirect=true")
      .withHeaders("x-csrf-token", res.headers["x-csrf-token"])
      .withHeaders("cookie", res.headers["set-cookie"][0])
      .withForm({
        email: process.env.MFA_USERNAME,
        password: process.env.MFA_PASSWORD,
        _csrf: res.headers["x-csrf-token"],
      })
      .expectStatus(200);
    // console.log(" >> ", k.statusCode, k);
    cookie = k.headers["set-cookie"][0];
    csrfToken = k.body["_csrf"];
    console.log(" >> ", cookie, csrfToken);
  }

  before(async () => {
    //Sign in user
    await login();
  });

  after(async () => {
    // const res = await _spec.post("/signout", {
    //   _csrf: csrfToken,
    // });
    //new ResponseAssert(res).statusCodeIs(200);
  });

  describe("GET / ", function () {
    it("should verify mfa setup with mfa enabled without secret", async function () {
      const res = await pactum
        .spec()
        .get("/api/mfa/setup")
        .withHeaders("x-csrf-token", csrfToken)
        .withHeaders("cookie", cookie)
        .inspect();
    });
  });
});