The goal is to use a self-hosted app within MindSphere.
The app itself is for now just the plain standard demo-app from Mendix that you can create immediately when you set up an account there. So the app currently has no interaction with any MindSphere APIs at all.
In my case the app is located here within the Mendix-Cloud:
This runs fine and no critical errors show up within the Chrome Debugger.
Now I just want the very same thing to be available using the MindSphere Launchpad as a Selfhosted App. So in the first development step there should be no connectivity to any data stored in MindSphere.
Using Chrome's Debugger I was able to get rid of all reported CSP-related errors when configuring the self-hosted app in the developer cockpit - but the app still does not show up.
Looking at the Chrome Debugger's network tab, I can see that one of the POST requests seems not to work (/xas/), see screenshot "failed-postrequest", but the response tab is empty in Chrome (probably because MindSphere redirects and shows a gateway error immediately afterwards, which loses the debugger information - see screenshot "gatewayerror").
Anyway: using Firefox debugger I was able to get the response of the failed request:
MindSphere Gateway error: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.
I found a similar thread here in the community (Invalid-CSRF-Token-null-was-found-on-the-request) but as far as I understood this relates only to API authentication there - and as stated before: There are no API calls at all yet.
Do you have any suggestions to get this up and running? Or what else do I need to provide?
Thanks a lot
The '/login.html' issue might be due to the MindSphere Gateway hijacking all '/login*' endpoints, but I'm not sure. I know that you cannot use '/login/**' nor '/api/**' on your app, since it is used internally, but I don't know about individual file mappings.
The '/xas' might be in the same "hijacked" league.
What I would do to debug this is to try to expose the app through a custom path, such as '/myapp' and then put everything below it. Most http frameworks allow you to do such mapping with a single configuration variable. If that works, then you know it is something with the mapping conflicts.
@dlouzan: Thanks for the hint. I currently have no way of exposing the app differently, because it is just the basic Mendix representation (built via the Mendix Webmodeler). But still you might be correct.
Also I just received the information that if applications are running through the MindSphere Gateway and are using HTTP requests other than GET (i.e. POST, PUT, PATCH, DELETE), those requests have to implement the X-XSRF session token added to their request headers to prevent cross-site request forgeries. This need for such a token also applies if those requests are not related to MindSphere data at all: since the calls are "rerouted" through the gateway, they are all checked for this token to ensure validity of the request.
A general approach to deal with this would be to create some kind of hook in the app that encapsulates all requests to add this token information.
In the end my issue may even relate to both (XSRF and "hijacking") ...
I don't think that anyone would disable authentication mechanisms for my case. I guess they are in place for some reason.
Actually I only wanted to share why it currently doesn't work for now.
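
The request hook described in the post above, sketched as an added example that is not part of the original thread or of any Mendix or MindSphere code. The header name X-XSRF-TOKEN is taken from the gateway error message; the cookie name `XSRF-TOKEN` and all function names are assumptions.

```javascript
// Added example. Assumption: the gateway hands the token to the browser in a
// cookie named XSRF-TOKEN; the header name comes from the gateway error above.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Extract one cookie value from a document.cookie style string, or null.
function readCookie(cookieString, name) {
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx > -1 && part.slice(0, idx).trim() === name) {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

// Attach the token only to state-changing, same-origin requests so that it
// is never sent to a third-party host.
function shouldAttachToken(method, url, pageOrigin) {
  if (SAFE_METHODS.has(String(method || "GET").toUpperCase())) return false;
  return new URL(url, pageOrigin).origin === pageOrigin;
}

// Wrap fetch and XMLHttpRequest on a window-like object.
// In the browser, call installXsrfHook(window) before the app starts.
function installXsrfHook(win, cookieName = "XSRF-TOKEN") {
  const token = () => readCookie(win.document.cookie, cookieName);
  const origin = win.location.origin;
  if (win.fetch) {
    const originalFetch = win.fetch.bind(win);
    win.fetch = (input, init = {}) => {
      const url = typeof input === "string" ? input : input.url;
      const method = init.method || input.method || "GET";
      if (token() && shouldAttachToken(method, url, origin)) {
        const headers = new Headers(init.headers || {});
        headers.set("X-XSRF-TOKEN", token());
        init = { ...init, headers };
      }
      return originalFetch(input, init);
    };
  }
  const XHR = win.XMLHttpRequest;
  if (!XHR) return;
  const { open, send } = XHR.prototype;
  XHR.prototype.open = function (method, url, ...rest) {
    this._xsrfAttach = shouldAttachToken(method, url, origin);
    return open.call(this, method, url, ...rest);
  };
  XHR.prototype.send = function (body) {
    if (this._xsrfAttach && token()) this.setRequestHeader("X-XSRF-TOKEN", token());
    return send.call(this, body);
  };
}
```

The cookie is read on every request rather than cached, so a token rotated by the gateway is picked up without reinstalling the hook.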