MSG exception: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSR

Creator

Hi Team,

I am getting the below error for the POST method from the Swagger page:

MSG exception: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN

We have REST APIs.

All GET APIs are working fine from Swagger.

However, all POST APIs are not; they give the above error.

What am I missing? Could you please help me out.

7 REPLIES

Re: MSG exception: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X

Siemens Genius
Dear NileshP, can you please provide the call and its payload (maybe dummy data) so that we can investigate this? Usually, if you make relative calls from your web application to MDSP APIs you need to send the x-xsrf-token and origin headers in the request. Please see https://developer.mindsphere.io/concepts/concept-authentication/index.html#calling-apis-from-fronten... for the details.

If this does not apply just add some more details and we will look into this.
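As an added illustration of the pattern described in the reply above (example code, not from the original post and not MindSphere's own code): a small browser-side helper that reads the anti-CSRF token from the cookie jar and echoes it back as the X-XSRF-TOKEN header on a POST, sending the session cookie along with it. The cookie name XSRF-TOKEN, the fetch-based call and the endpoint path are assumptions; the documentation linked in the reply is authoritative for the exact names.

```javascript
// Added example: build a POST from a browser frontend to a relative MDSP
// gateway path so that the CSRF check can pass.
// Assumption (not stated in the thread): the token is delivered in a cookie
// named XSRF-TOKEN, the usual double-submit pattern. The header name
// X-XSRF-TOKEN is the one quoted in the error message.

const XSRF_COOKIE = 'XSRF-TOKEN';   // assumed cookie name
const XSRF_HEADER = 'X-XSRF-TOKEN'; // header named in the error message

// Parse a document.cookie-style string ("a=1; b=2") and return one value,
// or null when the cookie is absent.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const key = part.slice(0, idx).trim();
    if (key === name) return decodeURIComponent(part.slice(idx + 1).trim());
  }
  return null;
}

// Build fetch() options for a same-origin POST. Returns null when no token
// is available; that is exactly the situation behind "Invalid CSRF Token
// 'null'", so the caller can stop before sending an empty header.
function buildCsrfPostOptions(cookieString, body) {
  const token = readCookie(cookieString, XSRF_COOKIE);
  if (!token) return null;
  return {
    method: 'POST',
    credentials: 'same-origin', // send the session cookie with the request
    headers: {
      'Content-Type': 'application/json',
      [XSRF_HEADER]: token,     // double-submit: cookie value echoed as header
    },
    body: JSON.stringify(body),
  };
}

// Usage in the browser; a relative URL keeps the call on the app's own
// origin, so the session cookie and the token apply (path is a placeholder):
//   const opts = buildCsrfPostOptions(document.cookie, { name: 'user1' });
//   if (opts) fetch('/<your-endpoint>', opts);
```

The Origin header mentioned in the reply is not built here on purpose: browsers add it themselves to POST requests and do not let page script set it, so the only piece the frontend has to supply is the token header.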

Re: MSG exception: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X

Creator

Hi MichaelE,

I have followed the shared link and set the x-xsrf-token, origin and session in both the frontend (Angular) and the backend (StrongLoop).

Still I am getting this error:

[{"logref":"dcadb3d8ce78472c986ca369c89f3b97","message":"MSG exception: Could not verify the provided CSRF token because your session was not found.","stackTrace":""}]

I am adding my headers snippet here:

// Request options for the POST sent by the backend (StrongLoop); data,
// regsession, csrftoken, xsrftoken, session and sessionsig are set elsewhere.
const options = {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length': Buffer.byteLength(data),
    'origin': 'https://<mytenant>-<appname>-<mytenant>.eu1.mindsphere.io',
    'region-session': regsession,
    '_csrf': csrftoken,
    'x-xsrf-token': xsrftoken,
    'session': session,
    'session.sig': sessionsig
  }
};

All GET APIs are working fine from Swagger.

However, all POST APIs are not; they give the above error.

What am I missing? Could you please help me out.

Re: MSG exception: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X

Siemens Genius

@RaviU can you please show me your request URL?

Re: MSG exception: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X

Creator

Hi MichaelE,

Request URL : https://<tenantname>-hydroapp-<tenantname>.eu1.mindsphere.io/hydro/gateway/getuser/user1

Re: MSG exception: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X

Siemens Genius

@RaviU does it throw the error while calling your own endpoint or while your backend service is calling the MindSphere API? And if you look into the request, can you see that the token and authentication information is sent?

And have you registered your endpoint in the Developer Cockpit, e.g. using /** ?

Re: MSG exception: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X

Creator

I have registered my endpoint with the Developer Cockpit.

I am getting a 504 gateway timeout in the browser. I have checked the service log; I am getting this error:

[{"logref":"dcadb3d8ce78472c986ca369c89f3b97","message":"MSG exception: Could not verify the provided CSRF token because your session was not found.","stackTrace":""}]

I have attached the response and request headers from the browser.

Re: MSG exception: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X

Experimenter

Hi RaviU,

Is this an error you see in the backend?

If yes, it will not work that way. The backend will not receive a session call from your frontend. The gateway will resolve your session to an authorization header (JWT token).

So if your frontend app is calling the application, the session will not reach the app in the CF environment.

The call will be structured like this:

Frontend App (from Browser, with Session) => Gateway (via your URL, transforms Session to Authorization Header) => Your App in CF (no session but authorization header)

For example, if you want to get timeseries from your backend app, then please make the request like this:

https://gateway.eu1.mindsphere.io/api/iottimeseries... and add the authorization header that the backend received.

Calls via the gateway do not require a session but need the authorization header, so no CSRF problems should occur either.

If this does not solve your problem, maybe you could create a graphic showing your call structure?
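The call structure described in the reply above, as an added example that is not part of the original post and not MindSphere's own code: the backend running in CF takes the Authorization header the gateway handed it and relays only that header to the gateway, never the session cookie or CSRF token from the browser hop. The gateway host is the one quoted in the reply; the API path, the incoming header values and the helper names are constructed for the example.

```javascript
// Added example (not from the thread): relay a call from a CF-hosted backend
// to the MindSphere gateway. The gateway has already exchanged the browser
// session for an Authorization header, so that header is the only credential
// the backend needs to forward.

const GATEWAY = 'https://gateway.eu1.mindsphere.io'; // host quoted in the reply

// Material that belongs to the browser <-> gateway hop. Forwarding it from the
// backend does nothing useful and, as the thread shows, ends in
// "Could not verify the provided CSRF token because your session was not found".
const SESSION_HEADERS = new Set([
  'cookie', 'session', 'session.sig', 'region-session',
  '_csrf', 'x-xsrf-token', 'origin',
]);

// Case-insensitive header lookup; returns null when absent.
function findHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Build the outgoing gateway request from the headers the backend received.
// Only an explicit allowlist of headers is copied (Authorization), which is
// safer than stripping a denylist. Throws when no Bearer token arrived, which
// means the request did not come in through the gateway.
function buildGatewayRequest(incomingHeaders, path, body) {
  const auth = findHeader(incomingHeaders, 'authorization');
  if (!auth || !/^Bearer\s+\S+/.test(auth)) {
    throw new Error('no "Authorization: Bearer ..." header received from the gateway');
  }
  return {
    url: GATEWAY + path,
    method: 'POST',
    headers: { 'Authorization': auth, 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  };
}

// Guard for use before any outgoing call: true when a header set still
// carries session or CSRF material that should never leave the backend.
function leaksSessionMaterial(headers) {
  return Object.keys(headers).some(k => SESSION_HEADERS.has(k.toLowerCase()));
}

// Constructed sample of what the gateway hands to the backend (values are
// placeholders, not a real token or host).
const SAMPLE_INCOMING = {
  'host': 'example-backend.internal',
  'authorization': 'Bearer eyJ.constructed-jwt.placeholder',
  'content-type': 'application/json',
};

// Usage (path is a placeholder for the real API path):
//   const req = buildGatewayRequest(SAMPLE_INCOMING, '/api/<service>/<path>', { value: 1 });
//   fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
```

Building the outgoing header set from an allowlist rather than copying the incoming headers wholesale is the design point: even if a client does send session or CSRF headers to the backend, they stop there, and the Bearer check fails fast with a clear message instead of a 504 from a call the gateway rejects.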