thunder-client-support
Setting CSRF cookie with a pre-request script
CSRF protection is now commonplace in web and API routes. Modern API testing utilities provide features that enable handling CSRF cookies and embedding such cookies in the request headers automatically.
One such feature is pre-request scripts, which enable sending an API request to a route, receiving cookies from the request, setting them in an environment variable and including the cookie data in the request headers as X-XSRF-TOKEN, which authorizes the API request made in the same request.
Thunder Client has the awesome feature of setting environment variables to store important information from different parts of the response, to be used in other requests or stored for convenience. But CSRF requires the information to be fetched and validated within the same request.
This request receives an xsrf-token in the cookies, which is then set to an environment variable using the 'test' feature of Thunder Client for further use.
The environment variable would then be used in another request header:
But the response says CSRF token mismatch.
This problem is handled by clients like Postman using a pre-request script, as mentioned above, instead of two different requests.
@JayRSG one question: does the header name need to be sent in upper case, X-XSRF-TOKEN?
Then you need to enable the VS Code setting Headers Case Sensitive.
@rangav I have now enabled the setting Headers Case Sensitive in VS Code as you mentioned, but with no luck.
The X-XSRF-TOKEN header is automatically set by axios and is sent in the same manner, as I have checked in the network tab for my application.
The cookie -> xsrf-token is first set by the request made to /sanctum/csrf-cookie, and the cookie data is sent in the X-XSRF-TOKEN header on the consecutive requests to the routes protected by Sanctum in my Laravel backend application.
However, this doesn't work in Thunder Client, and I receive a CSRF token mismatch error with a 419 status code.
Please remove the content-type header and test it again.
The content-type header is automatically set by the extension.
Can you also share a body tab screenshot, hiding any sensitive data?
Is it possible for me to test those API endpoints? Do you have any published version with a test account?
Well, unfortunately the API is at a very early stage of development. I have not published it anywhere.
Here is the body part of the login endpoint.
The CSRF request doesn't have any body.
My API endpoints are based on this documentation: https://laravel.com/docs/8.x/sanctum#spa-authenticating
Looks like you have the wrong content-type header in the request.
Can you please remove the content-type header and test it again?
I have removed the content-type header and tried, but it still gives the same error.
OK, thanks. I don't know what the reason is, and I have not used Laravel before.
Maybe post on Stack Overflow; someone with Laravel experience can suggest an answer.
Try decoding the value of the cookie from URL encoding to a normal string before saving it in the environment.
The XSRF-TOKEN ends with "%3D", which means it is an "=" (equal sign), and that in the X-XSRF-TOKEN causes a mismatch.
Custom scripting is now implemented and published to the marketplace; please update to v2.0.0.
See all features released: https://github.com/rangav/thunder-client-support/releases/tag/v2.0.0
Please let me know your feedback.