WebClient - dealing with XSRF/CSRF tokens

Question

I'm trying to connect to API with CSRF protection using WebClient. How ExchangeFilterFunction could look like to handle XSRF-TOKEN cookie and include X-XSRF-TOKEN header?

Krzysztof Skrzynecki · Answer 1 · 2019-08-22T14:38:07.673

That's the solution I came up with:

public class CsrfClientExchangeFilterFunction implements ExchangeFilterFunction
{
    @Override
    public Mono<ClientResponse> filter( ClientRequest request, ExchangeFunction next)   {
        return next.exchange( request )
            .flatMap( response -> {
                if( response.statusCode().is4xxClientError() )
                {
                    ResponseCookie csrfCookie = response.cookies().getFirst( "XSRF-TOKEN" );
                    if( csrfCookie != null )
                    {
                        ClientRequest retryRequest = ClientRequest.from( request )
                                .headers( httpHeaders -> httpHeaders.set( "X-XSRF-TOKEN", csrfCookie.getValue() ) )
                                .cookies( cookies -> cookies.add(  "XSRF-TOKEN", csrfCookie.getValue() ) )
                                .build();

                        return next.exchange( retryRequest );
                    }
                }
                return Mono.just( response );
            } );
    }
}

For reference, it doesn't work if ClientRequest.Builder#cookie(String name, String... values) is used instead of ClientRequest.Builder#cookies(Consumer<MultiValueMap<String, String>> cookiesConsumer). I would love to know why though!

Edit:

Different behaviour of ClientRequest.Builder#cookies and ClientRequest.Builder#cookie methods has been reported as an issue for Spring Framework project - you can find it here

Your reported issue is closed as Invalid. You will need to create a sample Spring project for them to debug. — tom_mai78101, Jan 06 '21 at 20:29

WebClient - dealing with XSRF/CSRF tokens

1 Answers1