CSRF token with url is working but CSRF with form param is invalid

Question

csrf token with form param is not working.

params = {
                title: screen.getTitle(),
                windowId: screen.getId(),
                filter: filter,
                sort: sort,
                items: items.toString(),
                _csrf : Manh._csrfConfig.value
            }


form.submit({
                url: url,
                params: params
            });

but with url

url = url + '?windowId=' + screen.getId() + '&_csrf=' + Manh._csrfConfig.value;

is working. I dont want to send the csrf token with the url. Please suggest.

<oauth>
<error_description>
Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
</error_description>
<error>access_denied</error>
</oauth>

Where's the headers property in your ajax request? are you sure it is sending the request with the header? — Matheus Hatje, Nov 07 '19 at 13:01
But params are url parameters, headers are being set differently try to pass the params object as headers to tge request method. — Jonas Osburg, Nov 07 '19 at 19:02

score 0 · Answer 1 · answered Nov 08 '19 at 09:00

here is working example https://fiddle.sencha.com/#view/editor&fiddle/311c

So basically in your code you would need to add headers to form.submit method

form.submit({
   url: url,
   headers: {
       'X-CSRF-Token': 'Token'    
   },
   params: params //params without token in them
})

CSRF token with url is working but CSRF with form param is invalid

1 Answers1