1

I have a flask API, with jwt authentication, on a httponly cookie. I installed interceptor, added the domain(with HTTPS) to the list, and enabled the requests and cookies interception. but still, how do I make postman send the cookie I got from logging in to the server? usually, with a simple front-end, it just happens, so I didn't think about it. all the methods I found in postman documentation, including specifying the value with the token, but I don't have it, since I can't access the httponly cookie. (or can I?)

must I access the cookies? can it be done automatically like simply sending requests from the front-end? any guidance will be appreciated

Benaya Trabelsi
  • 351
  • 3
  • 11

1 Answers1

3

After a full evening of research, I did two things to make it work - in the login request, I added a "test" script(a post-request script in postman), with the following code:

const csrf_token = pm.response.headers.get("set-cookie");
const edited_token = csrf_token.split(/[;=]/)[1];
pm.environment.set("X-CSRF-TOKEN", edited_token);
console.log(csrf_token.split(/[;=]/)[1]);

First, I got the cookie from the response, and then used a regex to separate only the token value, and set it as an environment variable. this way, I could add it as a header later, for accessing protected URLs. The second step was to add a pre-scrit in any request with a protected URL - in the pre-request tab, I added the following: pm.request.headers.add({ key: 'X-CSRF-TOKEN', value: pm.environment.get("X-CSRF-TOKEN") }); Which only added the same token I took earlier from the "X-CSRF-TOKEN" environment variable and set it to the header. Mission accomplished :) I hope it will help others who bumped into this

Benaya Trabelsi
  • 351
  • 3
  • 11