CSRF token is missing in MDK Client 6.3.4 for iOS

Hello experts,

I face a confusing issue with SAM MDK 6.3.4 when it runs on iOS. I receive the following error on my first attempt to call the backend: CSRF token is missing. The issue is reproducible with the application Mobile Svc installed from the App Store as well as with custom MDK client build v.6.3.3 and 6.3.3.

The service endpoint is OData v.4 and the error is observed only on iOS: on a real device and on the simulator. It works without issue on Android.

There are 2 strange things about the error:

  • it seems the error is thrown by the backend, because JSON error object looks like this:

{"error":{"code":"/IWBEP/CM_V4H_RUN/043","message":"CSRF token is missing","@SAP__common.ExceptionCategory":"CSRF_Token_Missing"}

  • I don’t register any call to the backend on NW Gateway client traces

Do you fetch this CSRF token during the application onboarding? Do you use a technical user for this? Do you have any explanation or hint as to what I could be missing and how I can further investigate if something is wrong with the application?

Regards,

Dimiter

bill_froelich
Product and Topic Expert

We will need the Mobile Services experts to weigh in here as I believe this is managed in the Mobile Services -> Destination Service -> Cloud Connector -> Backend chain.

Hello Mobile Services experts,

Please help me to locate the reason for this issue and to find a solution. Here are the details I have so far:

  1. It happens only on iOS. The relevant Android build behaves correctly. I even created a very simple project that initializes the service and performs exactly one POST call, and the error is thrown, so it is not based on the application business flow or logic.
  2. The service that our MDK application consumes is provided by a RAP-based OData service (OData V4 Hub).
  3. I cannot see any trace for a GET call with my user registered at the NW Gateway client, so I am wondering how this CSRF is handled by Mobile Services and whether I could be missing something in the configuration. I could provide more details for the configuration if you need it, but once again: it works on Android.

Any comment, hint, or proposal will be highly appreciated.

Best Regards,

Dimiter

Hi Dimiter,

I need more information and would like to confirm a few things with you:

  1. Does your backend need CSRF token for any CUD call? Does GET call work fine?
  2. Could you share your mobile application configuration and proxy endpoint configuration for the failed backend?
  3. Could you help to collect the server event logs and network trace while reproducing this issue? Follow the link, https://help.sap.com/docs/SAP_MOBILE_SERVICES/468990a67780424a9e66eb096d4345bb/d461f0ec3f3d456085e47... to fetch the network trace.

Thanks

Wen-nan

bill.froelich

Hello wen-nan.chu

Thank you for the instructions on how to activate the network trace. I recorded the network activity, and I don’t see the CSRF token sent for our POST when the application is running on iOS.

Answers to your questions:

  1. Yes, the backend requires a CSRF token for all CUD operations. Checking the traces, the GET call works fine in both the Android and iOS scenarios.
  2. I have exported the application configuration from the BTP dashboard and sent it to your e-mail together with the recorded traces.

Comparing the traces for the application that runs with the exact same mobile service configuration, I see that the CSRF token is returned for every GET call on both platforms. However, in the traces for the iOS session I don’t see the token used in the POST call.

I also see that the GET calls are slightly different in both scenarios (the steps are identical and simple: when the application starts, I just try to perform the call).

Let me know if you need more data

Best Regards,

Dimiter
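
The trace comparison described in the last post (token returned on GET, not replayed on the iOS POST) can be scripted. The following is an added example, not part of the thread and not SAP code: it assumes the network trace is available in HAR format, and the URL, token value and status codes in the two sample traces are constructed.

```python
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}  # the CUD calls the backend protects

def header(headers, name):
    """Case-insensitive lookup in a HAR header list; None if absent."""
    return next((h["value"] for h in headers if h["name"].lower() == name.lower()), None)

def audit_csrf(har):
    """List write requests that did not carry the token the server last issued."""
    issued, findings = None, []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        if req["method"].upper() in WRITE_METHODS:
            sent = header(req["headers"], "X-CSRF-Token")
            if not sent:
                findings.append((req["method"], req["url"], "missing"))
            elif sent != issued:
                findings.append((req["method"], req["url"], "mismatch"))
        returned = header(resp["headers"], "X-CSRF-Token")
        if returned and returned.lower() != "required":
            issued = returned  # remember the newest token handed out
    return findings

def _entry(method, req_headers, resp_headers, status):
    """Build one constructed HAR entry for the sample traces below."""
    as_list = lambda d: [{"name": k, "value": v} for k, v in d.items()]
    return {"request": {"method": method, "url": URL, "headers": as_list(req_headers)},
            "response": {"status": status, "headers": as_list(resp_headers)}}

URL = "https://backend.example/odata/v4/Items"  # constructed placeholder
FETCH = _entry("GET", {"X-CSRF-Token": "Fetch"}, {"x-csrf-token": "tok-123"}, 200)
# Constructed traces: one client replays the token on POST, the other does not.
TRACE_OK = {"log": {"entries": [FETCH, _entry("POST", {"X-CSRF-Token": "tok-123"}, {}, 201)]}}
TRACE_BAD = {"log": {"entries": [FETCH, _entry("POST", {}, {"x-csrf-token": "Required"}, 403)]}}

if __name__ == "__main__":
    for name, trace in (("ok", TRACE_OK), ("bad", TRACE_BAD)):
        print(name, audit_csrf(trace))
```

Running it over the Android and iOS traces side by side shows which write requests left the client without the token, independent of what the backend logged.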