
CSRF Token issues with $batch in Business Application Studio using an On Premise System

pmcfarling
Participant
0 Kudos

I'm porting an application (FIORI Elements v2 List Report) out of WebIDE into BAS. This is using a connection to an on premise gateway server. Every $batch request 403s with a response of "CSRF token validation failed".

On the request header, the csrf is there

x-csrf-token: 1zDBk6P2sJotQ96Hhyg7VQ==

on the 403 response header, it is set to "Required"

x-csrf-token: Required

Any ideas?

Accepted Solutions (0)

Answers (4)


TobiasQueck
Advisor

Hi Paul,

Thanks for the call and opening the incident so that we can further investigate the CSRF issue in Business Application Studio. As a workaround, please use the Fiori tools in VSCode.

Cheers,

Tobias.

ViktorH
Explorer
0 Kudos

Hi tobias.queck,

Is this still the workaround to use VSCode instead of BAS?

We have a project, which we try to migrate from WebIDE to BAS, but we get the same 403 error (CSRF Token...).

Do you have an idea how to resolve it?

Thanks,

Viktor

TobiasQueck
Advisor
0 Kudos

Hi Viktor,

The issue was fixed on SAP side, so you shouldn't have the problem anymore. Your issue might be specific to your project or setup. I'd recommend you open an incident, so that the experts can have a look.

Since the csrf issues only happen with POST requests, a temporary workaround would be to set useBatch: false in the model of the manifest.json. You should not deploy your app with this flag but for local development - until the issue is fixed - it should be ok.

Cheers,

Tobias.

Hal64
Explorer
0 Kudos

Hi tobias.queck,

exactly the same error is occurring now again in BAS.
On every batch POST request we get:


It works with useBatch: false
Any ideas?

jlongie
Advisor
0 Kudos

Can you confirm if the cookie being set contains the name `ARBE`?

Are you seeing this issue on Business Application Studio or deployed to ABAP or Cloud Foundry?

Hal64
Explorer
0 Kudos

Hi jlongie,

yes I can confirm that the cookie contains 'ARBE' => Set-Cookie:ARBE=fe.....

In the DEV tools I can also see this info:


The error occurs in Business Application Studio when running the app from there. The deployed version in the ABAP backend works. I can also confirm that everything worked correctly recently.

jlongie
Advisor
0 Kudos

Can you confirm if there has been any change to your setup/configuration? Were any additional roles or authorizations added recently?

matteoprinetti
Participant
0 Kudos

Hi SAP,

this occurs again as of 20.09.2023.

Can you please fix this? We have 20+ developers and not all are keen to switch to Visual Studio Code.

TobiasQueck
Advisor

Hi Paul,

I misunderstood you, I assumed you were migrating an existing project.

Have you tried the same from VSCode by any chance? If it fails there as well, then we know that the problem is in the Fiori elements application generator. If it works there, then we know it is something in AppStudio - maybe with your configurations of destinations.

If you haven't done the setup yet, you can follow https://developers.sap.com/tutorials/fiori-tools-vscode-setup.html.

Cheers,

Tobias.

TobiasQueck
Advisor

Hi Paul,

Would it be possible to share your project with us so that we can have a look? If you don't want to publicly share it, you could open an incident for component CA-UX-IDE and attach it there. (You can also send me an email if that is easier.)

403s are hard to debug in such a setup because when running the preview in Application Studio your request is routed through an incoming router, then the local server proxy and finally through the outgoing proxy connecting to the destination service.

By looking at your project we could eliminate issues with the local server proxy and find out if information is lost before or after going through it.

Cheers,

Tobias.

pmcfarling
Participant
0 Kudos

I'm unsure of how to do that. I just opened up the wizard, pointed it at my Odata service and get the error. I've done nothing else.

It also isn't isolated to my project, others using the same connection are experiencing the exact same thing. (As far as I know we don't have anyone successfully using that connection.)

We already have an incident opened. Was just hoping someone here knew.

When I used the "Preview in Browser" it launches the mock server, which I don't want. So I use the run configuration. Click on the test folder, then flpSandbox.html. Sometimes the initial batch to retrieve the list report will work (maybe 50% of the time), but all subsequent $batch requests fail with a "CSRF token validation failed".

guillaume_bouzebra
Participant
0 Kudos

Hello,

Have you been able to solve your issue through the incident?
We are experiencing the same issue. New Fiori Elements application from template, using the Business Application Studio.
The backend connection is defined via an HTTP destination in CF.
We are able to correctly get the service from the catalogue during the wizard, but at runtime every batch request fails with 403 « CSRF token validation failed ». The first call is a HEAD to fetch the token and this one executes correctly. The token is passed correctly to subsequent batch calls. But in the ABAP backend, the validation fails. The token is present (we can see it in trace and in debug) but it detects that it's different than the security context.

If we add « useBatch: false » on the model in the manifest.json, the app works correctly.
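
The flow described in the post above (a HEAD request fetches the token, later $batch POSTs carry it, and the backend still rejects it as not matching the security context) can be checked from a captured header trace. The following is an added example, not code from the thread or from SAP: it assumes the token is only valid together with the session cookies issued alongside it, and the trace, URLs and cookie name `DEMO_SESSION` are constructed.

```javascript
// Added diagnostic example; not code from the thread or from SAP.
// Header names are assumed lower-cased; URLs, cookie names and values are constructed.
const MODIFYING = new Set(["POST", "PUT", "PATCH", "MERGE", "DELETE"]);
function parseCookiePairs(headerValue) { // "a=1; b=2" -> Map { a => "1", b => "2" }
  const pairs = new Map();
  for (const part of (headerValue || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) pairs.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return pairs;
}
function diagnoseCsrf(trace) {
  const jar = new Map();   // cookies the server has set so far
  let issuedToken = null;  // last token the server handed out
  const report = [];
  for (const [index, ex] of trace.entries()) {
    if (MODIFYING.has(ex.method)) {
      const findings = [];
      const sentToken = ex.reqHeaders["x-csrf-token"];
      if (!sentToken) findings.push("token-missing");
      else if (sentToken !== issuedToken) findings.push("token-not-the-issued-one");
      const sent = parseCookiePairs(ex.reqHeaders["cookie"]);
      for (const [name, value] of jar) {
        if (!sent.has(name)) findings.push(`cookie-dropped:${name}`);
        else if (sent.get(name) !== value) findings.push(`cookie-changed:${name}`);
      }
      const rejected = ex.status === 403 && ex.resHeaders["x-csrf-token"] === "Required";
      if (rejected && findings.length === 0) findings.push("continuity-ok-check-proxy-hops");
      report.push({ index, url: ex.url, rejected, findings });
    }
    // Update state from the response only after judging the request.
    for (const setCookie of ex.resHeaders["set-cookie"] || []) {
      const first = [...parseCookiePairs(setCookie.split(";")[0])][0];
      if (first) jar.set(first[0], first[1]);
    }
    const token = ex.resHeaders["x-csrf-token"];
    if (token && token !== "Required") issuedToken = token;
  }
  return report;
}

const sampleTrace = [ // constructed: token fetch, then a $batch sent with another session
  { method: "HEAD", url: "/demo/ZDEMO_SRV/", status: 200, reqHeaders: { "x-csrf-token": "Fetch" },
    resHeaders: { "x-csrf-token": "tokenA", "set-cookie": ["DEMO_SESSION=s1; path=/"] } },
  { method: "POST", url: "/demo/ZDEMO_SRV/$batch", status: 403,
    reqHeaders: { "x-csrf-token": "tokenA", cookie: "DEMO_SESSION=s2" },
    resHeaders: { "x-csrf-token": "Required" } },
];
console.log(JSON.stringify(diagnoseCsrf(sampleTrace), null, 2));
```

A finding of `continuity-ok-check-proxy-hops` means the browser-side trace is consistent, so the headers need to be compared again at a later hop of the request path.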

pmcfarling
Participant
0 Kudos

There was an issue with our cloud account. SAP fixed it on their end.