With the valuable help of SAP Support I was able to resolve the issue. It turns out the problem was not the CSRF token itself, but rather that the upload URL of the FileUploader was incomplete.
More precisely, the uploadURL was defined like this in the fragment:
<core:FragmentDefinition
xmlns="sap.m"
xmlns:core="sap.ui.core"
xmlns:u="sap.ui.unified">
x
<u:FileUploader
id="AttaUpload"
name="AttaUpload"
uploadUrl="uploadUrl="/sap/opu/odata/sap/<MY_SERVICE>/<MyEntitySet>('{<ID>}')/<MyDependentEntitySet>"
useMultipart="false"
change="onFileChange"
afterDialogClose="afterDialogClose"
uploadStart="onUploadStart"
uploadComplete="onUploadComplete"
buttonOnly="true"
uploadOnChange="true"
sendXHR="true"
buttonText="{@i18n>new}"
icon="{sap-icon://attachment-photo}"
/>
</core:FragmentDefinition>
At runtime this produced an URL like so:
https://<ourBTPAccount>.launchpad.cfapps.eu10.hana.ondemand.com/sap/opu/odata/sap/<MY_SERVICE>/<MyEn...
And this URL is not correct because it is relative to just the WorkZone launchpad, and not to my app.
When in reality, the correct URL has to contain the Destination Service ID for the destnation of our backend service, something like this:
https://<ourBTPAccount>.launchpad.cfapps.eu10.hana.ondemand.com/alphanumericalGUID.<destinationName>.<destinationName>/~moreRandomNumbers-~sap/opu/odata/sap/<MY_SERVICE>/<MyEntitySet>('<ID>')/<MyDependentEntitySet
I was able to resolve by picking up the current URL at runtime and setting it to the fileUploader uploadUrl, as follows:
In fragment XML:
- changed the uploadUrl in the fragment to just "/<MyEntitySet>('{<ID>}')/<MyDependentEntitySet"
In extension controller:
- declare global variable sServiceURL
- in onAfterRendering lifecycle event: capture the runtime path into sServiceURL
- in fileUploader related event (for me it was onFileChange): concatenate sServiceURL with <MyEntitySet>('<ID>')/<MyDependentEntitySet to get the full URL, and use method setUploadURL of fileUploader class to change to this new URL
Here is the abridged controller code:
sap.ui.define([
"sap/m/MessageBox"
], function (MessageBox) {
"use strict";
var sServiceUrl; // oData service URL
return {
onAfterRendering: function () {
var oView = this.getView();
/* Get service URL at runtime. This will be used in FileUploader event to complete the upload URL
including CF destination service ID. It cannot be fetched there
because at that event there is no Model defined for the view any more */
sServiceUrl = oView.getModel().sServiceUrl;
},
// FileUploader Events:
onFileChange: function (oEvent) {
var oFileUploader = oEvent.getSource();
var oFile = oFileUploader.oFileUpload.files[0];
this._file = oFile;
console.log("File selected:", oFile);
/* Destroy the header before each new uplaod.
Otherwise the parameters are just accumulating on each consecutive call
and the CSRF tokens are not recognised by SAP Server and refused */
oFileUploader.destroyHeaderParameters();
var headerParmaSlug = new sap.ui.unified.FileUploaderParameter();
headerParmaSlug.setName('slug');
headerParmaSlug.setValue(oFileUploader.getValue());
oFileUploader.addHeaderParameter(headerParmaSlug);
/* Get the CSRF token value and add as new header parameter */
this.csrfToken = this.getView().getModel().getSecurityToken();
var headerParmaCSRF = new sap.ui.unified.FileUploaderParameter();
headerParmaCSRF.setName('x-csrf-token');
headerParmaCSRF.setValue(this.csrfToken);
oFileUploader.addHeaderParameter(headerParmaCSRF);
/* Set uploadURL with the full service path. This ensures that
the destination service ID on CP will be correctly inserted into the URL */
var newUploadURL = sServiceUrl + oFileUploader.getUploadUrl();
oFileUploader.setUploadUrl(newUploadURL);
},
}
});
Again thanks to SAP Support for having pointed out the URL issue, as it never even occurred to me to look past the 403 error in the approuter log 🙂
Bluesky
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.