cancel
Showing results for 
Search instead for 
Did you mean: 

Integrating Python and River - CSRF problems

Former Member

Hi,

So I'm trying to integrate Python into River to do some testing. The only thing that makes it a bit tricky is that we have to handle XSRF/CSRF within Python and so I use the requests framework to make this easier for me.

I successfully get the X-CSRF-TOKEN and save it into local variable token. The guide then says that you pass it back in the headers. I tried it as a parameter too, and either mechanism works using Postman in Chrome.

Request execution failed due to missing or invalid XSRF token

Presumably I'm doing something wrong!

John

#! /usr/bin/python

import requests

import json

# First, get the X-CSRF-TOKEN

csrfurl='http://localhost:8000/sap/hana/rdl/odata/v1/project/subproject'

params= { 'X-CSRF-TOKEN': 'Fetch' }

auth= 'User','Password'

headers = {'Connection': 'keep-alive'}

r=requests.get(csrfurl,params=params, auth=auth, headers=headers)

params = { 'X-CSRF-TOKEN': r.headers['x-csrf-token'] }

token = r.headers['x-csrf-token']

print token

url='http://localhost:8000/sap/hana/rdl/odata/v1/project/subproject/entitu'

payload='{"customerId": 1, "firstName": "John", "lastName": "Appleby"}'

headers= {'Content-type': 'application/json;charset=utf-8', 'X-CSRF-TOKEN': token, 'Referer': csrfurl, 'Connection': 'keep-alive'}

r=requests.post(url, data=json.dumps(payload), headers=headers, auth=auth, params=params)

print headers

print r.url

print r.headers

print r.text

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Found it.. first, I needed to use requests.Session(). It looks like this persists cookies, which was upsetting HANA.

There was also a bug in my payload, I was doing json.dumps, which wasn't necessary.


John

#! /usr/bin/python

import requests

import json

s = requests.Session()

s.headers.update({'Connection': 'keep-alive'})

params= { 'X-CSRF-TOKEN': 'Fetch' }

auth= 'User','Password'

r=s.get('http://localhost:8000/sap/hana/rdl/odata/v1/rca_demo/rca_demo',auth=auth,params=params)

token = r.headers['x-csrf-token']

print token

url='http://localhost:8005/sap/hana/rdl/odata/v1/project/subproject/entity'

payload='{ "customerId": 15, "firstName": "John", "lastName": "Appleby"}'

headers= {'Content-type': 'application/json;charset=utf-8', 'X-CSRF-TOKEN': token}

r2=s.post(url, data=payload, headers=headers, auth=auth)

print headers

print r2.url

print r2.headers

print r2.text

Former Member
0 Kudos

Thanks, thats great.  I've only played with sap-river.com so far,  but I'm wondering if .csv/.hdbtid/.hdbtim files in the same package, could be used instead of python for loading static data, assuming River is installed on your local HANA box.   Do you think that would be a possible alternative?

Former Member
0 Kudos

Yes absolutely. I like to load the CSV files using python though it is much slower.

I like it because it ensures referential integrity, and you can nest entities inside each other to create complex loads.

John

PhilipMugglestone
Product and Topic Expert
Product and Topic Expert
0 Kudos

Per the discussion on your Top 10 River blog, in the Academy videos as far as I know I always used HTTP headers for x-csrf-token (both for the initial fetch and also when passing it back in the subsequent POST etc). This is in line with the doc. That said, I was testing with Python using your code above as the basis - and indeed the initial fetch works as an HTTP parameter. However I would recommend doing it as a HTTP header like this:

headers= { 'X-CSRF-TOKEN': 'Fetch' }

auth= 'User','Password'

r=s.get('http://localhost:8000/sap/hana/rdl/odata/v1/rca_demo/rca_demo',auth=auth,headers=headers')

token = r.headers['x-csrf-token']

print token

Anyway, great idea to use Python and there's an Academy video explaining how to do it in the works...

jmsrpp
Advisor
Advisor
0 Kudos

Thanks Philip for recording the 3 River/Python videos on HANA Academy.  They are a great elaboration of the use case John shared above. 

Furthermore, great sentiment on testing the efficacy of the River application instead of just loading CSV or using SQL to insert data into the underlying HANA tables.  That statement definitely resonated with me and I'm setting up the Python environment now!

Answers (0)