cancel
Showing results for 
Search instead for 
Did you mean: 

SAP CAP - CSRF token not working with API Provider API on API Management

roc_ag
Explorer
1,064

Dear Community,

When publishing an API on API Mangement with Resources (OpenAPI/Swagger) from an OnPrem system, it won't let you expose HEAD Resource.

Why this is a problem?: This is a problem because SAP CDS library if you use "await cds.connect.to("API")" and your API/Connection is in the package.json like so:

"cds": {
    "requires": {
        "API": {
            "kind": "odata",
            "credentials": {
                "destination": "DEST_API",
            }
            "csrf": true
        }
    }
}

This will do always a HEAD request to obtain the token then it will always fail and changing OpenAPI decalration on API Management does not make sence because can be refreshed anytime, also was trying to fork @sap/cds to do a Pull Request on adding the propertie like ("crsfMethod": "GET") but there is no public repo for CAP libraries.

Anyone can help on this?

Already implemented Policies on API Management that handles the CRSF token but I do not think is a good way for our case.

Thanks in advance Community,

Roc

Willem_Pardaens
Product and Topic Expert
Product and Topic Expert
0 Kudos

Would you be able to add the HEAD option in the source system, so it is part of the OpenAPI spec? Is it a NW Gateway system?

If not, you could look at the SAP Cloud SDK as the framework underneath CAP, which has an option to customize the csrf fetching method, see https://sap.github.io/cloud-sdk/docs/js/features/odata/v4-client#custom-csrf-token-handling

roc_ag
Explorer
0 Kudos

Hello willem.pardaens,

So problem here that this APIs are standard so $metadata is already defined and yes it is an S/4 GW.

Also yes underneath there is SAP Cloud SDK and also yes we could add the retrival of the token and add it as custom header. But then I use axios and customize everything, the point of that was to add the possibility of changing the method of the request to API Management.

I belive that problem is on not allowing HEAD easly on API Management but still it is wierd that such a feature is not pre thought when CAP and API Management arw well stablished technologies.

I would say this is not a question is to rise awarenes.

Thanks!

Willem_Pardaens
Product and Topic Expert
Product and Topic Expert

Hi Roc, with the SAP Cloud SDK it's rather straight-forward to execute a call to a Destination while also being able to set the verb for the csrf call. Nonetheless, indeed, this is a configuration I don't see in the CAP layer. I will try and raise a feature request for this, as your scenario makes certainly sense.

View Entire Topic
Arley
Product and Topic Expert
Product and Topic Expert

Hello Roc,

We have introduced a new feature for remote services to address more advanced scenarios related to CSRF-token handling. We have provided an API allowing you to customize the HTTP method (the default is head) to fetch the CSRF token. The new API will be available in the upcoming release of CAP.

You can utilize the following parameters method and url in the configuration of your remote services:

"cds": {
    "requires": {
        "API_BUSINESS_PARTNER": {
            "kind": "odata",
            "model": "srv/external/API_BUSINESS_PARTNER",
            "csrf": {
              "method": "get",
              "url": "..."
            }
        }
    }
}


Here's a breakdown of the customization options:

- method: Specifies the HTTP method for fetching the CSRF token. The default is set to head.
- url: Defines the URL for fetching the CSRF token. The default setting is the resource path without parameters.


For more detailed information, please consult the pull request documentation on GitHub at the following link:

feat(remote): advanced configurable CSRF token fetching

Thanks, and kind regards

roc_ag
Explorer

Hello Arley,

Love to listen that you have implemented it, will be expecting this release.

You guys rock!!