Hello:
How can we generate csrf_token from outside Frappe when doing a POST API call? I know there are multiple threads about it, but none of them describes how to generate the token if you are not inside Frappe.
Thanks.
You can’t get the CSRF token outside of Frappe. Please check this link for more insight into the CSRF token: What is a CSRF token? What is its importance and how does it work? - Stack Overflow
Thanks @ManasSolanki for the reply. So what is the way for some other system to talk to ERPNext, if not the REST API? Or how can we generate a CSRF token dynamically for somebody who wants to push data to ERPNext?
@MaysaaSafadi isn’t the REST API the ideal way to connect an outside system? Why can’t we send a CSRF_Token as part of the login response, which can be used later for other calls?
I achieved this by sending the CSRF_token as part of the login response.
I am looking at how to do this as well from another program. How did you send the token as part of the login? I kinda want to just take the token out of frappe
could you show us how to do it? Thanks
To test whether it works, I have added one line in frappe/auth.py:
Line No. 163
frappe.response["csrf_token"] = frappe.generate_hash()
It will return csrf_token as part of the login response.
And then you use it in Postman to make further calls to the REST API?
Thanks
But OAuth2 already generates a token that you can use with all requests.
Now you can either use Postman or call it from any technology.
Can you explain your approach plz?
You mean part of the body?
The solution proposed by @ajeenckya still works in 2022 with Version-14, but you need to make changes like this:
path: apps > frappe > frappe > auth.py
And that is all. Restart your bench.
Now, if you are confused about how you will receive and use this token, then just leave it. Cookies will be stored automatically in your browser, and on the next API call they will be sent and work for you.
One last important thing
I don’t recommend making changes to the auth.py file directly. Instead, you should override this function in your custom app but I didn’t have time to check that so can’t help with that.
Hi
A CSRF token should never be set as a cookie. That way the browser will send it automatically to the server, which makes it useless against the attack it is supposed to mitigate.
This is a secret token, and the best way to send it to the server is in a custom header or inside the payload. From server to client, it can be included in the payload of the login endpoint response.
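The two posts above disagree on how the token should travel after login: the Version-14 post relies on cookies, the reply insists on a header. The example below is added here and is not code from the thread or from Frappe. It shows a client that takes csrf_token from the login response body (as the auth.py patch in this thread returns it) and sends it on every later POST in the X-Frappe-CSRF-Token header, while the sid session cookie travels on its own. The header name is the one Frappe's CSRF check reads (confirm it against the validate_csrf_token code of your version), the endpoints are Frappe's real /api/method/login and /api/method/<dotted.path>, and FakeFrappeSite plus the credentials are constructed so the exchange runs offline; against a real site you would pass requests.Session() instead.

```python
import hmac
import secrets
from typing import Optional

# Header that Frappe's CSRF check reads on POST requests (assumption: confirm
# against the validate_csrf_token code of the version you run).
CSRF_HEADER = "X-Frappe-CSRF-Token"


class _Response:
    """Just enough of requests.Response for the client below."""

    def __init__(self, status_code: int, body: dict):
        self.status_code = status_code
        self._body = body

    def json(self) -> dict:
        return self._body


class FakeFrappeSite:
    """Constructed stand-in for requests.Session() pointed at a patched site.

    It keeps the sid cookie between calls the way requests.Session does, and
    on the server side behaves like the thread's auth.py patch: the login
    response body carries csrf_token, and every later POST must present the
    same value in the header or it gets HTTP 400 (CSRFTokenError in Frappe).
    A cookie alone is never enough, which is the whole point of the token.
    """

    def __init__(self, users: dict):
        self._users = users      # {username: password}, demo data only
        self._sessions = {}      # server side: sid -> csrf_token
        self.cookies = {}        # client-side cookie jar

    def post(self, url: str, json: Optional[dict] = None, headers: Optional[dict] = None) -> _Response:
        body, headers = json or {}, headers or {}
        if url.endswith("/api/method/login"):
            pwd = body.get("pwd") or ""
            stored = self._users.get(body.get("usr"), "")
            if not pwd or not hmac.compare_digest(stored.encode(), pwd.encode()):
                return _Response(401, {"message": "Invalid login"})
            sid, token = secrets.token_hex(16), secrets.token_hex(16)
            self._sessions[sid] = token
            self.cookies["sid"] = sid       # what Set-Cookie: sid=... would do
            return _Response(200, {"message": "Logged In", "csrf_token": token})
        expected = self._sessions.get(self.cookies.get("sid"))
        sent = headers.get(CSRF_HEADER, "")
        if expected is None or not hmac.compare_digest(expected.encode(), sent.encode()):
            return _Response(400, {"exc_type": "CSRFTokenError"})
        return _Response(200, {"message": {"method": url.rsplit("/", 1)[-1], "args": body}})


class FrappeApiClient:
    """Client for a site whose login response includes csrf_token (the thread's patch)."""

    def __init__(self, base_url: str, session):
        # `session` is anything shaped like requests.Session: .post(url, json=, headers=)
        # plus a cookie jar. Pass requests.Session() when talking to a real site.
        self.base_url = base_url.rstrip("/")
        self.session = session
        self.csrf_token: Optional[str] = None

    def login(self, usr: str, pwd: str) -> str:
        r = self.session.post(f"{self.base_url}/api/method/login", json={"usr": usr, "pwd": pwd})
        if r.status_code != 200:
            raise PermissionError(f"login failed with HTTP {r.status_code}")
        # Read from the JSON body and kept in memory, never stored as a cookie,
        # so a cross-site attacker's browser-initiated request cannot carry it.
        self.csrf_token = r.json()["csrf_token"]
        return self.csrf_token

    def call(self, method: str, **args):
        if not self.csrf_token:
            raise RuntimeError("call login() first")
        r = self.session.post(
            f"{self.base_url}/api/method/{method}",
            json=args,
            headers={CSRF_HEADER: self.csrf_token},   # sid cookie rides along via the session
        )
        if r.status_code != 200:
            raise PermissionError(f"{method} rejected with HTTP {r.status_code}: {r.json()}")
        return r.json()["message"]


def demo() -> dict:
    """Run the exchange against the fake site and report what each attempt produced."""
    site = FakeFrappeSite({"integration@example.com": "demo-password"})   # constructed credentials
    client = FrappeApiClient("https://erp.example.com", site)
    client.login("integration@example.com", "demo-password")
    ok = client.call("frappe.client.get_count", doctype="ToDo")
    client.csrf_token = "0" * 32   # a caller holding the cookie but the wrong token
    try:
        client.call("frappe.client.get_count", doctype="ToDo")
        rejected = False
    except PermissionError:
        rejected = True
    return {"with_token": ok, "wrong_token_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The fake compares the token with hmac.compare_digest, which is also what you want server side if you ever override the check yourself: a plain `==` on the secret leaks timing information.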
Hi, can you guide me on how to write the function and how to give its path in hooks.py, please?
How can I do it from auth_hooks using hooks.py?
Copying text from the documentation link shared before: Hooks
app/hooks.py
auth_hooks = ["app.overrides.validate_custom_jwt"]
The method will be called during request authentication.
app/overrides.py
def validate_custom_jwt():
    # validate jwt from header, verify signature, set user from jwt.
    pass
Note: You will get the request in frappe.request in your Python code.
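The documentation stub above leaves the body of validate_custom_jwt empty. What follows is an added example, not Frappe's code or the documentation's: one way to fill it in, verifying an HS256 token taken from an Authorization: Bearer header with the standard library only. It assumes the shared secret is stored in site_config.json under a hypothetical key custom_jwt_secret, and it uses frappe.get_request_header, frappe.conf, frappe.set_user and frappe.AuthenticationError, imported lazily inside the hook so the verification helpers can be exercised outside a bench. A request without a bearer token is left alone, so normal session, API-key and OAuth2 authentication keep working. The demo secret and the tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. A deployment would read it from site_config.json,
# e.g. frappe.conf.get("custom_jwt_secret") (hypothetical key), never hard-code it.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 JWT. Only here so the example can mint tokens to check."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims of a valid token or raise ValueError.

    Order matters: the alg is pinned to HS256 before any signature logic runs
    (a token claiming alg "none" or another algorithm is rejected outright),
    the signature is compared in constant time, then expiry and the subject
    to log in as are checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
        sent_sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and Unicode errors too
        raise ValueError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sent_sig):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    current = time.time() if now is None else now
    if "exp" in claims and current >= float(claims["exp"]):
        raise ValueError("token expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def jwt_is_valid(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    try:
        verify_hs256_jwt(token, secret, now)
    except ValueError:
        return False
    return True


def extract_bearer(authorization_header: Optional[str]) -> Optional[str]:
    """Pull the token out of 'Authorization: Bearer <jwt>'; None if absent."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def validate_custom_jwt():
    """auth_hooks entry point; Frappe calls it during request authentication."""
    import frappe  # lazy so the helpers above can run outside a bench

    token = extract_bearer(frappe.get_request_header("Authorization"))
    if not token:
        return  # no bearer token: leave Frappe's own session/API-key/OAuth auth alone
    secret = frappe.conf.get("custom_jwt_secret")  # hypothetical site_config.json key
    if not secret:
        return
    try:
        claims = verify_hs256_jwt(token, secret.encode("utf-8"))
    except ValueError:
        raise frappe.AuthenticationError("Invalid JWT")
    frappe.set_user(claims["sub"])  # claims["sub"] is the Frappe user name (e-mail)
```

Register it as `auth_hooks = ["app.overrides.validate_custom_jwt"]` in your app's hooks.py, as the documentation snippet shows; the subject in the token must be an existing enabled Frappe user, since set_user does not create one.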