CSRF Token in API Call from Postman

You can’t get the CSRF token outside of the frappe. Please check this link for more insight into the CSRF token What is a CSRF token? What is its importance and how does it work? - Stack Overflow

Thanks @ManasSolanki for the reply. So what is the way for some other system to talk to ERPNext, if not the REST API? Or how can we generate a CSRF token dynamically for somebody who wants to push data to ERPNext?

You can use OAuth2
Check this discussion Android Frappe Authenticator

@MaysaaSafadi isn’t the ideal way to connect an outside system the REST API? Why can’t we send a CSRF_Token as part of the login response which can be used later for other calls?

I achieved this by sending CSRF_token as part of login response.

I am looking at how to do this as well from another program. How did you send the token as part of the login? I kinda want to just take the token out of frappe

Could you show us how to do it? Thanks

To test whether it works, I have added one line in frappe/auth.py:

Line No. 163

frappe.response["csrf_token"] = frappe.generate_hash()

It will return csrf_token as part of login response.


And then you use it in the Postman to further do calls to REST?

But OAuth2 already generates a token that you can use with all requests.


Now you can either use POSTMAN or from any technology.

Can you explain your approach plz?

You mean part of the body?

The solution proposed by @ajeenckya still works in 2022 with Version-14 but you need to make changes like this:

path: apps > frappe > frappe >auth.py

  1. Find the function called set_user_info in auth.py
  2. at the very end of this function add the following line:
    frappe.local.cookie_manager.set_cookie("csrf_token", frappe.generate_hash())

And that is all. Restart your bench.

Now, if you are confused about how you will receive and use this token, then just leave it. Cookies will be stored automatically in your browser, and on the next API call they will be sent and work for you.

One last important thing
I don’t recommend making changes to the auth.py file directly. Instead, you should override this function in your custom app, but I didn’t have time to check that, so I can’t help with that.

Check out auth_hooks: Hooks

A csrf token should never be set as a cookie. This way the browser will send it automatically to the server, which makes it useless against the attack it is supposed to mitigate.
This is a secret token and the best way to send it to the server is using a custom header or inside the payload. From server to client, it can be included in the payload of the login endpoint response.
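The distinction made above, as an added illustration that is not Frappe code and not from any poster in this thread: a small in-memory session store (constructed for the example) where login returns the token in the response body, a weak check that reads the token from a cookie, and a hardened check that requires it in a custom header. The header name X-CSRF-Token and the store are assumptions, not Frappe's own names.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> CSRF token.
# Hypothetical; a real server keeps this server-side per session.
SESSIONS = {}


def login(username, password):
    """Return (session_id, response_body).

    The token travels in the login response body, as recommended
    above, never as a cookie. Credential checking is elided here.
    """
    sid = secrets.token_urlsafe(32)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = token
    return sid, {"message": "Logged In", "csrf_token": token}


def weak_check(cookies):
    """Weak variant: the token is itself a cookie. The browser attaches
    all cookies to a cross-site request, so a forged request passes."""
    sid = cookies.get("sid")
    return sid in SESSIONS and cookies.get("csrf_token") == SESSIONS[sid]


def strong_check(cookies, headers):
    """Hardened variant: the session cookie identifies the user, but the
    token must be echoed in a custom header (assumed name X-CSRF-Token).
    A cross-site page cannot set that header; an API client such as
    Postman sets it from the login response."""
    sid = cookies.get("sid")
    if sid not in SESSIONS:
        return False
    sent = headers.get("X-CSRF-Token", "")
    return hmac.compare_digest(sent, SESSIONS[sid])


def simulate():
    """Constructed scenario: a browser holding both cookies, one forged
    cross-site request (no custom header) and one legitimate request."""
    sid, body = login("user@example.com", "constructed-password")
    browser_cookies = {"sid": sid, "csrf_token": body["csrf_token"]}
    forged_headers = {}
    legit_headers = {"X-CSRF-Token": body["csrf_token"]}
    return {
        "weak_accepts_forged": weak_check(browser_cookies),
        "strong_rejects_forged": not strong_check(browser_cookies, forged_headers),
        "strong_accepts_legit": strong_check(browser_cookies, legit_headers),
    }
```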

Hi, can you guide me on how to write a function and give its path in hooks.py? Please.

How can I do it from auth_hooks using hooks.py?

Copying text from the documentation link shared before (Hooks):


auth_hooks = ["app.overrides.validate_custom_jwt"]

The method will be called during request authentication.


def validate_custom_jwt():
    # validate jwt from header, verify signature, set user from jwt.
    pass

Note: You will get request in frappe.request in your python code.

So I have to write only this line in my override function: frappe.response["csrf_token"] = frappe.generate_hash()?