Hi Kosmas,

You don't need to send any special request to generate the CSRF token...it's generated automatically on your first GET request and sent to you in the response. The request you send doesn't matter. What matters is that you need to watch for an HTTP Header named "DSPACE-XSRF-TOKEN" sent back to you in the response. When that Header is specified in any response, that is your new CSRF token.

The value of this "DSPACE-XSRF-TOKEN" header is your assigned CSRF token. That's the token you will need to send back in your next POST/PUT/PATCH/DELETE request. You must send it back in a different HTTP Header, the "X-XSRF-TOKEN" header.

Your code MUST watch for a "DSPACE-XSRF-TOKEN" in every response you receive from the DSpace REST API. When that header is sent to you, that means your CSRF token has changed. Your token may change for a variety of reasons (e.g. when you login/logout, when you send an invalid request, or if you appear to be coming from a different client or have been idle for some time).

(The DSPACE-XSRF-COOKIE does not need to be used at all by your client. It's generated by the REST API and it's an HttpOnly cookie, meaning it cannot be read by JavaScript. That cookie is only used by the REST API to validate your token...i.e. the token you send in X-XSRF-TOKEN to the REST API must match the token in that Cookie.)

Tim

________________________________
From: Kosmas Kaifel <[email protected]>
Sent: Thursday, August 19, 2021 5:33 AM
To: Tim Donohue <[email protected]>; DSpace Technical Support <[email protected]>
Subject: Re: [dspace-tech] DSpace 7 REST API

Hi Tim,

thank you very much for the answer. I know this page about the REST Contract, but I do not understand how I can create a DSPACE-XSRF-COOKIE before I send the POST command. Can you perhaps give me an example with the curl command for creating a DSPACE-XSRF-COOKIE?

curl http://dspace7-test.rz.uni-ulm.de:8080/server/api --data "[email protected]&password=xxx" ..........?

Best Regards
Kosmas

On 18.08.2021 at 17:06, Tim Donohue wrote:

Hi Kosmas,

See the REST Contract section on CSRF tokens: https://github.com/DSpace/RestContract/blob/main/csrf-tokens.md

Simply put, the CSRF Tokens will be sent to you in a prior GET request (and they may be updated at any time, so your client code needs to watch for them).
The CSRF token will be sent to the client in a DSPACE-XSRF-TOKEN header.

Tim

________________________________
From: [email protected] <[email protected]> on behalf of Kosmas Kaifel <[email protected]>
Sent: Wednesday, August 18, 2021 5:49 AM
To: DSpace Technical Support <[email protected]>
Subject: [dspace-tech] DSpace 7 REST API

Hello,

how can I create / receive a valid CSRF token from the REST API for a POST connection with the REST API?

Best Regards
Kosmas

--
+---------------------------------------------------------------+
Universität Ulm
Kommunikations- und Informationszentrum (kiz)
Abt. Informationsmedien
Albert-Einstein-Allee 37
89081 Ulm
Tel. 0731/50-15495
EMail: [email protected]
+----------------------------------------------------------------+

--
All messages to this mailing list should adhere to the Code of Conduct: https://www.lyrasis.org/about/Pages/Code-of-Conduct.aspx
---
You received this message because you are subscribed to the Google Groups "DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/dspace-tech/619158f2-f21a-4978-2cb1-21a3656c0b11%40uni-ulm.de.
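
The token handling described in the first message of this thread (watch every response for DSPACE-XSRF-TOKEN, send the latest value back in X-XSRF-TOKEN on POST/PUT/PATCH/DELETE, let the cookie jar carry DSPACE-XSRF-COOKIE), as an added example that is not code from the thread or from the DSpace project. `DSpaceCsrfClient`, `StubApi`, `demo` and the `/demo` path are hypothetical names, and the stub server, including its 403 on a token mismatch, is a constructed stand-in so the example runs offline.

```python
import http.server, secrets, threading, urllib.error, urllib.request
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

class DSpaceCsrfClient:
    def __init__(self, api_root):
        self.api_root, self.csrf_token = api_root.rstrip("/"), None
        # The cookie jar replays DSPACE-XSRF-COOKIE; the client never reads it.
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor())

    def remember(self, headers):  # any response may rotate the token
        self.csrf_token = headers.get("DSPACE-XSRF-TOKEN") or self.csrf_token

    def request(self, method, path="", data=None):
        if method in MUTATING and self.csrf_token is None:
            self.request("GET")  # the first GET hands out a token
        headers = {"X-XSRF-TOKEN": self.csrf_token} if method in MUTATING and self.csrf_token else {}
        req = urllib.request.Request(self.api_root + path, data, headers, method=method)
        try:
            with self.opener.open(req) as resp:
                self.remember(resp.headers)
                return resp.status
        except urllib.error.HTTPError as err:
            self.remember(err.headers)  # a rejected request can carry a new token
            return err.code

class StubApi(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the REST API so the demo runs offline."""
    def handle_any(self):
        self.rfile.read(int(self.headers.get("Content-Length") or 0))
        cookie = (self.headers.get("Cookie") or "").partition("DSPACE-XSRF-COOKIE=")[2]
        ok = self.command == "GET" or (cookie and cookie == self.headers.get("X-XSRF-TOKEN"))
        self.send_response(200 if ok else 403)  # 403 on mismatch is an assumption
        if not cookie or not ok:  # first contact or invalid request: new token
            token = secrets.token_hex(8)
            self.send_header("DSPACE-XSRF-TOKEN", token)
            self.send_header("Set-Cookie", f"DSPACE-XSRF-COOKIE={token}; Path=/; HttpOnly")
        self.end_headers()
    do_GET = do_POST = handle_any
    log_message = lambda self, *args: None  # keep the demo quiet

def demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), StubApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    client = DSpaceCsrfClient(f"http://127.0.0.1:{server.server_port}/server/api")
    first = client.request("POST", "/demo", b"{}")     # bootstrap GET, then POST
    client.csrf_token = "stale"                        # simulate a missed rotation
    rejected = client.request("POST", "/demo", b"{}")  # 403 plus a new token
    retried = client.request("POST", "/demo", b"{}")   # accepted with the new token
    server.shutdown()
    return first, rejected, retried
```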
