23
Views
1
Comments
Solved
Session_GetMobileAppLoginInfo returns "Invalid CSRF request" on reactive web
Application Type
Reactive
Platform Version
11.23.0 (Build 40636)

This is a continuation of the discussion that was taking place in this thread;
https://www.outsystems.com/forums/discussion/61503/getting-user-id-by-sessionid-from-rest-api/#Post300724

Use Case
The OS server is the authority on who the users are and what they can access. Our javascript client libraries are able to make calls to REST endpoints of your choice to supply signed authentication and authorization tokens for the bearing user.

When a reactive web client calls the javascript client library signin method to establish a connection, the client library requests an authentication token from the OS server. 

Problem

The Session_GetWebAppLoginInfo action works as expected when the javascript client library is used on the traditional web.

The Session_GetMobileAppLoginInfo does not work as expected and returns the "Invalid CSRF request" exception.

I have not tested this on a mobile application yet, as the goal was to use the reactive plugin on reactive web and mobile.

Implementation

Use the Session_GetWebAppLoginInfo  and Session_GetMobileAppLoginInfo in the REST (Expose) OnAuthentication action to validate the platform user session and login.

Failover logic first checks the Session_GetWebAppLoginInfo, and if nothing is returned, tries the Session_GetMobileAppLoginInfo.


Thanks 


Solution

To resolve the issue, I have set the X-Csrftoken using a javascript function on the reactive web client and the Session_GetMobileAppLoginInfo action returns as expected.

function sessionCRFToken () {
    const nr2Users = decodeURIComponent(('; '+document.cookie).split(`; nr2Users=`).pop().split(';')[0]);
    const crf = ('; '+ nr2Users).split(`; crf=`).pop().split(';')[0];
    return crf;
}

Is it possible that there is a bug in the Session_GetMobileAppLoginInfo action's behaviour?


Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.