DSpace 7 REST API


Kosmas Kaifel

Aug 18, 2021, 6:49:13 AM
to DSpace Technical Support
Hello,

How can I create / receive a valid CSRF token from the REST API
for a POST connection with the REST API?

Best Regards
Kosmas

--
+---------------------------------------------------------------+
Universität Ulm
Kommunikations- und Informationszentrum (kiz)
Abt. Informationsmedien
Albert-Einstein-Allee 37
89081 Ulm
Tel. 0731/50-15495
EMail: kosmas...@uni-ulm.de
+----------------------------------------------------------------+

Tim Donohue

Aug 18, 2021, 11:06:24 AM
to Kosmas Kaifel, DSpace Technical Support
Hi Kosmas,

See the REST Contract section on CSRF tokens: https://github.com/DSpace/RestContract/blob/main/csrf-tokens.md

Simply put, the CSRF Tokens will be sent to you in a prior GET request (and they may be updated at any time, so your client code needs to watch for them).  The CSRF token will be sent to the client in a DSPACE-XSRF-TOKEN header.

Tim

From: dspac...@googlegroups.com <dspac...@googlegroups.com> on behalf of Kosmas Kaifel <kosmas...@uni-ulm.de>
Sent: Wednesday, August 18, 2021 5:49 AM
To: DSpace Technical Support <dspac...@googlegroups.com>
Subject: [dspace-tech] DSpace 7 REST API
 

Kosmas Kaifel

Aug 19, 2021, 6:33:43 AM
to Tim Donohue, DSpace Technical Support

Hi Tim


thank you very much for the answer.

I know this page about the REST Contract, but I do not understand how I can create a
DSPACE-XSRF-COOKIE before I send the POST command.

Can you perhaps give me an example with the curl command for creating a DSPACE-XSRF-COOKIE?


curl http://dspace7-test.rz.uni-ulm.de:8080/server/api --data "user=xx...@uni-ulm.de&password=xxx" ..........?


Best Regards
Kosmas

Tim Donohue

Aug 19, 2021, 11:15:43 AM
to Kosmas Kaifel, DSpace Technical Support
Hi Kosmas,

You don't need to send any special request to generate the CSRF token...it's generated automatically on your first GET request and sent to you in the response.  The request you send doesn't matter.  What matters is that you need to watch for an HTTP Header named "DSPACE-XSRF-TOKEN" sent back to you in the response.   When that Header is specified in any response, that is your new CSRF token.

The value of this "DSPACE-XSRF-TOKEN" header is your assigned CSRF token.  That's the token you will need to send back in your next POST/PUT/PATCH/DELETE request. You must send it back in a different HTTP Header, the "X-XSRF-TOKEN" header.

Your code MUST watch for a "DSPACE-XSRF-TOKEN" in every response you receive from the DSpace REST API.  When that header is sent to you, that means your CSRF token has changed.  Your token may change for a variety of reasons (e.g. when you login/logout, when you send an invalid request, or if you appear to be coming from a different client or have been idle for some time).

(The DSPACE-XSRF-COOKIE does not need to be used at all by your client. It's generated by the REST API and it's an HttpOnly cookie, meaning it cannot be read by JavaScript.  That cookie is only used by the REST API to validate your token...i.e. the token you send in X-XSRF-TOKEN to the REST API must match the token in that Cookie.)

Tim


From: Kosmas Kaifel <kosmas...@uni-ulm.de>
Sent: Thursday, August 19, 2021 5:33 AM
To: Tim Donohue <tim.d...@lyrasis.org>; DSpace Technical Support <dspac...@googlegroups.com>
Subject: Re: [dspace-tech] DSpace 7 REST API
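As an added example (not code from this thread, nor from DSpace itself), the token handling Tim describes above in a small client, paired with a constructed stand-in server that validates X-XSRF-TOKEN against the HttpOnly DSPACE-XSRF-COOKIE the way his reply outlines. The stand-in server, its 403 responses and its token-rotation rule are assumptions for the demonstration, not DSpace behaviour verified here.

```python
import secrets
from typing import Dict, Optional, Tuple

UNSAFE = {"POST", "PUT", "PATCH", "DELETE"}  # methods that need X-XSRF-TOKEN
Headers = Dict[str, str]


class StandInServer:
    """Constructed stand-in for the REST API (not DSpace code): issues and rotates tokens."""

    def _rotate(self, status: int) -> Tuple[int, Headers, Headers]:
        token = secrets.token_hex(16)
        # Same value goes into the readable response header and the HttpOnly cookie.
        return status, {"DSPACE-XSRF-TOKEN": token}, {"DSPACE-XSRF-COOKIE": token}

    def handle(self, method: str, headers: Headers, cookies: Headers):
        cookie_token = cookies.get("DSPACE-XSRF-COOKIE")
        if cookie_token is None:  # first contact: hand out a token on any request
            return self._rotate(403 if method in UNSAFE else 200)
        if method in UNSAFE and headers.get("X-XSRF-TOKEN") != cookie_token:
            return self._rotate(403)  # mismatch: reject, and the client gets a fresh token
        return 200, {}, {}


class DSpaceClient:
    """Watches every response for DSPACE-XSRF-TOKEN and echoes it back in X-XSRF-TOKEN."""

    def __init__(self, server: StandInServer) -> None:
        self.server = server
        self.csrf_token: Optional[str] = None
        self.cookie_jar: Headers = {}  # stored and returned like a browser would, never read

    def request(self, method: str) -> int:
        headers: Headers = {}
        if method in UNSAFE and self.csrf_token:
            headers["X-XSRF-TOKEN"] = self.csrf_token
        status, resp, set_cookies = self.server.handle(method, headers, self.cookie_jar)
        self.cookie_jar.update(set_cookies)
        if "DSPACE-XSRF-TOKEN" in resp:  # any response may carry a new token
            self.csrf_token = resp["DSPACE-XSRF-TOKEN"]
        return status


def demo() -> list:
    client = DSpaceClient(StandInServer())
    statuses = [client.request("GET"), client.request("POST")]  # token issued, then accepted
    client.csrf_token = "stale-value"  # a client that stopped watching the header
    statuses += [client.request("POST"), client.request("POST")]  # rejected, then recovered
    return statuses  # [200, 200, 403, 200]
```

The recovery in the last step only works because the client re-reads DSPACE-XSRF-TOKEN from the 403 response; a client that caches the token once and never looks again stays locked out.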
 

Kosmas Kaifel

Aug 23, 2021, 6:32:04 AM
to DSpace Technical Support

Hi Tim,


thank you for the answer.
Now I understand how I receive the cookie.


Best Regards
Kosmas
