Problems with login (invalid CSRF token)


Oscar DD

Nov 16, 2021, 10:17:15 AM
to DSpace Technical Support
Hello. I was testing DSpace 7.1 (just installed) and when I wanted to test the REST APIs, I got a 403 error like the one you see on the screen, and according to what I was reading it was because I needed to send it my CSRF token. I also checked some emails that were sent by this group, and it is mentioned that the CSRF token is returned to me in the first GET I make, but I don't know if the GET request must be successful for it to be returned, because all the requests I make return a 403 error.
On the other hand, I have some suspicions and doubts that are related to the authentication data. The username and password that I am using are the ones that I created from the front when I logged in with some generic credentials that appear in the DSpace demo. I did this since the account that is created for me as administrator from cmd when installing the back end does not allow me to log in. However, from localhost:4000 (front), using the credentials that I just created and with which I am trying to test the APIs, I have no problem logging in manually.
I hope someone can help me.
By the way, I am new to this. Thank you very much in advance.
Bonus fact: I am trying to test the APIs from Postman. Would there be any problem in doing so, and how do I log in from there? Or do you recommend other tools like curl?
login.PNG

Tim Donohue

Nov 16, 2021, 10:33:45 AM
to DSpace Technical Support
I'd highly recommend first ensuring your login works from the UI or from the REST API's "Hal Browser". If you cannot log in through those, then a login via Postman will always fail. And if you are encountering login issues in the UI or Hal Browser, you should look for underlying errors... see our Troubleshooting guide: https://wiki.lyrasis.org/display/DSPACE/Troubleshoot+an+error#Troubleshootanerror-DSpace7.x(orabove)

The CSRF token will be sent back to you on the first request you send to the REST API.  It may also *change* whenever a 403 error occurs and a new token will be sent back. See https://github.com/DSpace/RestContract/blob/main/csrf-tokens.md

At the OR2021 conference earlier this year, we held a workshop which included an overview of the REST API: https://tinyurl.com/or2021-dspace7-workshop. In that workshop, we also shared these sample configs for Postman: https://github.com/DSpace-Labs/DSpace7RestTutorial/tree/master/postman-config. My understanding is those should help with CSRF token management in Postman, but I admit I haven't tried them myself.

If you have other questions, let us know on the list.   We also welcome improvements to our documentation, if you find a way to make this work easier which we don't have well documented yet.

Tim
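
Added example, not part of the thread and not DSpace's own code: a minimal Python client that reads the CSRF token from every response, including a 403, and retries once when the token has rotated, as the reply above describes. The header and cookie names are taken from the csrf-tokens.md contract linked in the reply and should be checked against your version; `FakeBackend` is a constructed stand-in so the logic can be exercised offline.

```python
import urllib.error
import urllib.request

TOKEN_HEADER = "DSPACE-XSRF-TOKEN"  # response header carrying the current token
ECHO_HEADER = "X-XSRF-TOKEN"        # request header the client sends it back in
COOKIE_NAME = "DSPACE-XSRF-COOKIE"  # cookie the server compares the header against

def http_transport(method, url, headers, body=None):
    """Send one request with urllib; return (status, headers) even on 4xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items())

class CsrfClient:
    """Tracks the CSRF token across responses and retries once after a 403."""
    def __init__(self, base_url, transport=http_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.token = None

    def request(self, method, path, body=None):
        for _ in range(2):  # original attempt plus one retry with a fresh token
            headers = {}
            if self.token:
                headers[ECHO_HEADER] = self.token
                # Assumption: the cookie holds the same value (double submit).
                headers["Cookie"] = f"{COOKIE_NAME}={self.token}"
            status, resp = self.transport(method, self.base_url + path, headers, body)
            fresh = {k.upper(): v for k, v in resp.items()}.get(TOKEN_HEADER)
            rotated = bool(fresh) and fresh != self.token
            if fresh:
                self.token = fresh  # read it from every response, 403s included
            if status != 403 or not rotated:
                break  # success, or a 403 that is not about the token
        return status

class FakeBackend:
    """Constructed stand-in for the REST API, used for the offline check."""
    def __init__(self):
        self.n, self.token = 0, "tok-0"

    def __call__(self, method, url, headers, body=None):
        ok = method == "GET" or headers.get(ECHO_HEADER) == self.token
        if not ok:  # rotate the token on a CSRF failure
            self.n += 1
            self.token = f"tok-{self.n}"
        return (200 if ok else 403), {TOKEN_HEADER: self.token}
```

With the default transport the same client can be pointed at a real backend; a 403 that persists after the retry is not a stale-token problem and needs the troubleshooting steps from the reply.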