What is an XSRF token and how do I generate it?


Joe Simington

Jan 19, 2014, 11:14:48 PM
I think I saw some reference to this in the documentation, but I can't seem to find it.  When I do a search of the entire Developers site, I get zero hits.
It must be necessary because when I remove it from my test submit, I get XSRF token failed.
But it accepts a token I copied and pasted from the simulation page... Which I also don't understand.
I am not able to get any documents to print -- with or without the token.
When I use the token the response shows the document is submitted successfully, but the end result is either a blank page on the printer, or a status of "Queued" without change for the document.



John C. Bland II

Jan 19, 2014, 11:14:39 PM
to gcp-dev...@googlegroups.com
When you successfully authenticate you are returned an XSRF token. Subsequent requests should pass the token to validate the request.

On Jan 19, 2014, at 10:09 PM, Joe Simington <bhw...@gmail.com> wrote:

> I think I saw some reference to this in the documentation, but I can't seem to find it.  When I do a search of the entire Developers site, I get zero hits.




Joe Simington

Jan 19, 2014, 11:28:21 PM
to gcp-dev...@googlegroups.com
I get no XSRF token when authenticating. I need to authenticate using the
  https://accounts.google.com/o/oauth2/device/code    followed by
method:

I get:
{
  "device_code" : "xxxxx",
  "user_code" : "xxxxxx",
  "verification_url" : "http://www.google.com/device",
  "expires_in" : 1800,
  "interval" : 5
}
followed by:
{
  "access_token" : "xxxxx",
  "token_type" : "Bearer",
  "expires_in" : 3600,
  "refresh_token" : "xxxxx"
}

John C. Bland II

Jan 19, 2014, 11:29:29 PM
to gcp-dev...@googlegroups.com
access_token

That’s the XSRF. Here is more on XSRF: http://en.wikipedia.org/wiki/Cross-site_request_forgery.

Jesse Short-Gershman

Jan 20, 2014, 12:54:38 PM
to gcp-dev...@googlegroups.com
John, this is awesome that you're helping out other developers.  We really appreciate it!

Joe, thanks for pointing out this omission in the documentation.  We'll add a short explanation of XSRF tokens soon.


John C. Bland II

Jan 20, 2014, 3:51:05 PM
to gcp-dev...@googlegroups.com

Robert Toscano

Jan 21, 2014, 2:31:51 PM
to gcp-dev...@googlegroups.com
Hey there, the XSRF token is used to prevent XSRF attacks. Cloud Print APIs return this as the "xsrf_token" field in all authenticated responses. The "access_token" is actually the token used for authentication with OAuth2. If you are using OAuth2 to authenticate to Cloud Print APIs (i.e. you include the "Authorization" header), you do not need to provide an XSRF token at all.

The response snippets you provided are from communications with Google OAuth2 APIs, not the Cloud Print APIs.


John C. Bland II

Jan 21, 2014, 2:59:35 PM
to gcp-dev...@googlegroups.com

inergi...@gmail.com

Nov 26, 2014, 9:56:35 PM
to gcp-dev...@googlegroups.com
This is a bit of an old thread, however, there is no clear solution specified. I hope this helps anyone seeking to print using Google Cloud Print with an XSRF token (using HTML form action). This method bypasses issues related to CORS (Cross Origin Resource Sharing) you encounter in other methods (e.g. XMLHttpRequest), especially the 'Access-Control-Allow-Origin' header not present.

When you do a '/search' on cloud print you are returned an XSRF token in JSON format (www.google.com/cloudprint/search?). This was tested while signed-in to a Google account in Chrome.

This is the code:

<html>
<body>
<form action="https://www.google.com/cloudprint/search?"
method="POST" enctype="multipart/form-data" id="submitForm">
  <input type="submit" value="Get XSRF"/>

</form>
</body>
</html>


Returns:

{
 "success": true,
 "xsrf_token": "AIp06Di8htzma8Szf-d-r5-Lb-2Xd49pdQ:1417055312350",
 "request": {
  "time": "0",


You can retrieve the returned XSRF token and use it to print from your web page as specified in the following link:
https://developers.google.com/cloud-print/docs/appDevGuide


XSRF token is valid for a period of 24 hours. When you submit a print job a new XSRF token is returned. This token can be used for your next print job if it is within 24 hours of your last print job. Else you have to get a new token from '/search'. 
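
Added example (not part of any post in this thread, and not Google Cloud Print's code): a Node.js illustration of the server-side rule discussed above, where a request carrying an OAuth2 "Authorization" header skips the XSRF check, while a cookie-session request must present an unexpired token and gets a fresh one back. The HMAC token construction, `SERVER_KEY`, and the request shape passed to `xsrfCheck` are assumptions made for illustration; only the "xsrf_token" field name and the 24-hour lifetime come from the thread.

```javascript
// Added illustration; not Google Cloud Print's implementation.
const crypto = require('node:crypto');

const SERVER_KEY = crypto.randomBytes(32);   // assumed per-deployment secret
const MAX_AGE_MS = 24 * 60 * 60 * 1000;      // 24-hour lifetime quoted in the thread

// Assumed token format: hex(HMAC-SHA256(sessionId|issuedAt)) + ':' + issuedAt (ms).
function issueXsrfToken(sessionId, now = Date.now()) {
  const mac = crypto.createHmac('sha256', SERVER_KEY)
    .update(`${sessionId}|${now}`)
    .digest('hex');
  return `${mac}:${now}`;
}

function verifyXsrfToken(token, sessionId, now = Date.now()) {
  const parts = String(token || '').split(':');
  if (parts.length !== 2 || !/^\d{1,15}$/.test(parts[1])) return false;
  const issuedAt = Number(parts[1]);
  if (issuedAt > now || now - issuedAt > MAX_AGE_MS) return false; // future or expired
  // Recompute for this session and compare in constant time.
  const expected = Buffer.from(issueXsrfToken(sessionId, issuedAt));
  const given = Buffer.from(String(token));
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// XSRF gate for a state-changing request (hypothetical request shape):
//   { headers: { authorization }, sessionId, xsrf }
function xsrfCheck(req, now = Date.now()) {
  if (/^Bearer\s+\S+$/i.test(req.headers.authorization || '')) {
    // A browser never attaches this header on its own to a cross-site form
    // post, so a forged request cannot carry it. Validating the bearer token
    // itself is a separate step not shown here.
    return { ok: true, reason: 'oauth2-header' };
  }
  if (req.sessionId && verifyXsrfToken(req.xsrf, req.sessionId, now)) {
    // Cookie-style session: token accepted, return a fresh one for the next call.
    return { ok: true, reason: 'xsrf-token', xsrf_token: issueXsrfToken(req.sessionId, now) };
  }
  return { ok: false, reason: 'XSRF token failed' };
}
```

Binding the token to the session is what makes a token copied from one signed-in session useless in another; the timestamp suffix lets the server enforce the lifetime without storing issued tokens.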

Robert Toscano

Dec 1, 2014, 7:43:27 PM
to gcp-dev...@googlegroups.com

You can also get an xsrf token using the /xsrf API to avoid having to do a heavyweight /search request.



John Bayley

Feb 3, 2017, 2:19:19 PM
to Google Cloud Print Developers, inergi...@gmail.com
Is there no way to use an XMLHttpRequest?  Do you know of any method to retrieve the token programmatically?