Authentication with GraphQL endpoint: Getting access token through API calls

I’m working with a CRM application that has a Symfony backend and uses AngularJS for the frontend. The system runs on version 8.x and most API communication happens through GraphQL.

I want to make API requests to the backend using the same endpoints that the Angular frontend uses. When I check the browser’s network tab, I can see that authentication starts with a call to mysite.com/login, followed by requests to mysite.com/api/graphql.

The login request shows:

POST request
200 response
Referrer Policy: strict-origin-when-cross-origin

The request payload contains basic JSON with user credentials:

{
  "username": "myuser",
  "password": "mypass"
}

When I try to replicate this in Postman, Python, or n8n, I get a 401 error saying “Invalid CSRF token”. This suggests I need some kind of token before I can even log in.

Looking at the browser request headers, I see cookies like:

Cookie: app_theme=default; session_lang=en; session_id=abc123; PHPSESSID=def456; XSRF-TOKEN=xyz789

How do I get this initial token? The frontend somehow obtains it on the first page load, but I can’t figure out the process. Should I be using bearer token authentication in Postman? Where would I get that token from initially?

There’s no API documentation available, only the working AngularJS code. How can I properly authenticate with this GraphQL API?

I ran into the same issue with a Symfony application that had CSRF protection enabled. Symfony generates CSRF tokens and expects them in subsequent requests. To resolve this, first make a GET request to any page that renders the CSRF token, like the login page or the main application page. The server will respond with cookies, including the XSRF-TOKEN. Use this token along with the session cookies in your login POST request headers. Typically, you’ll need to provide the CSRF token both in the cookies and as a header (often X-CSRF-TOKEN or X-XSRF-TOKEN). After successful authentication, ensure you maintain the session by including all cookies from the login response in your GraphQL calls.

Yeah, for sure! Just load the homepage to get that XSRF token. Make a GET request to the login page before you do the POST. It’ll set the cookies with the CSRF token, then use them in your login request. Should do the trick! Good luck!

Yes, the CSRF token is likely the source of your problem. I encountered a similar situation with a Symfony application recently, and here’s the solution that worked for me. The CSRF token is provided in the initial HTML response when you access the login page directly in a browser, as Symfony automatically injects it into the page source or through JavaScript. Your API client should do the same: start by making a GET request to the login page endpoint (not just the homepage) to retrieve the initial cookies and session. Check the response body for hidden form fields or JavaScript variables that may contain the CSRF token. In some instances, Symfony apps may offer a dedicated endpoint like /api/csrf-token or include it within meta tags. Once you have both the session cookies and the CSRF token, be sure to attach the token in your login POST request header as X-CSRF-TOKEN while retaining those session cookies. This should address the 401 error and enable your authentication with the GraphQL API.
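Putting the answers above together, here is an added Python example (standard library only; it is not code from the asker's application or from any of the answerers) of the flow they describe: prime a session with a GET to /login, take the CSRF token from the XSRF-TOKEN cookie or, failing that, from a hidden form field or meta tag in the page markup, send it back as a header on the JSON login POST, and then reuse the same cookie jar for /api/graphql. The base URL, the hidden-field and meta-tag names (_csrf_token, csrf-token), the header names and the sample HTML are assumptions or constructed; the one thing that is not an assumption is that AngularJS's $http mirrors an XSRF-TOKEN cookie into an X-XSRF-TOKEN header by default, which is why that header is tried alongside X-CSRF-TOKEN.

```python
"""Added example: CSRF-primed login followed by a GraphQL call against a
Symfony backend. Endpoint paths, cookie/field/header names and the sample
HTML are assumptions; adjust them to what the browser's network tab shows."""
import html
import http.cookiejar
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Constructed sample of what a Symfony login page might return (not real markup
# from the asker's site): token as a hidden form field and as a meta tag.
SAMPLE_LOGIN_HTML = """<html><head><meta charset="utf-8">
<meta name="csrf-token" content="meta-token-111"></head>
<body><form method="post" action="/login">
<input type="hidden" name="_csrf_token" value="hidden-token-222">
</form></body></html>"""


def _tag_attrs(tag_html):
    """Return the double-quoted attributes of one HTML start tag as a dict."""
    return dict(re.findall(r'([\w:-]+)\s*=\s*"([^"]*)"', tag_html))


def find_token_in_html(body):
    """Look for a CSRF token embedded in the login page markup.
    Symfony forms usually render <input type="hidden" name="_csrf_token" ...>;
    some apps expose <meta name="csrf-token" content="..."> instead.
    The hidden input wins when both are present (assumed naming)."""
    hidden = meta = None
    for m in re.finditer(r'<(?:input|meta)\b[^>]*>', body, flags=re.I):
        attrs = _tag_attrs(m.group(0))
        name = attrs.get("name", "")
        if name == "_csrf_token" and "value" in attrs and hidden is None:
            hidden = html.unescape(attrs["value"])
        elif name == "csrf-token" and "content" in attrs and meta is None:
            meta = html.unescape(attrs["content"])
    return hidden or meta


def parse_cookie_header(value):
    """Split a raw 'Cookie:' header (as copied from the browser) into (name, value) pairs."""
    pairs = []
    for part in value.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            pairs.append((name, val))
    return pairs


def csrf_token_from_cookies(pairs, cookie_name="XSRF-TOKEN"):
    """Pick the CSRF cookie out of (name, value) pairs; the value is often URL-encoded."""
    for name, value in pairs:
        if name == cookie_name:
            return urllib.parse.unquote(value)
    return None


def csrf_headers(token):
    """Headers for the login POST and later GraphQL calls. AngularJS sends the cookie
    back as X-XSRF-TOKEN; some Symfony setups read X-CSRF-TOKEN, so both are set
    and the server ignores the one it does not use."""
    return {"Content-Type": "application/json", "Accept": "application/json",
            "X-XSRF-TOKEN": token, "X-CSRF-TOKEN": token}


class SymfonyGraphQLClient:
    """Keeps one cookie jar across the GET, the login POST and the GraphQL calls,
    which is what the browser does and what the 401 'Invalid CSRF token' requires."""

    def __init__(self, base_url):
        self.base_url = base_url.rstrip("/")
        self.jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.jar))
        self.csrf_token = None

    def _request(self, path, data=None, headers=None):
        req = urllib.request.Request(self.base_url + path, data=data, headers=headers or {},
                                     method="POST" if data is not None else "GET")
        try:
            with self.opener.open(req, timeout=15) as resp:
                return resp.getcode(), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 401/403 etc. still carry a useful body
            return err.code, err.read().decode("utf-8", "replace")

    def prime_csrf(self):
        """Step 1: GET the login page so the server sets session + XSRF-TOKEN cookies."""
        _status, body = self._request("/login")
        pairs = [(c.name, c.value) for c in self.jar]
        self.csrf_token = csrf_token_from_cookies(pairs) or find_token_in_html(body)
        if not self.csrf_token:
            raise RuntimeError("no CSRF token found in cookies or login page markup")
        return self.csrf_token

    def login(self, username, password):
        """Step 2: POST the JSON credentials with the token header and the primed cookies."""
        if self.csrf_token is None:
            self.prime_csrf()
        payload = json.dumps({"username": username, "password": password}).encode()
        return self._request("/login", data=payload, headers=csrf_headers(self.csrf_token))

    def graphql(self, query, variables=None):
        """Step 3: reuse the same jar (session cookies) for the GraphQL endpoint."""
        payload = json.dumps({"query": query, "variables": variables or {}}).encode()
        status, body = self._request("/api/graphql", data=payload,
                                     headers=csrf_headers(self.csrf_token or ""))
        return status, json.loads(body) if body.startswith(("{", "[")) else body


if __name__ == "__main__":  # placeholder host; needs network access to a real instance
    client = SymfonyGraphQLClient("https://mysite.example")
    print("login status:", client.login("myuser", "mypass")[0])
    print("graphql:", client.graphql("{ __typename }"))
```

If the primed token still yields a 401, compare the request the browser sends in the network tab with the one this client sends: the cookie set, the exact header name, and whether the token in the header matches the cookie value byte for byte (URL-decoding is the usual mismatch).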