Authentication with GraphQL endpoints - obtaining access tokens using different tools

I’m working with a CRM application that has a Symfony backend and uses AngularJS on the frontend. The newer version relies heavily on GraphQL for API communication.

I want to make API calls to the backend using the same endpoints that the Angular frontend uses. When I check the browser’s network tab, I can see the authentication flow.

The initial call goes to domain.com/authenticate and then subsequent requests hit domain.com/api/graphql.

For the authentication request, I observe:

  • POST method
  • 200 response status
  • Request payload contains credentials in JSON format

When I try to replicate this in Postman, I get a 401 error saying “Invalid CSRF token”. This suggests I need some kind of token before I can even log in.

Looking at the browser request headers, I notice several cookies including an XSRF-TOKEN. But I’m confused about how to obtain this token initially since it appears to be required for the first login request.

I’ve tried different approaches in Postman, Python, and n8n but haven’t been successful. The bearer token option in Postman’s authorization section might be relevant, but I still need to figure out where to get the initial token from.

How do I properly authenticate with this GraphQL API and obtain the necessary tokens programmatically?

Been there with Symfony CSRF issues. Hit your main app URL (domain.com) before going to /authenticate - usually kicks off the token generation. Some setups need you to visit the frontend first. Also check for a /token or /csrf endpoint - lots of apps expose these for API clients.

This CSRF token issue is super common with Symfony apps. That XSRF-TOKEN cookie gets generated automatically when the page first loads. Here’s what you need to do: make a GET request to any public endpoint first - could be the login page or any other public route. The server will drop that XSRF-TOKEN cookie in the response. Grab it and stick it in your auth request headers. For your POST request, add the token as an X-XSRF-TOKEN header using the cookie value. Postman and most HTTP clients can save cookies from one request and automatically use them in the next. After you authenticate successfully, you’ll get session cookies or JWT tokens for your GraphQL requests. The trick is that CSRF protection needs this initial handshake - browsers handle it automatically when loading the app, but API clients have to do it manually.

I faced a similar situation with a Symfony application utilizing CSRF protection. To resolve the issue, I recommend starting with a GET request to any accessible endpoint, like the login page or root URL. This will generate the necessary CSRF token, typically found in the response cookies. Once you have that token, include it as an X-CSRF-Token header in your subsequent POST requests for authentication. Additionally, ensure that you’re sending standard headers like X-Requested-With: XMLHttpRequest if required by the API. This approach effectively sets up the session and allows for successful authentication.
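The handshake the two answers above describe, written out in Python as an added example (not code from the thread or from the CRM in question). The stand-in backend exists only so the client can be run offline; the /authenticate and /api/graphql paths and the XSRF-TOKEN cookie come from the question, while the PHPSESSID session cookie, the loopback host, the X-XSRF-TOKEN header name and the credentials are assumptions.

```python
import json, secrets, threading
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import HTTPCookieProcessor, Request, build_opener
SESSIONS = {}  # constructed in-memory session store: session id -> username

class FakeCrm(BaseHTTPRequestHandler):  # stand-in backend modelled on the thread's description
    def _send(self, code, body, cookie=None):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(data)))
        if cookie: self.send_header("Set-Cookie", cookie)
        self.end_headers(); self.wfile.write(data)
    def do_GET(self):  # any public route sets the CSRF cookie (double-submit pattern)
        self._send(200, {"ok": True}, "XSRF-TOKEN=" + secrets.token_hex(16))
    def do_POST(self):
        cookies = {k: m.value for k, m in SimpleCookie(self.headers.get("Cookie", "")).items()}
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        if self.path == "/authenticate":
            token = self.headers.get("X-XSRF-TOKEN", "")
            if not token or token != cookies.get("XSRF-TOKEN"):  # header must echo the cookie
                return self._send(401, {"error": "Invalid CSRF token"})  # the error Postman saw
            sid = secrets.token_hex(16); SESSIONS[sid] = body["username"]  # assumed session cookie
            return self._send(200, {"ok": True}, "PHPSESSID=" + sid + "; HttpOnly")
        user = SESSIONS.get(cookies.get("PHPSESSID"))  # /api/graphql rides on the session cookie
        self._send(200, {"data": {"me": {"name": user}}}) if user else self._send(401, {"error": "Unauthenticated"})
    log_message = lambda *a: None  # silence per-request logging

def login_and_query(base, username, password, query, csrf_handshake=True):
    # Client side: GET first, copy the cookie value into X-XSRF-TOKEN, then POST login and query.
    jar, headers = CookieJar(), {"Content-Type": "application/json"}
    opener = build_opener(HTTPCookieProcessor(jar))  # replays stored cookies on later requests
    post = lambda path, obj: json.loads(opener.open(Request(base + path, json.dumps(obj).encode(), headers)).read())
    if csrf_handshake:
        opener.open(base + "/").read()
        headers["X-XSRF-TOKEN"] = next(c.value for c in jar if c.name == "XSRF-TOKEN")
    try:
        post("/authenticate", {"username": username, "password": password})
        return post("/api/graphql", {"query": query})
    except HTTPError as e:
        return json.loads(e.read())  # e.g. {"error": "Invalid CSRF token"}

def run_demo():  # serve the stand-in on a free port; return (result without handshake, with it)
    srv = HTTPServer(("127.0.0.1", 0), FakeCrm)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_port
    results = tuple(login_and_query(base, "alice", "pw", "{ me { name } }", h) for h in (False, True))
    srv.shutdown()
    return results
```

Skipping the initial GET reproduces the 401 "Invalid CSRF token" from the question; with it, the same client gets a session cookie and the GraphQL call succeeds.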