I’m trying to interact with a CRM system that uses a GraphQL API. The frontend is built with AngularJS and I want to make API calls directly to the backend. Here’s what I’ve found so far:
- The login process starts with a POST request to example.com/login with username and password in JSON format.
- After login, most requests go to example.com/api/graphql.
- The login request sets some cookies, including XSRF-TOKEN.
I’ve tried using Postman, Python, and n8n to replicate this process, but I’m getting a 401 error with ‘Invalid CSRF token’.
Questions:
- Do I need a token for the initial login request?
- How can I get the necessary tokens or cookies for authentication?
- Is the XSRF-TOKEN cookie important for the login process?
- Should I be using a bearer token instead?
I’m really stuck on how to authenticate properly. Any help or explanations would be greatly appreciated!
Hey climbinglion, looks like your auth is a bit tight. For login, you don't need a token; just let the XSRF token do its job. Include it in follow-up requests. Usually, bearer tokens come in after login.
I’ve dealt with similar authentication setups before, and it can be tricky. Here’s what worked for me:
First, make sure your client is configured to handle cookies properly. The session cookie from the login response is key for maintaining your authenticated state.
For the CSRF protection, you’ll need to extract the XSRF-TOKEN from the cookies after login. Then, for each GraphQL request, include it in your headers as ‘X-XSRF-TOKEN’.
One thing that caught me out initially was forgetting to send the cookies with each request. Double-check that you’re including all cookies from the login response in subsequent requests.
If you’re still getting 401 errors, it might be worth checking if the API expects any additional headers. Some systems require things like a custom user agent or API version header.
Hope this helps you get unstuck!
Based on your description, it seems the CRM system employs a combination of session-based authentication and CSRF protection. Here’s what I’d suggest:
For the initial login, you don’t need a token. Send your credentials to /login as you’ve been doing. After a successful login, the server should set cookies. Ensure your client is configured to store and send these cookies with subsequent requests.
The XSRF-TOKEN is crucial. Extract it from the cookies following login, then include it in the header of your GraphQL requests, typically as ‘X-XSRF-TOKEN’.
For GraphQL requests, rely on the session cookie for authentication and include the XSRF token in the header. If issues persist with 401 errors, double-check that all cookies and headers are properly handled and forwarded from the login response.
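The two answers above describe the same sequence: POST the credentials to /login without any token, keep every cookie the response sets, then send the XSRF-TOKEN cookie's value back as an X-XSRF-TOKEN header on each GraphQL POST while the cookie jar carries the session cookie along. Here is that sequence written as a standalone client using only the Python standard library. It is an added example, not code from the thread or from the CRM vendor. The URLs, the JSON field names for the login body, the assumption that a successful login returns a 2xx, and the CrmSession class itself are mine; the cookie name XSRF-TOKEN and header name X-XSRF-TOKEN are the ones the thread names (they are also the Angular HttpClient defaults). The token is re-read from the jar before every GraphQL call, so it keeps working if the server rotates it per response.

```python
"""Replicate the browser's login -> cookie -> X-XSRF-TOKEN -> GraphQL flow from a script.

Added example for the thread above; not the CRM's own code. Assumptions (not in the thread):
the login body is {"username", "password"}, a 2xx means login succeeded, and the GraphQL
endpoint answers JSON. Cookie and header names are the ones the thread reports.
"""
import json
import urllib.error
import urllib.request
from http.cookiejar import CookieJar

BASE_URL = "https://example.com"   # placeholder host from the thread
XSRF_COOKIE = "XSRF-TOKEN"         # cookie observed in the login response
XSRF_HEADER = "X-XSRF-TOKEN"       # header the answers say the cookie value goes into


def xsrf_token_from_jar(jar, cookie_name=XSRF_COOKIE):
    """Return the current value of the XSRF cookie in the jar, or None if it was never set."""
    for cookie in jar:
        if cookie.name == cookie_name:
            return cookie.value
    return None


def graphql_headers(token, header_name=XSRF_HEADER):
    """Headers for a GraphQL POST: JSON content type plus the cookie value echoed as a header.

    The cookie itself travels automatically via the cookie-aware opener; the server compares
    the header against it (double-submit cookie pattern), so a missing header gives
    'Invalid CSRF token' even when the cookie is present.
    """
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    if token is not None:
        headers[header_name] = token
    return headers


class CrmSession:
    """Cookie-aware client that keeps the session cookie and XSRF cookie between requests."""

    def __init__(self, base_url=BASE_URL):
        self.base_url = base_url.rstrip("/")
        self.jar = CookieJar()
        # HTTPCookieProcessor stores every Set-Cookie and replays the jar on later requests,
        # which is exactly the step that gets lost when a login call is copied into a tool
        # without cookie handling enabled.
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(self.jar))

    def _post_json(self, url, body, headers):
        req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
        try:
            with self.opener.open(req, timeout=30) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            # Return the server's message (e.g. 'Invalid CSRF token') instead of losing it.
            return err.code, err.read().decode("utf-8", "replace")

    def login(self, username, password):
        """POST credentials as JSON. No XSRF header here: this response is what sets the cookie."""
        status, body = self._post_json(
            self.base_url + "/login",
            {"username": username, "password": password},   # assumed field names
            {"Content-Type": "application/json", "Accept": "application/json"},
        )
        if not 200 <= status < 300:
            raise RuntimeError(f"login failed: HTTP {status}: {body[:200]}")
        if xsrf_token_from_jar(self.jar) is None:
            raise RuntimeError(f"login ok but no {XSRF_COOKIE} cookie stored; check cookie domain/path")
        return status

    def graphql(self, query, variables=None):
        """POST one GraphQL operation, re-reading the XSRF cookie in case the server rotated it."""
        token = xsrf_token_from_jar(self.jar)
        status, body = self._post_json(
            self.base_url + "/api/graphql",
            {"query": query, "variables": variables or {}},
            graphql_headers(token),
        )
        if status == 401:
            raise PermissionError(f"GraphQL 401: {body[:200]} (XSRF header sent: {token is not None})")
        return json.loads(body)


if __name__ == "__main__":
    # Network usage against the real CRM; credentials and query are placeholders.
    crm = CrmSession()
    crm.login("user@example.com", "password")
    print(crm.graphql("{ __typename }"))
```

If the login POST itself comes back with 'Invalid CSRF token', the server is applying the same check to /login; in that case issue a GET to the login page first so the jar already holds XSRF-TOKEN, and pass its value in the header on the login POST as well.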