FreeMan

Reputation: 1457

Not working with json but working with urlencoding in Postman

I am stuck; I spent almost the whole day trying to solve this problem. I am trying to integrate CSRF security into our website, which is written with Play Framework 2.5.9 and AngularJS 1.x. I added the CSRF things and tried to test via Postman. It works when the content-type is set to x-www-form-urlencoded, but it does not work when it is set to application/json. It gives me

Content-Length →0
Date →Tue, 14 Mar 2017 13:22:13 GMT
error →No CSRF token found for application/json body

and my JSON is

{
    "username": "admin", 
    "email": "admin", 
    "password": "123456", 
    "consumer": "consumer",
    "csrfToken": "c29625a2c1c26bfbd4e74f6f6499d21f9a21aed-1489470934941-ae012aab7984ed13bfc697ea"
}

What's wrong with it? Am I missing something? Any help appreciated.

EDIT: By the way, when I disable the CSRF check in application.conf by adding the following lines

# Play 2.5 reads these from the bypassHeaders block of the CSRF filter config;
# the enclosing key path is added here so the fragment is a complete HOCON snippet.
play.filters.csrf.header.bypassHeaders {
  X-Requested-With = "*"
  Csrf-Token = "nocheck"
}

the POST method works for the application/json content-type.

Upvotes: 1

Views: 706

Answers (1)

Andriy Kuba

Reputation: 8263

Play's default CSRF protection filter checks the

  1. Query string
  2. Header
  3. application/x-www-form-urlencoded content type
  4. multipart/form-data content type

You can check the source:

https://github.com/playframework/playframework/blob/master/framework/src/play-filters-helpers/src/main/scala/play/filters/csrf/CSRFActions.scala#L425

https://github.com/playframework/playframework/blob/master/framework/src/play-filters-helpers/src/main/scala/play/filters/csrf/CSRFActions.scala#L66

https://github.com/playframework/playframework/blob/master/framework/src/play-filters-helpers/src/main/scala/play/filters/csrf/CSRFActions.scala#L90

So what you can do:

  1. Add csrfToken to the query string ...?csrfToken=... (not recommended)
  2. Add csrfToken to the headers
  3. Disable it
  4. Write your own CSRF filter

Upvotes: 2
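To make the lookup order in the answer concrete, here is a small JavaScript model of it (an added example, not code from the question, the answer or Play itself): it walks the query string, the header and a form-urlencoded body in that order, so it shows why a csrfToken field inside a JSON body is never seen, and what the AngularJS client should send instead. The names "csrfToken" and "Csrf-Token" are Play 2.5's default token field and header name; treating them as the defaults here is an assumption, as is the request shape used.

```javascript
// Added example, not code from the question or from Play: a model of the lookup
// order the answer lists (query string, header, form body). The default names
// "csrfToken" and "Csrf-Token" are assumed to be Play 2.5's defaults.
const TOKEN_NAME = 'csrfToken';
const HEADER_NAME = 'Csrf-Token';

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// request = { url, headers, body }; returns where the token was found, or null.
function findCsrfToken(request) {
  // 1. query string (?csrfToken=...), discouraged because URLs end up in logs
  const query = new URL(request.url, 'http://localhost').searchParams;
  if (query.has(TOKEN_NAME)) return { source: 'query', token: query.get(TOKEN_NAME) };
  // 2. header
  const fromHeader = getHeader(request.headers, HEADER_NAME);
  if (fromHeader) return { source: 'header', token: fromHeader };
  // 3. application/x-www-form-urlencoded body (multipart/form-data is treated
  //    the same way by Play but is left out of this model)
  const contentType = (getHeader(request.headers, 'Content-Type') || '').toLowerCase();
  if (contentType.startsWith('application/x-www-form-urlencoded')) {
    const form = new URLSearchParams(request.body);
    if (form.has(TOKEN_NAME)) return { source: 'form', token: form.get(TOKEN_NAME) };
  }
  // A JSON body is never inspected, so a csrfToken field inside it is invisible.
  return null;
}

// What the AngularJS client should do for JSON: carry the token in the header,
// not only in the body. Returns a request object in the shape findCsrfToken expects.
function jsonRequestWithToken(url, token, payload) {
  return {
    url,
    headers: { 'Content-Type': 'application/json', [HEADER_NAME]: token },
    body: JSON.stringify(payload),
  };
}

// Constructed sample values (not a real token or endpoint).
const TOKEN = 'constructed-token-123';
const failing = { url: '/register', headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ username: 'admin', csrfToken: TOKEN }) };   // token only in body
const fixed = jsonRequestWithToken('/register', TOKEN, { username: 'admin' });
```

Running `findCsrfToken(failing)` returns null, which is the "No CSRF token found for application/json body" case from the question, while `findCsrfToken(fixed)` finds the token in the header.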
