Unable to get/access CSRF Token in login api response headers #20265

Summary

We are using Mattermost APIs in our frontend application. For login, we are hitting our own server, which in turn hits the Mattermost server.
In general, when I check the deployed Mattermost applications, they are sending a few headers in the login API response, which are then set on subsequent requests.
[Screenshot 2022-05-23 at 7 29 15 PM]
But when we hit the login API from our server, we are not getting the CSRF token in the response headers. It’s the same when I hit the API from Postman.
[Screenshot 2022-05-23 at 7 29 56 PM]

[Screenshot 2022-05-23 at 7 30 03 PM]

Is there a way to get the CSRF cookie in the login API response header?

Steps to reproduce

As mentioned above

Expected behavior

We should be able to access the CSRF token in the login API response, even when we hit it from our server.

Observed behavior (that appears unintentional)

NA

Possible fixes

NA

Hi,

I’m not sure if this is what you’re looking for, but it seems as if this post talked about that already:

When I login to my server using this API call, I do only get the token, no additional headers (that’s probably what you’re seeing):

$ curl -i -d '{"login_id":"myusername","password":"mypassword"}'  https://mydomain.com/api/v4/users/login
HTTP/1.1 200 OK
content-type: application/json
token: h1mjokgq5jfn8noozmx1c16e5o
vary: Accept-Encoding
x-request-id: 9k8ce5j6ppgbudi8ej6tmc8rwo
x-version-id: 7.1.0.7.1.0-rc3.51c4691d7303fa048354e534e709415a.true
date: Fri, 15 Jul 2022 15:08:24 GMT
content-length: 713
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: no-referrer-when-downgrade

But when I add an additional request header (X-Requested-With: XMLHttpRequest), things look different:

$ curl -i -d '{"login_id":"username","password":"password"}' -H "X-Requested-With: XMLHttpRequest" https://mydomain.com/api/v4/users/login
HTTP/1.1 200 OK
content-type: application/json
set-cookie: MMAUTHTOKEN=869dbg9yrbgc3yynzocrc79n7y; Path=/; Expires=Sun, 14 Aug 2022 15:10:28 GMT; Max-Age=2592000; HttpOnly; Secure
set-cookie: MMUSERID=a95dgu7c5bbuik8xk5xhpdr1hc; Path=/; Expires=Sun, 14 Aug 2022 15:10:28 GMT; Max-Age=2592000; Secure
set-cookie: MMCSRF=hicnidufpi8i7jfnmpiwoi3yie; Path=/; Expires=Sun, 14 Aug 2022 15:10:28 GMT; Max-Age=2592000; Secure
token: 869dbg9yrbgc3yynzocrc79n7y
vary: Accept-Encoding
x-request-id: qy4i8ygu1pdwbqeewzexua7o5c
x-version-id: 7.1.0.7.1.0-rc3.51c4691d7303fa048354e534e709415a.true
date: Fri, 15 Jul 2022 15:10:28 GMT
content-length: 713
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: no-referrer-when-downgrade

Is that perhaps what you’re looking for?
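As an added example (not part of the original issue or the reply above, and not Mattermost's own code), here is a small Python client that does what the reply shows: it logs in with `X-Requested-With: XMLHttpRequest`, pulls `MMAUTHTOKEN`, `MMUSERID` and `MMCSRF` out of the `Set-Cookie` headers, and builds the headers for a follow-up request. Two assumptions are made that the thread does not state: that Mattermost's CSRF check compares an `X-CSRF-Token` request header against the `MMCSRF` cookie, and that a server-to-server caller can instead send the `token` value as `Authorization: Bearer …`, in which case no cookie and therefore no CSRF token is involved. The sample headers embedded below are constructed from the second curl response quoted in the reply, so the parsing runs offline; `login()` needs a live server.

```python
import json
import urllib.request

# Constructed sample: the header lines of the second curl response quoted above
# (the one sent with X-Requested-With: XMLHttpRequest), as (name, value) pairs.
SAMPLE_LOGIN_RESPONSE_HEADERS = [
    ("content-type", "application/json"),
    ("set-cookie", "MMAUTHTOKEN=869dbg9yrbgc3yynzocrc79n7y; Path=/; "
                   "Expires=Sun, 14 Aug 2022 15:10:28 GMT; Max-Age=2592000; HttpOnly; Secure"),
    ("set-cookie", "MMUSERID=a95dgu7c5bbuik8xk5xhpdr1hc; Path=/; "
                   "Expires=Sun, 14 Aug 2022 15:10:28 GMT; Max-Age=2592000; Secure"),
    ("set-cookie", "MMCSRF=hicnidufpi8i7jfnmpiwoi3yie; Path=/; "
                   "Expires=Sun, 14 Aug 2022 15:10:28 GMT; Max-Age=2592000; Secure"),
    ("token", "869dbg9yrbgc3yynzocrc79n7y"),
]


def extract_cookies(headers):
    """Return {cookie_name: value} from every Set-Cookie header in a (name, value) list.

    Only the leading name=value pair of each Set-Cookie is taken; attributes such as
    Path, Expires (which contains a comma) and Secure are deliberately ignored.
    """
    cookies = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        first = value.split(";", 1)[0].strip()
        if "=" in first:
            key, val = first.split("=", 1)
            cookies[key.strip()] = val.strip()
    return cookies


def cookie_session_headers(cookies):
    """Headers for a cookie-authenticated follow-up request.

    Assumption (not stated in the thread): the server compares X-CSRF-Token with the
    MMCSRF cookie, so a login response without MMCSRF cannot be used this way.
    """
    if "MMCSRF" not in cookies:
        raise ValueError(
            "login response carried no MMCSRF cookie; "
            "was X-Requested-With: XMLHttpRequest sent on the login request?"
        )
    return {
        "Cookie": "; ".join(f"{k}={v}" for k, v in cookies.items()),
        "X-CSRF-Token": cookies["MMCSRF"],
        "X-Requested-With": "XMLHttpRequest",
    }


def bearer_session_headers(token):
    """Server-to-server alternative (assumption): authenticate with the session token
    from the `token` response header instead of cookies; no CSRF cookie is needed."""
    return {"Authorization": f"Bearer {token}"}


def login(base_url, login_id, password):
    """Live login against a Mattermost server (needs network).

    Returns (token, cookies). The X-Requested-With header is what makes the server
    emit the Set-Cookie lines, as the curl comparison above shows.
    """
    req = urllib.request.Request(
        f"{base_url}/api/v4/users/login",
        data=json.dumps({"login_id": login_id, "password": password}).encode(),
        headers={
            "Content-Type": "application/json",
            "X-Requested-With": "XMLHttpRequest",
        },
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        # HTTPMessage.items() preserves repeated Set-Cookie headers.
        headers = list(resp.headers.items())
        token = resp.headers.get("Token")
    return token, extract_cookies(headers)


if __name__ == "__main__":
    cookies = extract_cookies(SAMPLE_LOGIN_RESPONSE_HEADERS)
    print(cookie_session_headers(cookies))
    print(bearer_session_headers("869dbg9yrbgc3yynzocrc79n7y"))
```

For the proxying setup described in the issue, the Bearer variant is usually the simpler fit: the backend keeps the token and never handles browser cookies, so the CSRF cookie the issue asks about is not needed at all.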