Base solution for your next web application
Open Closed

Error "Empty or invalid anti forgery header token" #2762

User avatar
0
billytsoi created

I have error 'Empty or invalid anti forgery header token' when i call by the Swagger UI index page on api function CreateUser

but if i use PostMan to call, i don't have this error. may i know what may go wrong?

Go to accepted answer
1 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    CSRF is not related to non-browser clients, because of that you don't get error on postman. See <a class="postlink" href="http://aspnetboilerplate.com/Pages/Documents/XSRF-CSRF-Protection#non-browser-clients">http://aspnetboilerplate.com/Pages/Docu ... er-clients</a>.

    For the swagger ui, you can add anti forgery token to all of your requests. If you are using AspNet Core, create an index.html fine under "wwwroot/swagger/ui/"and put below content in it.

    <!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Swagger UI</title>
    <link rel="icon" type="image/png" href="images/favicon-32x32.png" sizes="32x32" />
    <link rel="icon" type="image/png" href="images/favicon-16x16.png" sizes="16x16" />
    <link href='css/typography.css' media='screen' rel='stylesheet' type='text/css' />
    <link href='css/reset.css' media='screen' rel='stylesheet' type='text/css' />
    <link href='css/screen.css' media='screen' rel='stylesheet' type='text/css' />
    <link href='css/reset.css' media='print' rel='stylesheet' type='text/css' />
    <link href='css/print.css' media='print' rel='stylesheet' type='text/css' />

    <script src='lib/object-assign-pollyfill.js' type='text/javascript'></script>
    <script src='lib/jquery-1.8.0.min.js' type='text/javascript'></script>
    <script src='lib/jquery.slideto.min.js' type='text/javascript'></script>
    <script src='lib/jquery.wiggle.min.js' type='text/javascript'></script>
    <script src='lib/jquery.ba-bbq.min.js' type='text/javascript'></script>
    <script src='lib/handlebars-4.0.5.js' type='text/javascript'></script>
    <script src='lib/lodash.min.js' type='text/javascript'></script>
    <script src='lib/backbone-min.js' type='text/javascript'></script>
    <script src='swagger-ui.min.js' type='text/javascript'></script>
    <script src='lib/highlight.9.1.0.pack.js' type='text/javascript'></script>
    <script src='lib/highlight.9.1.0.pack_extended.js' type='text/javascript'></script>
    <script src='lib/jsoneditor.min.js' type='text/javascript'></script>
    <script src='lib/marked.js' type='text/javascript'></script>
    <script src='lib/swagger-oauth.js' type='text/javascript'></script>

    
    <script src='/lib/abp-web-resources/Abp/Framework/scripts/abp.js' type='text/javascript'></script>

    
    

    <script type="text/javascript">
        $(function () {
            hljs.configure({
                highlightSizeThreshold: 5000
            });
            // Pre load translate...
            if (window.SwaggerTranslator) {
                window.SwaggerTranslator.translate();
            }
            window.swaggerUi = new SwaggerUi({
                url: "/swagger/v1/swagger.json",
                dom_id: "swagger-ui-container",
                supportedSubmitMethods: ['get', 'post', 'put', 'delete', 'patch'],
                onComplete: function (swaggerApi, swaggerUi) {
                    if (typeof initOAuth == "function") {
                        initOAuth({
                            clientId: "your-client-id",
                            clientSecret: "your-client-secret-if-required",
                            realm: "your-realms",
                            appName: "your-app-name",
                            scopeSeparator: " ",
                            additionalQueryStringParams: {}
                        });
                    }
                    if (window.SwaggerTranslator) {
                        window.SwaggerTranslator.translate();
                    }
                    var csrfToken = abp.security.antiForgery.getToken();
                    var csrfCookieAuth = new SwaggerClient.ApiKeyAuthorization(abp.security.antiForgery.tokenHeaderName, csrfToken, "header");
                    swaggerUi.api.clientAuthorizations.add(abp.security.antiForgery.tokenHeaderName, csrfCookieAuth);
                },
                onFailure: function (data) {
                    log("Unable to Load SwaggerUI");
                },
                docExpansion: "none",
                jsonEditor: false,
                defaultModelRendering: 'schema',
                showRequestHeaders: false
            });
            window.swaggerUi.load();
            function log() {
                if ('console' in window) {
                    console.log.apply(console, arguments);
                }
            }
        });
    </script>
</head>

<body class="swagger-section">
    <div id='header'>
        <div class="swagger-ui-wrap">
            <a id="logo" href="http://swagger.io">swagger<span class="logo__title">swagger</span></a>
            <form id='api_selector'>
                <div class='input'><input placeholder="http://example.com/api" id="input_baseUrl" name="baseUrl" type="text" /></div>
                <div id='auth_container'></div>
                <div class='input'><a id="explore" class="header__btn" href="#" data-sw-translate>Explore</a></div>
            </form>
        </div>
    </div>

    <div id="message-bar" class="swagger-ui-wrap" data-sw-translate>&nbsp;</div>
    <div id="swagger-ui-container" class="swagger-ui-wrap"></div>
</body>
</html>
Assignee
No one
Labels
Non yet