
Error "Empty or invalid anti forgery header token" #2762


billytsoi created

I get the error 'Empty or invalid anti forgery header token' when I call the API function CreateUser from the Swagger UI index page,

but if I call it using Postman, I don't get this error. May I know what may be going wrong?


1 Answer(s)
    ismcagdas created
    Support Team

    Hi,

    CSRF protection does not apply to non-browser clients, which is why you don't get the error in Postman. See <a class="postlink" href="http://aspnetboilerplate.com/Pages/Documents/XSRF-CSRF-Protection#non-browser-clients">http://aspnetboilerplate.com/Pages/Docu ... er-clients</a>.

    For the Swagger UI, you can add the anti-forgery token to all of your requests. If you are using ASP.NET Core, create an index.html file under "wwwroot/swagger/ui/" and put the content below in it.

    <!DOCTYPE html>
    <html>
    <head>
        <meta charset="UTF-8">
        <title>Swagger UI</title>
        <link rel="icon" type="image/png" href="images/favicon-32x32.png" sizes="32x32" />
        <link rel="icon" type="image/png" href="images/favicon-16x16.png" sizes="16x16" />
        <link href='css/typography.css' media='screen' rel='stylesheet' type='text/css' />
        <link href='css/reset.css' media='screen' rel='stylesheet' type='text/css' />
        <link href='css/screen.css' media='screen' rel='stylesheet' type='text/css' />
        <link href='css/reset.css' media='print' rel='stylesheet' type='text/css' />
        <link href='css/print.css' media='print' rel='stylesheet' type='text/css' />
    
        <script src='lib/object-assign-pollyfill.js' type='text/javascript'></script>
        <script src='lib/jquery-1.8.0.min.js' type='text/javascript'></script>
        <script src='lib/jquery.slideto.min.js' type='text/javascript'></script>
        <script src='lib/jquery.wiggle.min.js' type='text/javascript'></script>
        <script src='lib/jquery.ba-bbq.min.js' type='text/javascript'></script>
        <script src='lib/handlebars-4.0.5.js' type='text/javascript'></script>
        <script src='lib/lodash.min.js' type='text/javascript'></script>
        <script src='lib/backbone-min.js' type='text/javascript'></script>
        <script src='swagger-ui.min.js' type='text/javascript'></script>
        <script src='lib/highlight.9.1.0.pack.js' type='text/javascript'></script>
        <script src='lib/highlight.9.1.0.pack_extended.js' type='text/javascript'></script>
        <script src='lib/jsoneditor.min.js' type='text/javascript'></script>
        <script src='lib/marked.js' type='text/javascript'></script>
        <script src='lib/swagger-oauth.js' type='text/javascript'></script>
    
        
        <script src='/lib/abp-web-resources/Abp/Framework/scripts/abp.js' type='text/javascript'></script>
    
        
        
    
        <script type="text/javascript">
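            // Bootstraps Swagger UI and registers the ABP anti-forgery token as a request
            // header, so that state-changing calls made from this page are not rejected
            // with "Empty or invalid anti forgery header token".
            $(function () {
                // Console logging guarded for browsers that expose no console object.
                function log() {
                    if ('console' in window) {
                        console.log.apply(console, arguments);
                    }
                }

                hljs.configure({
                    highlightSizeThreshold: 5000
                });
                // Pre load translate...
                if (window.SwaggerTranslator) {
                    window.SwaggerTranslator.translate();
                }
                window.swaggerUi = new SwaggerUi({
                    url: "/swagger/v1/swagger.json",
                    dom_id: "swagger-ui-container",
                    supportedSubmitMethods: ['get', 'post', 'put', 'delete', 'patch'],
                    onComplete: function (swaggerApi, swaggerUi) {
                        // initOAuth is provided by lib/swagger-oauth.js; only call it when loaded.
                        if (typeof initOAuth === "function") {
                            initOAuth({
                                clientId: "your-client-id",
                                // This page is served to every browser user, so whatever is placed
                                // here is public; leave it empty unless your OAuth flow requires it.
                                clientSecret: "your-client-secret-if-required",
                                realm: "your-realms",
                                appName: "your-app-name",
                                scopeSeparator: " ",
                                additionalQueryStringParams: {}
                            });
                        }
                        if (window.SwaggerTranslator) {
                            window.SwaggerTranslator.translate();
                        }
                        // getToken() returns the anti-forgery token from the cookie ABP sets for this
                        // origin; it is empty when the page was not served by the same application.
                        // An empty value would be sent as an empty header and still be rejected, so
                        // report it instead of registering a useless authorization.
                        var csrfToken = abp.security.antiForgery.getToken();
                        var csrfHeaderName = abp.security.antiForgery.tokenHeaderName;
                        if (csrfToken) {
                            var csrfCookieAuth = new SwaggerClient.ApiKeyAuthorization(csrfHeaderName, csrfToken, "header");
                            swaggerUi.api.clientAuthorizations.add(csrfHeaderName, csrfCookieAuth);
                        } else {
                            log("Anti-forgery token not found; requests sent from Swagger UI will fail CSRF validation");
                        }
                    },
                    onFailure: function (data) {
                        // Include the failure payload so the cause is visible in the console.
                        log("Unable to Load SwaggerUI", data);
                    },
                    docExpansion: "none",
                    jsonEditor: false,
                    defaultModelRendering: 'schema',
                    showRequestHeaders: false
                });
                window.swaggerUi.load();
            });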
        </script>
    </head>
    
    <body class="swagger-section">
        <div id='header'>
            <div class="swagger-ui-wrap">
                <a id="logo" href="http://swagger.io">swagger<span class="logo__title">swagger</span></a>
                <form id='api_selector'>
                    <div class='input'><input placeholder="http://example.com/api" id="input_baseUrl" name="baseUrl" type="text" /></div>
                    <div id='auth_container'></div>
                    <div class='input'><a id="explore" class="header__btn" href="#" data-sw-translate>Explore</a></div>
                </form>
            </div>
        </div>
    
        <div id="message-bar" class="swagger-ui-wrap" data-sw-translate>&nbsp;</div>
        <div id="swagger-ui-container" class="swagger-ui-wrap"></div>
    </body>
    </html>