Ronit Nath

Configuring X-CSRF using Actions Editor

Concept and Need:

A CSRF token is a unique, secret, and unpredictable value that is generated by the server and transmitted to the client to prevent CSRF attacks. The client includes the token in every subsequent modifying (create, update, and delete) request, and the server validates it and rejects the request if the expected token is missing, invalid, or expired. The browser attaches session cookies automatically, but a third-party page cannot read the token, so a request forged from an attacker-controlled site fails validation; this is what protects the application from unauthorised modification of its data by a malicious entity.

Most SAP APIs have X-CSRF enabled for the create, update and delete operations to protect them against CSRF attacks. As part of this feature, the Actions Editor provides the option to mark an action as X-CSRF relevant. Since GET requests must not change server-side state, X-CSRF cannot be configured for a GET action.

Parent Blog:

 Actions Editor – Feature List, Usage and Maintenance of Actions Project

Steps to configure the token fetch endpoint for an action:

1. Choose Enable X-CSRF from the overflow menu. This option is only offered for state-changing operations (POST, PUT, PATCH, DELETE).

2. The Enable X-CSRF dialog opens. In most cases the endpoint used to fetch the X-CSRF token is the same endpoint that the modifying action calls, so it is pre-filled in the dialog. Enter the desired token fetch endpoint and press Enable.

Once the token fetch endpoint is configured, it is displayed in the top right corner of the action details section.

Note: In certain cases the GET call to the token fetch endpoint can return a very large response. Only the response headers are needed for the token, so the body is wasted; we suggest appending $top=1 to the endpoint, or using just / in such cases. E.g., the endpoint can be /A_BusinessPartner?$top=1 or /.

3. To update the token fetch endpoint, choose Update X-CSRF from the overflow menu.

4. Update X-CSRF dialog opens. Enter the new value for the token fetch endpoint and press Update.

5. To disable X-CSRF, click on Remove. The Remove X-CSRF dialog will show up. Click on Remove X-CSRF to disable the functionality for the given action.


Note: X-CSRF can also be enabled or disabled per destination, e.g. enabled for the production destination but disabled for the development one. To achieve this, add a boolean property sap.lcnc.fetchXcsrf under the Additional Properties section of the destination configuration and set its value to true or false.


Thanks for reading and I hope it helped to understand the concept of configuring X-CSRF using Actions Editor. Please feel free to leave a comment if there are any questions and I would be happy to receive any feedback.



8 Comments
      Giampaolo Bolzonella

      Hi,

      I created a new OData service on SAP on-premise with SEGW and everything works fine with Postman.

      I used this resource to convert $metadata into an OpenAPI 3 JSON to upload into Build PA when I created my action.

      The import seems correct and I can do GET calls, but the option Enable X-CSRF is missing.

      Is there any parameter to add in SEGW or the OpenAPI JSON to enable this option?

      Thanks

      Giampaolo Bolzonella

      SOLVED!

      The option has been moved into Project Settings.

      Giampaolo Bolzonella

      In order to be able to call the service with the CSRF token from a process, it is necessary to enter the complete path in the Token Fetch End Point field.

      E.g.: If the Resource Path is

      /sap/opu/odata/sap/SERVICE_SRV

      in the Token Fetch End Point you need to write

      /sap/opu/odata/sap/SERVICE_SRV/action


      Now I have another issue:

      Action 'xxxxxxxxx' failed with the following error: 'Error thrown from action runtime library: Failed to read sap.lcnc.fetchXcsrf flag from destination XXXXXXX: Cannot destructure property 'originalProperties' of 'object null' as it is null.'.

      In my destination I defined the property sap.lcnc.fetchXcsrf = true.

      Any advice?

      Thanks

      Ronit Nath (Blog Post Author)

      Hi Giampaolo,

      The following can be the reasons behind the error you are facing:

      1. If the destination variable was not mapped to an actual destination before deploying the process.
      2. If the destination does not exist in the BTP subaccount.

      We have made some changes in our error messages to differentiate between the cases 1 and 2. Could you run the action again and post the error message in the reply? This will help in analysing the issue further.

      Regards,

      Ronit

      Giampaolo Bolzonella

      Let me try to explain better.

      I created an action to store data in a custom table in ECC on-premise, and when I test this action (with the defined destination), it works fine.

      Instead, when I use the same action in a Process Automation, I get the error.

      I tried to delete and re-create the BTP destination, but nothing changed.

      The action into Process Automation has the same version release.

      Thanks and Best regards,
      Giampaolo

      Ravish Ranka

      I had a similar issue. It got resolved after a change in the API specification file. Check whether you have the parameter X-CSRF-Token in the API specification file. If it is there, remove it, as X-CSRF-Token is added to the POST call by default by the framework.


      Ronit Nath (Blog Post Author)

      Hi Giampaolo,

      Thank you for your response. I understand that the destination against which the action was executed exists in the BTP subaccount and the execution works perfectly in Action Editor.

      Could you please confirm whether a destination was chosen before executing the action in Process Automation? If no destination is chosen and the user proceeds with executing the action in Process Automation, the following error is thrown:

      The name of the destination is not defined. Please provide a valid destination name

      Can I request you to execute the action again in Process Automation? If an error is thrown, could you please post the error logs in the reply?

      Thanks and Best Regards,
      Ronit
      Keerthana Jayathran

      Hi Ronit Nath ,

      I am trying to enable the X-CSRF-Token in one of the Integration Content APIs (DELETE operation), but when I test it, I get the below error.

      I have enabled the X-CSRF-Token in the settings and also added the token endpoint path as /.

      Please help me with this query.

      Thanks in advance.

      Regards,
      Keerthana