CSRF doesn't work when using API action in App Flow

kfawcett · February 20, 2025, 3:16pm

Wappler Version: 7.0.0 Beta 17

Expected behavior

Sending CSRFToken via an API Action (not a Server Connect Form) should work the same as a Server Connect form

Actual behavior

Invalid CSRFToken error occurs. I'm unsure if this is the cause, but I do not see cookies (.sid and .auth) being sent in the API action headers in an App Flow. I also do not see an option to add Credentials.

How to reproduce

Create an API action that performs a POST against a Wappler-created server with an Input Data field of CSRFToken.

Apple · February 20, 2025, 3:17pm

Server-side or client-side?

kfawcett · February 20, 2025, 3:21pm

Clients-side. I have an App Flow, that sends data from the client to the server for processing before returning it to the client to send to a third-party API.

Apple · February 20, 2025, 3:25pm

Can you show a screenshot of your API Action properties?

(I don't know how to solve, don't expect a reply from me)

kfawcett · February 20, 2025, 3:28pm

This is the client-side app flow calling the Wappler server. The rfc822Streamer calls the server, then sends the results back to the client. Further down in the App Flow the results from the rfc822Streamer are passed to another api action that calls a third-party api. The CSRFToken is one of the Input Data fields.

kfawcett · February 20, 2025, 3:44pm

Found a workaround. I was able to add credentials: true, in the App Flow code editor view. It would be ideal if the UI had the Credentials flag.

 api.send: {
                  name: "rfc822Streamer",
                  output: true,
                  outputType: "object",
                  method: "POST",
                  url: "https://app.myapp.co/api/v1/mail",
                  credentials: true,

system · February 22, 2025, 3:45pm

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.