Simulate a login to successfully POST to a different page


We have a self-hosted snipe-it instance. Sadly, at the moment API-token creation is only possible via the website and we are waiting for the feature.

In the meantime we are trying to achieve the API-token creation via a different approach:

The API-token creation on the webpage shows in the web console only a single POST command against the URL http://my-snipit-instance/oauth/personal-access-tokens after clicking the button "Create New Token" and entering a name into the popup field. The POST includes the following request content:

{
   "name":"Test",
   "scopes":[],
   "errors":[]
}

and as response content this:

{
    "accessToken":"ey*****",
    "token":{
        "id":"f347******",
        "user_id":1,
        "client_id":1,
        "name":"Test",
        "scopes":[],
        "revoked":false,
        "created_at":"2022-09-28 15:36:24",
        "updated_at":"2022-09-28 15:36:24",
        "expires_at":"2037-09-28T13:36:24.000000Z"
    }
}

Additionally, the header of the request included 2 cookies:

  • snipeit_session
  • XSRF-TOKEN

As far as I understand, the XSRF-TOKEN prevents an XSRF attack on the server. Since the POST request does not use any other authorization, I think the XSRF-TOKEN is responsible for giving me access to the laravel-backend function which creates the API-token.

Now I have the problem that I don't really understand where the XSRF-TOKEN is created. We used the login page of snipe-it to analyze the GET and POST commands. I am somehow sure that the GET against http://my-snipit-instance/login is responsible for the initialization, since the POST against this URL uses the credentials.

Later we will use python for the relevant commands but at the moment curl will satisfy.

EDIT 1: At the moment I think a simple curl -b cookies -c cookies <URL> will satisfy. The only thing which I am unable to wrap my head around is that the payload for the POST against http://my-snipit-instance/login looks like the following:

{
    "_token": "**********", # HERE IS WHAT TOKEN?
    "prevent_autofill": "",
    "password_fake": "",
    "username": "webuser",
    "password": "1234567890"
}

The entry _token seems the important part, but I do not understand, from where the request is getting this value.

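An added example, not part of the original question: in a Laravel application the `_token` form field is the CSRF token that the GET of the login page embeds as a hidden input in its HTML, and later JSON requests can carry the token through the `X-XSRF-TOKEN` header, taken from the `XSRF-TOKEN` cookie. The sample HTML and cookie value below are constructed; that Snipe-IT's login page uses this hidden-input layout and accepts a form-encoded body is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import unquote, urlencode

# Constructed sample of what GET /login is assumed to return (not real output).
SAMPLE_LOGIN_HTML = """
<form method="POST" action="/login">
  <input type="hidden" name="_token" value="CONSTRUCTED-csrf-123">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
"""

class _HiddenInputs(HTMLParser):
    """Collects name -> value for every <input type="hidden">."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def build_login_body(login_html, username, password):
    """Form-encoded body for POST /login: hidden fields echoed back plus credentials."""
    parser = _HiddenInputs()
    parser.feed(login_html)
    if not parser.fields.get("_token"):
        raise ValueError("login page has no _token hidden field")
    return urlencode({**parser.fields, "username": username, "password": password})

def token_request_headers(xsrf_cookie_value):
    """Headers for the JSON POST that creates the token, sent after login.

    The XSRF-TOKEN cookie is URL-encoded in the jar (often ends in %3D);
    Laravel expects the decoded value in the X-XSRF-TOKEN header.
    """
    return {
        "X-XSRF-TOKEN": unquote(xsrf_cookie_value),
        "Content-Type": "application/json",
        "Accept": "application/json",
    }

if __name__ == "__main__":
    print(build_login_body(SAMPLE_LOGIN_HTML, "webuser", "1234567890"))
    print(token_request_headers("eyJjb25zdHJ1Y3RlZCI6dHJ1ZX0%3D"))
```

With one cookie jar throughout (`curl -b cookies -c cookies`, or a single `requests.Session`), GET the login page, POST this body to it, then read `XSRF-TOKEN` from the jar and send these headers with the JSON POST to `/oauth/personal-access-tokens`.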