Hi York,

Glad it worked for you. The original intention of the blog post was to provide the simplest solution possible for “real one-click” approach. Setting up variables and including them in the URL – it’s already not one click but many, don’t you agree? ?

And Postman… Well, Postman doesn’t help in pre-scripts much unfortunately. The script doesn’t resolve the variables by itself. Unless we do something about it. For example, replace the following line from the original script:

csrfRequest.url = pm.request.url + '?$top=1';

with a bit extended version:

csrfRequest.url = pm.variables.replaceIn(pm.request.url) + '?$top=1';

and you’re good to go even with variables in the URL ?

Hi 05555 and pavel_lobach , long time no see, hoping you guys been well.

It has been quite some time since I last used Postman. I moved to Insomnia while ago. Feels fresher and lighter to my personal taste. And csrf token handling can be easily achieved there without any script.

But back to your question. The script works just fine even for $batch requests with C4C OData API. I just checked. Yes, it is making an erroneous call for $batch to fetch a token (for example, to .../sap/c4c/odata/v1/c4codataapi/$batch?$top=1). Yes, it gets 400 status code in response. But still even for a such faulty call, C4C OData API provides a valid CSRF token back. 

You can check how it goes in Postman Console (menu View -> Show Postman Console) where the script writes all console.log outputs to. You can even see there the GET call to fetch the token. And check there the response/request if any doubts.

Hi Andrei,

Many thanks for this blog! The script works fine for me if I provide the authorization information (e.g. username / password for basic auth.) at the request itself. But it does not work if I provide the authorization information on the parent (folder or collection). It seems like pm.request.clone(); does not inherit authorization information from the parent. Any idea how to get the authorization information from the parent in the pre-requisite script?

Best regards,
Nils

Hi Andrei.
Your knowledge is very valuable. You are right about $batch requests, they work as expected. I was inattentive and didn't notice that in the header I only deactivated the token, not deleted it. After removing it from the header, it works fine. Thanks for taking the time and checking it again.

Hi Nils,

I'd suggest checking the following open Postman issue and its duplicates. Seems like nothing we can do to properly inherit the auth at the moment.

https://github.com/postmanlabs/postman-app-support/issues/4396

console.log('Pre-request Script from Request start');



// We don't need to do anything if it's GET or x-csrf-token header is explicitly presented

if (pm.request.method !== 'GET' && !(pm.request.headers.has('x-csrf-token'))) {



    var csrfRequest = pm.request.clone();



    csrfRequest.method = 'GET';

    csrfRequest.body = '';



    // HEAD request to OData service document URL is fasted approach to get CSRF token.

    var urlString = csrfRequest.url.toString().toLowerCase() + '/';

    var v4Index = urlString.indexOf('/sap/opu/odata4/');



    // OData V4 Service (URL: https://host:port/sap/opu/odata4/<service group namespace>/<service group>/<respository>/<service namespace>/<service>/<service version>)

    if (v4Index >= 0) { 

        csrfRequest.method = 'HEAD';

        // Calculate OData V4 Service Document URL (w/o any Entity Sets, Query Options etc.)

        csrfRequest.url = urlString.slice(0, v4Index + 16) + urlString.slice(v4Index + 16).split('/', 6).join('/') + '/';

    }

    else {

        var v2Index = urlString.indexOf('/sap/opu/odata/');

        /// OData V2 Service (URL: https://host:port/sap/opu/odata/<service namespace>/<service>)

        if (v2Index >= 0) { // 

            csrfRequest.method = 'HEAD';

            // Calculate OData V2 Service Document URL (w/o any Entity Sets, Query Options etc.)

            csrfRequest.url = urlString.slice(0, v2Index + 15) + urlString.slice(v2Index + 15).split('/', 2).join('/') + '/';

        }

        else if (pm.request.method === 'POST') { // Fallback in case service document URL could not be calculated

            // for POST method usually it is ....<something>Collection in the URL

            // so we add $top=1 just to quickly get csrf token; 

            // for PUT, PATCH or DELETE the same URL would be enough,

            // because it points to the actual entity

            csrfRequest.url = pm.request.url + '?$top=1';



        }

    }



    csrfRequest.upsertHeader({

        key: 'x-csrf-token',

        value: 'fetch'

    });





    pm.sendRequest(csrfRequest, function (err, res) {

        console.log('pm.sendRequest start: ' + csrfRequest.method + ' ' + csrfRequest.url);

        if (err) {

            console.log(err);

        } else {

            console.log('Status: ' + res.code + ' (' + res.status + ')');

            var csrfToken = res.headers.get('x-csrf-token');

            if (csrfToken) {

                console.log('csrfToken fetched:' + csrfToken);

                pm.request.headers.upsert({

                    key: 'x-csrf-token',

                    value: csrfToken

                });

            } else {

                console.log('No csrf token fetched');

            }

        }

        console.log('pm.sendRequest end');

    });

}



console.log('Pre-request Script from Request end');

Why using

'?$top=1'

?

Isn't it easier to use the HEAD http method to avoid receiving body at all?

Great, Nils! I like what you did there.

However, the primary use case for this script (at least when I was crafting it) was to handle SAP C4C OData requests. And SAP C4C OData API doesn't support HEAD method. Not at the time of writing (it doesn't support it still - I just checked).