CSRF validation error with SAP Data Hub

former_member102219
Participant
0 Kudos

I'm trying to make a REST POST call from Data Hub graph to a service on an ABAP system. Naturally, it involves CSRF.

When I used that service from programming languages, like Java/Python, I used to make two calls (each with Basic authorization scheme): 1. GET with x-csrf-token=fetch header, 2. POST with an extra header x-csrf-token=[value from step1]. And it worked.

Now, with Data Hub I'm struggling, and I made a few attempts with different design:

1. Open API Client operator, where I set useCsrfToken config setting to true. Getting CSRF validation error.

The documentation says, "If set to true, the client automatically retrieves a csrf-token at its first request and uses it in its subsequent requests", but it doesn't explain how a subsequent request should be made.

2. Two chained calls with Open API Client operator. In the first one I set includeResponseHeaders=x-csrf-token, in the second I set useCsrfToken to true. Still getting CSRF validation error.

3. Adding a JS Message operator between the two above calls, where I put something like:

msg.Attributes['openapi.header_params.x-csrf-token'] = inattributes['openapi.header.x-csrf-token'];

Here I am trying to add a header parameter x-csrf-token to the value I received from the first call. Same error.

4. Using HTTP Client operator after the JS Message operator, where I would set all required headers (except Authorization) in the JS Message, and leave Authorization to HTTP Client. Getting Unauthorised error.

5. Trying btoa() function to encode user:password token and add it into HTTP headers in the JS Message operator. Apparently, Data Hub's JavaScript engine is not aware of btoa().

I would say, the design #1 is the one that should have worked, and all others would not be needed. Am I missing anything?

0 Kudos

Have you got it to work?

Florian
Active Contributor
0 Kudos

Not doing exactly the same scenario, but I had the same problems from a non-SAP system.

The solution was that I had to explicitly put the cookies in another memory, so that the second call could add them as header attributes.

Don't know how it works with the API-Hub, but maybe this will give you a clue:

https://blogs.sap.com/2017/07/06/handling-csrf-tokens-in-sap-cloud-platform-integration/

former_member102219
Participant
0 Kudos

Thanks Florian, yes, this is generally what I did with Python/Java/Scala approaches, but in those cases I had rather fine control over what cookies and headers I request, receive, and add to my HTTP requests. My question is specifically about how to use Data Hub standard operators, as it seems to have less control.
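The two-call handshake the question describes (GET with `x-csrf-token: fetch`, then POST with the returned token), plus the cookie handling Florian points at, written out as an added example; this is not code from the thread, from SAP, or from Data Hub. It stands in for the ABAP service with a constructed in-memory stub (`StubAbapService`), whose session cookie name `SAP_SESSIONID` and exact error strings are assumptions made for the example, and it builds the Basic header by hand with base64, which is what the missing `btoa()` would have done. Running `demo(False)` shows the failure mode from the thread: a correct token sent without the session cookie from the first call is rejected.

```python
import base64
import secrets


def basic_auth_header(user: str, password: str) -> str:
    """Build the Basic scheme value by hand (the btoa() the JS operator lacks)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class StubAbapService:
    """Constructed stand-in for the ABAP service (assumption, not SAP code).

    Mirrors the behaviour described in the thread: a GET with
    x-csrf-token: fetch returns a token and a session cookie, and a POST is
    accepted only if the token matches the one issued to that session.
    """

    def __init__(self, user: str, password: str) -> None:
        self._expected_auth = basic_auth_header(user, password)
        self._tokens = {}  # session id -> csrf token issued for that session

    def handle(self, method, headers, cookies):
        """Return (status, response_headers, set_cookies, body)."""
        if headers.get("Authorization") != self._expected_auth:
            return 401, {}, {}, "Unauthorized"
        if method == "GET" and headers.get("x-csrf-token", "").lower() == "fetch":
            session_id = secrets.token_hex(8)
            token = secrets.token_urlsafe(16)
            self._tokens[session_id] = token
            # Cookie name is an assumption for the example.
            return 200, {"x-csrf-token": token}, {"SAP_SESSIONID": session_id}, ""
        if method == "POST":
            session_id = cookies.get("SAP_SESSIONID")
            if session_id is None or self._tokens.get(session_id) != headers.get("x-csrf-token"):
                return 403, {"x-csrf-token": "Required"}, {}, "CSRF token validation failed"
            return 201, {}, {}, "created"
        return 405, {}, {}, "Method not allowed"


class CsrfClient:
    """Client side of the handshake; keep_cookies=False reproduces the bug."""

    def __init__(self, transport, user, password, keep_cookies=True):
        self._transport = transport      # callable(method, headers, cookies)
        self._auth = basic_auth_header(user, password)
        self._keep_cookies = keep_cookies
        self._cookie_jar = {}

    def _send(self, method, extra_headers):
        headers = {"Authorization": self._auth, **extra_headers}
        status, resp_headers, set_cookies, body = self._transport(
            method, headers, dict(self._cookie_jar)
        )
        if self._keep_cookies:
            # This is the "other memory" for the cookies: without it the
            # second call carries the token but not the session it belongs to.
            self._cookie_jar.update(set_cookies)
        return status, resp_headers, body

    def post_with_csrf(self):
        # Call 1: fetch the token (Basic auth on every call).
        status, resp_headers, body = self._send("GET", {"x-csrf-token": "fetch"})
        if status != 200 or "x-csrf-token" not in resp_headers:
            raise RuntimeError(f"token fetch failed: {status} {body}")
        token = resp_headers["x-csrf-token"]
        # Call 2: POST with the token header and (if kept) the session cookie.
        status, _, body = self._send(
            "POST", {"x-csrf-token": token, "Content-Type": "application/json"}
        )
        return status, body


def demo(keep_cookies: bool = True):
    """Run the handshake against the stub; returns (status, body) of the POST."""
    service = StubAbapService("dhuser", "s3cret")
    client = CsrfClient(service.handle, "dhuser", "s3cret", keep_cookies=keep_cookies)
    return client.post_with_csrf()


if __name__ == "__main__":
    print("cookies carried:", demo(True))
    print("cookies dropped:", demo(False))
```

The transport is a plain callable so the same client logic can be pointed at a real HTTP library later; what must not change is that the second call sends both the `x-csrf-token` header and every cookie set by the first call.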