Tags: antiforgerytoken, abp-framework

ABP Antiforgery Issue for non-browser


I'm new to ABP and trying the startup app.
I encountered an issue when calling a POST method from Postman that relates to missing anti-forgery token (works on Swagger).

2021-08-03 21:21:20.702 +08:00 [ERR] The required antiforgery cookie ".AspNetCore.Antiforgery.7jj1GDhyCAk" is not present.
2021-08-03 21:21:20.702 +08:00 [INF] Authorization failed for the request at filter 'Volo.Abp.AspNetCore.Mvc.AntiForgery.AbpAutoValidateAntiforgeryTokenAuthorizationFilter'.

In ABP docs, it is stated "Server side validates the antiforgery token only for same and cross site requests made by the browser. It bypasses the validation for non-browser clients."
https://docs.abp.io/en/abp/latest/CSRF-Anti-Forgery#the-solution

Isn't Postman considered a non-browser client? I can disable this in the global configuration or by adding the [IgnoreAntiforgeryToken] attribute to the method, but that would mean requests from browser clients would no longer be checked for the anti-forgery token either.
What I wish to achieve is what is stated in the documentation, which should work out of the box.

Any pointers on this would be great. Thanks in advance.

Edited - curl request from postman

curl --location --request POST 'https://localhost:44363/api/books/sample' \
--header 'Content-Type: application/json' \
--header 'Cookie: XSRF-TOKEN=CfDJ8KDhwi9YECxIjH1DYIRcrRA1QDj47MryZactcgqszZObbSePQQ8U_8wyUipzzoRXycD7ugQp_XcZX0mtwGN41iANaB5JatRe2tV_1m1MlB4nnccUX5TiecdPmyKYdiNATo0-97249LhhVTi7CiopgwM_Dph5Cw6ZPnOj_IPT-PiDkr1nL3QIxylmqxaUaiwzsw' \
--data-raw '{
  "value": 8
}'

Solution

  • Thanks @aaron for the answer as stated in the comment.
    For those who are facing the same issue, if you called /connect/authorize in Postman, it will auto add the XSRF-TOKEN to the header which is hidden.
    Click on "Cookies" and remove the XSRF-TOKEN from it.
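To make the failure mode above concrete, here is an added example (not code from the question, the answer, or the ABP project) that models the decision the server makes in a simplified form. It assumes, as the answer's fix suggests, that the server treats a request carrying the XSRF-TOKEN cookie as browser-originated and then requires the matching .AspNetCore.Antiforgery.* cookie plus the token header; a request with no XSRF-TOKEN cookie is treated as a non-browser client and bypasses validation. The cookie and header names, the token values and the request scenarios are constructed for the example; the real ASP.NET Core check verifies the cookie/header token pair cryptographically rather than by string equality.

```python
"""Simplified model of the browser-vs-non-browser antiforgery decision.

Added example; not ABP's own code. The heuristic below (presence of the
XSRF cookie marks a browser client) is an assumption based on the fix in
the answer: removing the stray XSRF-TOKEN cookie made Postman bypass the
check again.
"""
from dataclasses import dataclass, field

XSRF_COOKIE = "XSRF-TOKEN"                 # cookie the browser-side script reads
XSRF_HEADER = "RequestVerificationToken"   # header it sends back (assumed default name)
ANTIFORGERY_COOKIE_PREFIX = ".AspNetCore.Antiforgery."  # server half of the token pair
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def should_validate(req: Request) -> bool:
    """Decide whether the antiforgery filter runs at all."""
    if req.method.upper() in SAFE_METHODS:
        return False
    # Assumed heuristic: a request that carries the XSRF cookie looks like
    # it came from a browser, so it must prove it holds a valid token pair.
    return XSRF_COOKIE in req.cookies


def validate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for a request, mirroring the log messages."""
    if not should_validate(req):
        return True, "bypassed: non-browser client or safe method"

    antiforgery = [v for k, v in req.cookies.items()
                   if k.startswith(ANTIFORGERY_COOKIE_PREFIX)]
    if not antiforgery:
        # This is the situation in the question: XSRF-TOKEN present, server cookie absent.
        return False, 'The required antiforgery cookie is not present.'

    header = req.headers.get(XSRF_HEADER)
    if header is None:
        return False, f"missing {XSRF_HEADER} header"
    # Simplification: the real check verifies the pair cryptographically.
    if header != req.cookies[XSRF_COOKIE]:
        return False, "antiforgery token mismatch"
    return True, "validated"


# Constructed scenarios (token values are placeholders, not real tokens).
POSTMAN_WITH_LEFTOVER_COOKIE = Request(
    "POST", cookies={XSRF_COOKIE: "req-token-placeholder"})
POSTMAN_CLEAN = Request("POST")
BROWSER = Request(
    "POST",
    cookies={XSRF_COOKIE: "req-token-placeholder",
             ANTIFORGERY_COOKIE_PREFIX + "placeholder": "cookie-token-placeholder"},
    headers={XSRF_HEADER: "req-token-placeholder"})
BROWSER_NO_HEADER = Request(
    "POST",
    cookies={XSRF_COOKIE: "req-token-placeholder",
             ANTIFORGERY_COOKIE_PREFIX + "placeholder": "cookie-token-placeholder"})


if __name__ == "__main__":
    for name, req in [("postman with leftover cookie", POSTMAN_WITH_LEFTOVER_COOKIE),
                      ("postman after removing cookie", POSTMAN_CLEAN),
                      ("browser with cookie + header", BROWSER),
                      ("browser with cookie, no header", BROWSER_NO_HEADER)]:
        print(f"{name}: {validate(req)}")
```

The first scenario reproduces the question's log line: the leftover XSRF-TOKEN cookie from /connect/authorize makes the request look like a browser request, and without the server-side antiforgery cookie it is rejected. Removing that cookie (the second scenario) restores the non-browser bypass without disabling validation for real browser clients, which is why [IgnoreAntiforgeryToken] is not needed.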