Tags: karate, csrf-token

Karate API request with csrftoken sent twice


Main feature file login-with-cookie.feature

Feature: Login using API

  Scenario: login with csrftoken

    # calling without assignment shares the called feature's variables (including response) with this scenario
    * call read('file:src/test/java/lib/accounts/login/get-middleware-token.feature')
    * print response
    * def csrfmiddlewaretoken = response.token
    * print csrfmiddlewaretoken
    # pass the token into login.feature as the variable 'token'
    * call read('file:src/test/java/lib/accounts/login/login.feature') { token: '#(csrfmiddlewaretoken)' }

And get-middleware-token.feature looks like this:

Feature: Middleware token

  Scenario: get csrfmiddlewaretoken
    Given url baseUrl + '/token/'
    When method GET
    Then status 200

And login.feature is

Feature: Login using API

  Scenario: login
    # token is passed in by the caller; user and password come from karate-config.js
    Given url baseUrl + '/accounts/login/'
    And form field csrfmiddlewaretoken = token
    And form field login = user
    And form field password = password
    And form field next = '/'
    When method POST
    Then status 302

However, when it's run, Karate is sending 2 requests for the login API (I'm assuming because the first one is not getting the session_id), and in the end is not logging the user in - getting unauthorized (most likely because it's now dragging 2 csrftokens in the second request).

10:11:15.933 request:
1 > POST https://stage.pollyex.com/accounts/login/
1 > Content-Type: application/x-www-form-urlencoded
1 > Cookie: csrftoken=<token1>
1 > Content-Length: 132
1 > Host: stage.pollyex.com
1 > Connection: Keep-Alive
1 > User-Agent: Apache-HttpClient/4.5.13 (Java/11.0.18)
1 > Accept-Encoding: gzip,deflate
csrfmiddlewaretoken=<middlewaretoken>&login=user&password=password&next=%2F

10:11:16.207 request:
2 > POST https://stage.pollyex.com/accounts/login/
2 > Content-Type: application/x-www-form-urlencoded
2 > Cookie: csrftoken=<token1>
2 > Cookie: csrftoken=<token2> messages=<messages>; sessionid=<session-id>
2 > Host: stage.pollyex.com
2 > Connection: Keep-Alive
2 > User-Agent: Apache-HttpClient/4.5.13 (Java/11.0.18)
2 > Accept-Encoding: gzip,deflate
csrfmiddlewaretoken=<middlewaretoken>&login=user&password=password&next=%2F

I'm doing the same exact call with cypress and it works with no problem. Any idea?


Solution

  • Confirmed answer from the comments thread: set * configure followRedirects = false.
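The login flow with the accepted answer applied, as an added example that is not code from the original post. It assumes baseUrl, user and password are defined in karate-config.js, that the server is Django (csrfmiddlewaretoken and csrftoken are Django's names, and Django rotates the csrftoken cookie on login, which is why the replayed POST in the log carried two csrftoken cookies and was rejected), and that GET / answers 200 for a logged-in user.

```gherkin
Feature: Login using API without replaying the POST on the 302

  Background:
    # Assumption: baseUrl, user and password come from karate-config.js
    * url baseUrl

  Scenario: login with csrftoken and a single csrftoken cookie

    # Treat the 302 as the final response of the POST. The HTTP client then
    # never re-sends the login form with the old csrftoken cookie plus the
    # rotated one from Set-Cookie, which is the mismatch Django rejects.
    * configure followRedirects = false

    # 1. fetch the CSRF token; Karate stores the csrftoken cookie from this response
    Given path 'token'
    When method GET
    Then status 200
    * def csrfmiddlewaretoken = response.token

    # 2. submit the login form with the cookie and form field token matching
    Given path 'accounts', 'login'
    And form field csrfmiddlewaretoken = csrfmiddlewaretoken
    And form field login = user
    And form field password = password
    And form field next = '/'
    When method POST
    Then status 302

    # 3. the 302 itself carries the session cookie and the rotated csrftoken;
    #    responseCookies is keyed by cookie name, so only the new csrftoken is kept
    And match responseCookies contains { sessionid: '#notnull' }
    And match responseCookies contains { csrftoken: '#notnull' }
    * def sessionId = responseCookies['sessionid'].value
    * print 'logged in, sessionid =', sessionId

    # 4. follow the redirect ourselves with a GET (the 'next' target we set above)
    #    Assumption: the landing page returns 200 once authenticated
    Given path '/'
    When method GET
    Then status 200
```

Cookies collected in steps 1 and 3 are sent automatically on the GET in step 4, so no manual Cookie header is needed.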