
How to "login" into a GraphQL API? How to retrieve the token (via Postman / Python / n8n)


I'm using a CRM system which is built with a Symfony backend and an AngularJS frontend. In the current version 8.x, most of the frontend is running via GraphQL.

I'm trying to access the backend via API calls - those should be the same ones that Angular is using as well, according to research in the forums and hints in the code.

In the browser, I can see the network tab via the inspector.

url.com/login

is one of the first calls during login. After that, most calls are to

url.com/api/graphql

As for the login, I see:

POST
200 Status code and
Referrer Policy: strict-origin-when-cross-origin

Payload is just the JSON with username and password:


The cookies tab:


Now, I'm trying to use either:

  1. n8n
  2. Python
  3. Postman

For doing the same, but to no avail. To test / understand things better, first in Postman:


401 - "error": "Invalid CSRF token."

That means, for the login I already need a token? Is this something like a session? I've tried a lot with Params, Body, different Payload formats etc. But that doesn't seem to be the issue.

Back in my browser, in the request header to the /login request, I can see:

Cookie: sugar_user_theme=suite8; ck_login_language_20=en_us; ck_login_id_20=1fb445cf-beb5-8516-e1c7-667d0c65d69e; ck_login_theme_20=suite8; LEGACYSESSID=eru2qr049asl1j2lce92ctqc5d; PHPSESSID=5kic2vltncem33iann1gg1mh6f; XSRF-TOKEN=WAdBVrC1HOFzxAkzuoWMFY-5YgssbvtfSZWxx4xzJgc

Is this the token I'd need to supply in Postman? But where did the request to login get it from, if it's basically the first page load after receiving the POST form on the web application?

In Postman, there is the option to use Authorization - I see a bearer token. Is that the same? And then the question again: Where to get it from?

Unfortunately, there is 0 documentation for this topic available, but a lot of AngularJS code which works (the CRM - SuiteCRM, if it matters as well). Just, I can't seem to get it working.


Solution

  • Quick Solution:

    1. Make a GET request to the SuiteCRM Login page.
    2. Extract the Token from the rendered Login page.
    3. Add this Token value to your custom Postman request.
    4. Submit, voila!

    ===============================================

    Explanation

    Symfony side:

    CSRF Tokens are multi-layered in SuiteCRM-Core, and it is currently impossible to get rid of those in the SuiteCRM 8.* application. I can give you some hints for a deep dive, though it won't work (it didn't in my case, and I did extensive debugging).

    1. Try disabling the nelmio bundles from the yaml files. This is the package responsible for the CSRF Security. However, it will break the whole application.
    2. Try disabling the thrown Exceptions whenever validating the CSRF Tokens. It will take you to the Event Dispatchers within Symfony. There are almost 27 Event Dispatchers that listen to the incoming Kernel Requests (at the moment). This will further take you to the Symfony Containers where Token-based session and bags are managed, but still disallow access to any data (due to the missing Tokens in Request).

    Angular side:

    Using a standalone Angular instance is not supported at the moment by SuiteCRM 8.* versions. Therefore, it is no use reviewing the Angular source code to get the Token / CSRF Token.

    At the moment, you can only develop using the --watch argument to the Build command.

    Reference: https://community.suitecrm.com/t/suitecrm-8-5-live-server-with-ng-serve/91542/2
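The four steps of the quick solution, as an added Python example (not code from the question, the answer, or SuiteCRM). It assumes the rendered login page carries the token in a hidden input named `_csrf_token` and that the token is sent in the JSON login body; both are placeholders to check against the real page in the browser inspector. A constructed login page and a fake session stand in for the live server so it runs offline; with a real `requests.Session` the PHPSESSID and XSRF-TOKEN cookies from step 1 are carried into step 3 automatically.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Assumption: hidden-input name is a placeholder, not SuiteCRM's real field name.
TOKEN_FIELD = "_csrf_token"


class _HiddenInputs(HTMLParser):
    """Collect name/value pairs of hidden <input> elements on the page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag.lower() == "input" and a.get("type", "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value", "")


def extract_csrf_token(html, field=TOKEN_FIELD):
    """Step 2: return the token value from the login page, or None if absent."""
    parser = _HiddenInputs()
    parser.feed(html)
    return parser.fields.get(field)


def login(session, base_url, username, password):
    """Steps 1-4: GET the login page, pull the token, POST credentials plus token.
    `session` is anything with requests.Session-like get()/post(); a real
    session keeps the cookies set by the GET for the POST."""
    page = session.get(urljoin(base_url, "/login"))
    token = extract_csrf_token(page.text)
    if token is None:
        raise ValueError("no CSRF token on login page; inspect the real form")
    body = {"username": username, "password": password, TOKEN_FIELD: token}
    return session.post(urljoin(base_url, "/login"), json=body)


# Constructed sample page and fake session so the flow runs without a server.
SAMPLE_LOGIN_HTML = """<html><body><form method="post" action="/login">
<input type="hidden" name="_csrf_token" value="constructed-token-123">
<input type="text" name="username"><input type="password" name="password">
</form></body></html>"""


class _FakeResponse:
    def __init__(self, text="", status=200):
        self.text, self.status_code = text, status


class FakeSession:
    """Serves the constructed page; answers 401 unless the token is echoed back."""

    def get(self, url, **kw):
        return _FakeResponse(text=SAMPLE_LOGIN_HTML)

    def post(self, url, json=None, **kw):
        ok = (json or {}).get(TOKEN_FIELD) == "constructed-token-123"
        return _FakeResponse(status=200 if ok else 401)
```

Running `login(FakeSession(), "https://crm.example.invalid", "admin", "secret")` returns a 200 response, while posting the same body without the token yields the 401 seen in the question.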