applejag / rootless-personio

Go client library for Personio, using employee credentials instead of API token
https://pkg.go.dev/github.com/jilleJr/rootless-personio/pkg/personio
GNU General Public License v3.0
12 stars, 1 fork

Fails to get CSRF token #6

Closed applejag closed 1 year ago

applejag commented 1 year ago


Originally posted by @thomaslagies in https://github.com/jilleJr/rootless-personio/issues/5#issuecomment-1489853882


Issue confirmed, I'm receiving the same error, and this was known to work just a week ago.

applejag commented 1 year ago

Personio have changed the way you obtain the CSRF token. Now it's all cookies, which means less work for us because we can just let the cookie jar persist that.

The user ID was also removed from the HTML, so had to figure out new way to obtain that. Found GET /user-activity/api/v1/pendo which seems good enough for the job. Don't know what that endpoint actually is used for, but it'll do.

The frontend seems to get the user ID from the HTML in a subsequent call to GET /, but the GET /user-activity/api/v1/pendo call is way smaller (3.69 kB vs 831 B, respectively) and more predictable with JSON parsing instead of HTML regex matching.
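As an added illustration of the flow described above (not code from rootless-personio itself): a client with a cookie jar lets the server-set CSRF cookie ride along on later requests, the user ID is read from the pendo endpoint's JSON, and any non-2xx answer is surfaced as the error text. The cookie name XSRF-TOKEN, the JSON field visitor_id and the fake server are constructed assumptions; the thread shows neither the real cookie name nor the real pendo response shape.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
)
// newJarClient returns a client whose cookie jar persists every cookie the server sets (the CSRF cookie included).
func newJarClient() *http.Client {
	jar, _ := cookiejar.New(nil)
	return &http.Client{Jar: jar}
}
// fetchUserID loads GET / so the server can set its cookies, then reads the user ID from the pendo JSON.
func fetchUserID(c *http.Client, base string) (string, error) {
	first, err := c.Get(base + "/")
	if err != nil {
		return "", err
	}
	first.Body.Close()
	resp, err := c.Get(base + "/user-activity/api/v1/pendo")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 { // e.g. the 401 reported for an SSO-backed tenant
		return "", fmt.Errorf("employee ID not found: non-2xx status code: %s", resp.Status)
	}
	var p struct{ VisitorID string `json:"visitor_id"` } // assumed field name; the thread shows no JSON
	if err := json.NewDecoder(resp.Body).Decode(&p); err != nil {
		return "", err
	}
	return p.VisitorID, nil
}
// fakePersonio is a constructed stand-in: GET / sets a CSRF cookie; pendo answers only when that cookie comes back.
func fakePersonio() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/user-activity/api/v1/pendo" {
			http.SetCookie(w, &http.Cookie{Name: "XSRF-TOKEN", Value: "constructed", Path: "/"})
			return
		}
		if _, err := r.Cookie("XSRF-TOKEN"); err != nil {
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"visitor_id":"12345"}`)
	}))
}
```

Running the same fetch with a jar-less http.Client reproduces the 401 path, since the CSRF cookie set by GET / is dropped before the pendo call.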

applejag commented 1 year ago

@thomaslagies this has now been fixed. Please try again on the new version via:

go install github.com/jilleJr/rootless-personio@a20d839

Using @latest can give a cached version from Google's Go proxy. Using the commit hash will ensure you get the latest version.

thomaslagies commented 1 year ago

@jilleJr Looking good!

Now I encounter ERR Failed: employee ID not found: non-2xx status code: 401 Unauthorized, but I guess that's due to the fact that we are using OAuth and not a direct login. I provided my AzureAD User:Pass.


applejag commented 1 year ago

Ah, OK, well that complicates things a lot.

This cannot be solved without doing some HTTP intercept hacks in a custom web browser window, because after the login then AzureAD will probably just redirect back to x.personio.de with the JWT.

As the Personio instance I'm using doesn't use OAuth, this becomes borderline impossible for me to develop.

If you want to give it a shot, then please go ahead. But I'm sorry, I can't help you on this one.

thomaslagies commented 1 year ago

No worries, I'll see if I can do something myself here. If so, I'll keep you updated :)