vets-api EKS upgrade effort Postman - third token discovery

[IGallupSoCo]

Description

Given the promise that the internal Postman spike has delivered, we need to ascertain the why and how of a third token that the current PM collection does not capture. Per Trevor Bosaw on the Identity team, the X-CSRF-Token may be required for PUT actions.

Tasks

• [x] Determine how to capture the third token
• [ ] Establish the specifics on what authenticated endpoint calls and actions require it to be properly tested

Acceptance Criteria

• [x] The X-CSRF-Token has been captured by a Postman test script
• [ ] The Token is used to successfully test an authenticated endpoint that requires it

[IGallupSoCo]

I have captured the X-Csrf-Token with a request that Eric helped me to clarify.

However, leveraging that token for PUT or other non-GET requests is yet to pan out. I have been attempting to ascertain what is missing for authentication purposes, while also preparing the collection for handoff to Peter for the upcoming sprint.

[IGallupSoCo]

curl 'https://dev-api.va.gov/v0/user' \ -X 'GET' \ -H 'Cookie: vagov_access_token=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJ2YS5nb3Ygc2lnbiBpbiIsImF1ZCI6WyJ2YW1vYmlsZSIsInZhd2ViIl0sImNsaWVudF9pZCI6InZhd2ViIiwianRpIjoiZWVlZDdlNmEtNDk3Yi00Yjc2LWI1ZmMtMjFhZGFiYTRlMTUzIiwic3ViIjoiZWJmMmU2ZWQtNTNiNi00MDlkLWEzMGEtY2M5OGFlMmFkYzAxIiwiZXhwIjoxNzE4Mzg4MTc1LCJpYXQiOjE3MTgzODc4NzUsInNlc3Npb25faGFuZGxlIjoiNzZlMGJkNTMtNmI2Ny00MGY5LWI4YjMtZGY4ZTYyZjUwYTdlIiwicmVmcmVzaF90b2tlbl9oYXNoIjoiMzYxOTlmOGMwNTliMGFjMTZiZGQ0MDBkYTI2YWQ5ZjY2YjEwYTZmNjk0NjgxZDZhYjU0ZmI1NGZkZWUwMDE1MiIsImRldmljZV9zZWNyZXRfaGFzaCI6bnVsbCwicGFyZW50X3JlZnJlc2hfdG9rZW5faGFzaCI6IjI4MDRhZWQ0NDRlMGYwNGJkM2RiYjhkZWU3NjMzYTY3M2ZhZmIwYTU4YTk2MTU2MjY2ZGE5ZDBjMmViZTRiMjEiLCJhbnRpX2NzcmZfdG9rZW4iOiIzYjhmNTcyZWZlYjI0NTZhNTRhMTI5ZjFkOTRmYTFmZiIsImxhc3RfcmVnZW5lcmF0aW9uX3RpbWUiOjE3MTgzODc4NzQsInZlcnNpb24iOiJWMCIsInVzZXJfYXR0cmlidXRlcyI6e319.BwJdw_CrBvYqObE22ADy1ABuYyT9XPAnkHutcCjeNwmLv_QOz4TUEMJrxpFumVvsFfiEzcInt6DhctTuQCpWTtQULSmXuuCtwZ2Wcve2cEshgiYfKO-d_R8p0UL5nsIzI0woU9N4a6adJThU130Cf2yeV3PeAXhOF4I4bWvW2T4TNmT8QxU27D-HfKAp06kLZbZy5qucAdQ9sQXwCDNBCVPmfiO1VuHuhZQ8U13Snu0cSzId4_AmUtgPvrRtpneyxVAC_z0vpRFmCLT_THA4aHNyu-6fWeWB4NqHbSNQU8CA7BFIyUXNGu46SBbHmrbR3kBn3CtkNsR2q3zl0YQUfg; vagov_anti_csrf_token=3b8f572efeb2456a54a129f1d94fa1ff' \ -H 'X-CSRF-Token: bJ0PQfULWmGZxc07F5L-kWXuTak9o8dUpVcx_YwmBw5z8XpFGwmNcaysUuItv_zhC7amVRBVXoCwIv6_1p-gYQ'

[IGallupSoCo]

The above is an example request made using the previously-acquired tokens and the additional token, as supplied to me by Tervor Bosaw of the Identity Team. I have been attempting to leverage the captured X-CSRF-Token as a header, in the same way in Postman: as a header.

[IGallupSoCo]

Here's at least a partial list that Eric provided to me for endpoints that should require the X-CSRF token:

• CSRF required: OPTIONS /v0/*path(.:format) => ApplicationController#cors_preflight
• CSRF required: OPTIONS /services/*path(.:format) => ApplicationController#cors_preflight
• CSRF required: POST /v1/sessions/callback(.:format) => V1::SessionsController#saml_callback
• CSRF required: POST /v0/sign_in/refresh(.:format) => V0::SignInController#refresh
• CSRF required: POST /v0/sign_in/revoke(.:format) => V0::SignInController#revoke
• CSRF required: POST /v0/sign_in/token(.:format) => V0::SignInController#token
• CSRF required: POST /sign_in/client_configs(.:format) => SignIn::ClientConfigsController#create
• CSRF required: PATCH /sign_in/client_configs/:id(.:format) => SignIn::ClientConfigsController#update
• CSRF required: PUT /sign_in/client_configs/:id(.:format) => SignIn::ClientConfigsController#update
• CSRF required: DELETE /sign_in/client_configs/:id(.:format) => SignIn::ClientConfigsController#destroy
• CSRF required: POST /v0/onsite_notifications(.:format) => V0::OnsiteNotificationsController#create
• CSRF required: PATCH /v0/onsite_notifications/:id(.:format) => V0::OnsiteNotificationsController#update
• CSRF required: PUT /v0/onsite_notifications/:id(.:format) => V0::OnsiteNotificationsController#update
• CSRF required: PATCH /v0/in_progress_forms/:id(.:format) => V0::InProgressFormsController#update
• CSRF required: PUT /v0/in_progress_forms/:id(.:format) => V0::InProgressFormsController#update
• CSRF required: DELETE /v0/in_progress_forms/:id(.:format) => V0::InProgressFormsController#destroy
• CSRF required: PATCH /v0/disability_compensation_in_progress_forms/:id(.:format) => V0::DisabilityCompensationInProgressFormsController#update
• CSRF required: PUT /v0/disability_compensation_in_progress_forms/:id(.:format) => V0::DisabilityCompensationInProgressFormsController#update
• CSRF required: DELETE /v0/disability_compensation_in_progress_forms/:id(.:format) => V0::DisabilityCompensationInProgressFormsController#destroy
• CSRF required: POST /v0/claim_documents(.:format) => V0::ClaimDocumentsController#create
• CSRF required: POST /v0/claim_attachments(.:format) => V0::ClaimDocumentsController#create
• CSRF required: POST /v0/education_career_counseling_claims(.:format) => V0::EducationCareerCounselingClaimsController#create
• CSRF required: POST /v0/veteran_readiness_employment_claims(.:format) => V0::VeteranReadinessEmploymentClaimsController#create
• CSRF required: POST /v0/virtual_agent_token(.:format) => V0::VirtualAgentTokenController#create
• CSRF required: POST /v0/virtual_agent_token_msft(.:format) => V0::VirtualAgentTokenMsftController#create
• CSRF required: POST /v0/virtual_agent_token_nlu(.:format) => V0::VirtualAgentTokenNluController#create
• CSRF required: POST /v0/virtual_agent_jwt_token(.:format) => V0::VirtualAgentJwtTokenController#create
• CSRF required: POST /v0/virtual_agent_speech_token(.:format) => V0::VirtualAgentSpeechTokenController#create
• CSRF required: POST /v0/medical_copays/send_statement_notifications(.:format) => V0::MedicalCopaysController#send_statement_notifications
• CSRF required: POST /v0/letters/:id(.:format) => V0::LettersController#download
• CSRF required: POST /v0/letters_generator/download/:id(.:format) => V0::LettersGeneratorController#download
• CSRF required: POST /v0/disability_compensation_form/submit_all_claim(.:format) => V0::DisabilityCompensationFormsController#submit_all_claim
• CSRF required: POST /v0/mvi_users/:id(.:format) => V0::MPIUsersController#submit
• CSRF required: POST /v0/decision_review_evidence(.:format) => V0::DecisionReviewEvidencesController#create
• CSRF required: POST /v0/upload_supporting_evidence(.:format) => V0::UploadSupportingEvidencesController#create
• CSRF required: PATCH /v0/veteran_onboarding(.:format) => V0::VeteranOnboardingsController#update
• CSRF required: PUT /v0/veteran_onboarding(.:format) => V0::VeteranOnboardingsController#update
• CSRF required: POST /v0/education_benefits_claims/:form_type(.:format) => V0::EducationBenefitsClaimsController#create
• CSRF required: POST /v0/education_benefits_claims(.:format) => V0::EducationBenefitsClaimsController#create
• CSRF required: POST /v0/health_care_applications(.:format) => V0::HealthCareApplicationsController#create
• CSRF required: POST /v0/hca_attachments(.:format) => V0::HCAAttachmentsController#create
• CSRF required: POST /v0/caregivers_assistance_claims(.:format) => V0::CaregiversAssistanceClaimsController#create
• CSRF required: POST /v0/caregivers_assistance_claims/download_pdf(.:format) => V0::CaregiversAssistanceClaimsController#download_pdf
• CSRF required: POST /v0/form1010cg/attachments(.:format) => V0::Form1010cg::AttachmentsController#create
• CSRF required: POST /v0/dependents_applications(.:format) => V0::DependentsApplicationsController#create
• CSRF required: POST /v0/dependents_verifications(.:format) => V0::DependentsVerificationsController#create
• CSRF required: POST /v0/pension_claims(.:format) => V0::PensionClaimsController#create
• CSRF required: POST /v0/burial_claims(.:format) => V0::BurialClaimsController#create
• CSRF required: POST /v0/form0969(.:format) => V0::IncomeAndAssetsClaimsController#create
• CSRF required: POST /v0/benefits_claims/:id/submit5103(.:format) => V0::BenefitsClaimsController#submit5103
• CSRF required: POST /v0/benefits_claims/:benefits_claim_id/benefits_documents(.:format) => V0::BenefitsDocumentsController#create
• CSRF required: POST /v0/evss_claims/:id/request_decision(.:format) => V0::EVSSClaimsController#request_decision
• CSRF required: POST /v0/evss_claims/:evss_claim_id/documents(.:format) => V0::DocumentsController#create
• CSRF required: POST /v0/intent_to_file/:type(.:format) => V0::IntentToFilesController#submit
• CSRF required: PUT /v0/ppiu/payment_information(.:format) => V0::PPIUController#update
• CSRF required: PATCH /v0/prescriptions/:id/refill(.:format) => V0::PrescriptionsController#refill
• CSRF required: PATCH /v0/prescriptions/preferences(.:format) => V0::PrescriptionPreferencesController#update
• CSRF required: PUT /v0/prescriptions/preferences(.:format) => V0::PrescriptionPreferencesController#update
• CSRF required: POST /v0/health_records(.:format) => V0::HealthRecordsController#create
• CSRF required: POST /v0/higher_level_reviews(.:format) => V0::HigherLevelReviewsController#create
• CSRF required: POST /v0/notice_of_disagreements(.:format) => V0::NoticeOfDisagreementsController#create
• CSRF required: POST /v0/messaging/health/folders(.:format) => V0::FoldersController#create
• CSRF required: DELETE /v0/messaging/health/folders/:id(.:format) => V0::FoldersController#destroy
• CSRF required: PATCH /v0/messaging/health/messages/:id/move(.:format) => V0::MessagesController#move
• CSRF required: POST /v0/messaging/health/messages/:id/reply(.:format) => V0::MessagesController#reply
• CSRF required: POST /v0/messaging/health/messages(.:format) => V0::MessagesController#create
• CSRF required: DELETE /v0/messaging/health/messages/:id(.:format) => V0::MessagesController#destroy
• CSRF required: POST /v0/messaging/health/message_drafts/:reply_id/replydraft(.:format) => V0::MessageDraftsController#create_reply_draft
• CSRF required: PUT /v0/messaging/health/message_drafts/:reply_id/replydraft/:draft_id(.:format) => V0::MessageDraftsController#update_reply_draft
• CSRF required: POST /v0/messaging/health/message_drafts(.:format) => V0::MessageDraftsController#create
• CSRF required: PATCH /v0/messaging/health/message_drafts/:id(.:format) => V0::MessageDraftsController#update
• CSRF required: PUT /v0/messaging/health/message_drafts/:id(.:format) => V0::MessageDraftsController#update
• CSRF required: PATCH /v0/messaging/health/preferences(.:format) => V0::MessagingPreferencesController#update
• CSRF required: PUT /v0/messaging/health/preferences(.:format) => V0::MessagingPreferencesController#update
• CSRF required: POST /v0/id_card/announcement_subscription(.:format) => V0::IdCardAnnouncementSubscriptionController#create
• CSRF required: POST /v0/mdot/supplies(.:format) => V0::MDOT::SuppliesController#create
• CSRF required: POST /v0/preneeds/burial_forms(.:format) => V0::Preneeds::BurialFormsController#create
• CSRF required: POST /v0/preneeds/preneed_attachments(.:format) => V0::Preneeds::PreneedAttachmentsController#create
• CSRF required: POST /v0/gi_bill_feedbacks(.:format) => V0::GIBillFeedbacksController#create
• CSRF required: DELETE /v0/profile/connected_applications/:id(.:format) => V0::Profile::ConnectedApplicationsController#destroy
• CSRF required: PATCH /v0/profile/direct_deposits(.:format) => V0::Profile::DirectDepositsController#update
• CSRF required: PUT /v0/profile/direct_deposits(.:format) => V0::Profile::DirectDepositsController#update
• CSRF required: PATCH /v0/profile/direct_deposits/disability_compensations(.:format) => V0::Profile::DirectDeposits::DisabilityCompensationsController#update
• CSRF required: PUT /v0/profile/direct_deposits/disability_compensations(.:format) => V0::Profile::DirectDeposits::DisabilityCompensationsController#update
• CSRF required: POST /v0/profile/addresses/create_or_update(.:format) => V0::Profile::AddressesController#create_or_update
• CSRF required: PATCH /v0/profile/addresses(.:format) => V0::Profile::AddressesController#update
• CSRF required: PUT /v0/profile/addresses(.:format) => V0::Profile::AddressesController#update
• CSRF required: DELETE /v0/profile/addresses(.:format) => V0::Profile::AddressesController#destroy
• CSRF required: POST /v0/profile/addresses(.:format) => V0::Profile::AddressesController#create
• CSRF required: POST /v0/profile/email_addresses/create_or_update(.:format) => V0::Profile::EmailAddressesController#create_or_update
• CSRF required: PATCH /v0/profile/email_addresses(.:format) => V0::Profile::EmailAddressesController#update
• CSRF required: PUT /v0/profile/email_addresses(.:format) => V0::Profile::EmailAddressesController#update
• CSRF required: DELETE /v0/profile/email_addresses(.:format) => V0::Profile::EmailAddressesController#destroy
• CSRF required: POST /v0/profile/email_addresses(.:format) => V0::Profile::EmailAddressesController#create
• CSRF required: POST /v0/profile/telephones/create_or_update(.:format) => V0::Profile::TelephonesController#create_or_update
• CSRF required: PATCH /v0/profile/telephones(.:format) => V0::Profile::TelephonesController#update
• CSRF required: PUT /v0/profile/telephones(.:format) => V0::Profile::TelephonesController#update
• CSRF required: DELETE /v0/profile/telephones(.:format) => V0::Profile::TelephonesController#destroy
• CSRF required: POST /v0/profile/telephones(.:format) => V0::Profile::TelephonesController#create
• CSRF required: POST /v0/profile/permissions/create_or_update(.:format) => V0::Profile::PermissionsController#create_or_update
• CSRF required: PATCH /v0/profile/permissions(.:format) => V0::Profile::PermissionsController#update
• CSRF required: PUT /v0/profile/permissions(.:format) => V0::Profile::PermissionsController#update
• CSRF required: DELETE /v0/profile/permissions(.:format) => V0::Profile::PermissionsController#destroy
• CSRF required: POST /v0/profile/permissions(.:format) => V0::Profile::PermissionsController#create
• CSRF required: POST /v0/profile/address_validation(.:format) => V0::Profile::AddressValidationController#create
• CSRF required: POST /v0/profile/initialize_vet360_id(.:format) => V0::Profile::PersonsController#initialize_vet360_id
• CSRF required: POST /v0/profile/communication_preferences(.:format) => V0::Profile::CommunicationPreferencesController#create
• CSRF required: PATCH /v0/profile/communication_preferences/:id(.:format) => V0::Profile::CommunicationPreferencesController#update
• CSRF required: PUT /v0/profile/communication_preferences/:id(.:format) => V0::Profile::CommunicationPreferencesController#update
• CSRF required: PUT /v0/profile/ch33_bank_accounts(.:format) => V0::Profile::Ch33BankAccountsController#update
• CSRF required: PATCH /v0/profile/gender_identities(.:format) => V0::Profile::GenderIdentitiesController#update
• CSRF required: PUT /v0/profile/gender_identities(.:format) => V0::Profile::GenderIdentitiesController#update
• CSRF required: PATCH /v0/profile/preferred_names(.:format) => V0::Profile::PreferredNamesController#update
• CSRF required: PUT /v0/profile/preferred_names(.:format) => V0::Profile::PreferredNamesController#update
• CSRF required: POST /v0/account_controls/credential_lock(.:format) => V0::AccountControlsController#credential_lock
• CSRF required: POST /v0/account_controls/credential_unlock(.:format) => V0::AccountControlsController#credential_unlock
• CSRF required: POST /v0/search_click_tracking(.:format) => V0::SearchClickTrackingController#create

[pjhill]

We are currently expecting this effort to need to continue into the next sprint.

[JoeTice]

SPRINT 4 UPDATE - IN PROGRESS - The troubleshooting of endpoint issues that are being encountered are turning out to be more involved than expected to resolve. This work will continue into next sprint as @IGallupSoCo moves onto support, and @pjhill takes over the primary focus on this role. We expect to be able to close out this ticket, and will likely create more focused tickets to deal with specific issues being encountered here.

[JoeTice]

SPRINT 5 UPDATE - This task was deprioritized in Sprint 5