postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

Cannot read cookies since Postman v8 (working when forcing the sub domain) #9628

Open ZekLouis opened 3 years ago

ZekLouis commented 3 years ago

Describe the Issue

With Postman v8 we're not able to get a cookie from the response in the "Tests" script, whereas we could before. In our case, we are calling an endpoint called "csrf-cookie" to get a CSRF token and put it in an ENV variable. We didn't change anything on our side and now it's not working. We get the error: There was an error in evaluating the test script: TypeError: Cannot read property 'value' of undefined. We tried at the same time with people using v7 of Postman, and we didn't have any problems, but everybody with v8 seems to encounter the problem. Maybe there was a change in v8 we didn't notice.

Screenshots or Videos

Here you can see in the Tests script we are getting the XSRF-TOKEN cookie and we get the error mentioned above.

Here is the error we have:

https://user-images.githubusercontent.com/18212301/108335917-c578d280-71d3-11eb-9cbd-b6c5c5a28408.mp4

Additional Context

Everybody with v8 in our team encounters the issue.

It looks like it might be linked with: https://github.com/postmanlabs/postman-app-support/issues/9541

SebastianJust commented 3 years ago

Hi, I've experienced the same issue with OAuth 2.0: https://github.com/postmanlabs/postman-app-support/issues/9629

DannyDainton commented 3 years ago

Hey @ZekLouis

That looks like it's returned in the response header and you have the older sandbox syntax there, will this work for you?

```javascript
// Read the raw Set-Cookie header from the response in a Tests script
let cookie = pm.response.headers.get('set-cookie')

console.log(cookie)
```

ZekLouis commented 3 years ago

Hey @DannyDainton,

It could work but we have multiple "set-cookie" headers and using your method I won't get the one I need. It looks like the header SetCookie is not setting any cookie into postman.

GennadiiSvichinskyi commented 3 years ago

The same issue. My pre-script tries to authorize via https://login.microsoftonline.com/ with the Authorization_Code flow. Before the update it worked perfectly. But now I get an error. It seems that something is wrong with cookies.

SebastianJust commented 3 years ago

> The same issue. My pre-script tries to authorize via https://login.microsoftonline.com/ with the Authorization_Code flow. Before the update it worked perfectly. But now I get an error. It seems that something is wrong with cookies.

@GennadiiSvichinskyi for a workaround you can use Interceptor: https://github.com/postmanlabs/postman-app-support/issues/9629

ZekLouis commented 3 years ago

Hey @DannyDainton,

Any news on this?

appurva21 commented 3 years ago

Hey @ZekLouis!

This is what I tried and it worked fine for me:

Could you please share some more details about the Request that you are making or the Set-Cookie header's value, which might help us in reproducing this at our end?

ZekLouis commented 3 years ago

Hey!

Sure, I will try to explain what we are trying to achieve.

So we have an API on the subdomain api.ourproject.com, and we will have our frontend React app on ourproject.com.

Our API is configured to have the session domain on ourproject.com. To log in, we call the xsrf-cookie endpoint to get the CSRF token and pass it in the headers to log in. We are not able to read the cookie returned by this endpoint with the configuration we want.

It IS working if we set the referer as api.ourproject.com and the session domain as api.ourproject.com. It IS NOT working if we set the referer as ourproject.com and the session domain as ourproject.com (and this is the intended setup for our app).

When it's not working we get the Cannot read property 'value' of undefined error when we call postman.getResponseCookie("XSRF-TOKEN").value, but it's working perfectly with the same script in the other configuration.

Just to add, we're all facing this issue in our team and we didn't have this issue before upgrading to the v8.

Working case (not what we want 😄, has always been working): Referer: api.ourproject.com, Session Domain: api.ourproject.com, Calling: http://api.ourproject.com/api/csrf-cookie

Not working case (what we want 😄, was working before v8): Referer: ourproject.com, Session Domain: ourproject.com, Calling: http://api.ourproject.com/api/csrf-cookie

Tell me if it's not clear or if I could provide something else which could help! :)

codenirvana commented 3 years ago

@ZekLouis Thanks for the detailed explanation, I understood your use cases.

But I am still not able to reproduce this issue locally, can you please clarify the following doubts:

  1. What's Referer here?
  2. Can you share the complete Set-Cookie string, e.g., XSRF-TOKEN=<token>; Domain=...?
  3. Is this issue only with postman.getResponseCookie or, cookies are missing from the Cookie modal as well?

I am assuming the issue here is, calling http://api.ourproject.com/api/csrf-cookie responds with an XSRF-TOKEN cookie with Domain=ourproject.com and it's not getting saved and hence unavailable in postman.getResponseCookie.

ZekLouis commented 3 years ago

Hey, thanks for your reply!

  1. The referer is the header value we are passing as "Referer" for our framework. So the request goes with the header Referer: ourproject.com; our authentication system needs it.

  2. Yup sure, there you go XSRF-TOKEN=eyJpdiI6Inl3czlwNjJpaDZFWXlvUk12bEFwb1E9PSIsInZhbHVlIjoiQTEzTWJIS1doMkZ5cEtZdzZmYUdYcW9lODRxekdMdEUyZVRERFVSeVBOL0YvWk53WGlML1lFeEtncFNNdEVUS25lZXNaZWZMZ3h1S0VlQnNzR2JhSll4NEFORkZibFMyTElJT0haVW53VS9DdWdrWFY4TlNMcjlWaEZPMXRoWTgiLCJtYWMiOiJjYzAxOTEyYTE2MzNlNzRiYjc3MTNiMzJjOTc0MDAwYmQ1YzVlNGM4MzZkMTMzYzUzNDAzZGM3ZmE5OWFjMzEyIn0%3D; expires=Thu, 04-Mar-2021 12:17:41 GMT; Max-Age=7200; path=/; domain=ourproject.com; samesite=lax

  3. The issue is only with postman.getResponseCookie. Cookies are in the modal on ourproject.com.

I think that it could be the problem yes, but it was working before v8. And this behavior is gonna be the one we'll have for our production :)
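Added example (not code from the thread or from Postman): a small JavaScript helper that parses several Set-Cookie headers, selects one by name, and applies the RFC 6265 domain-match rule to check whether a response from api.ourproject.com is allowed to set a cookie with Domain=ourproject.com. The header array below is constructed with placeholder values; in a Postman Tests script the raw values would come from pm.response.headers.all().

```javascript
// Added example, not from the thread: parse several Set-Cookie headers,
// select a cookie by name, and apply the RFC 6265 domain-match rule.
// The sample headers below are constructed; the values are placeholders.

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const part of rest) {
    if (!part.trim()) continue;
    const [k, ...v] = part.trim().split('=');
    // attribute names are case-insensitive; flag attributes (HttpOnly, Secure) carry no value
    cookie.attrs[k.toLowerCase()] = v.length ? v.join('=') : true;
  }
  return cookie;
}

// Find a named cookie among all Set-Cookie headers of a response
// (a plain array of raw header values stands in for pm.response.headers.all()).
function findCookie(setCookieHeaders, name) {
  return setCookieHeaders.map(parseSetCookie).find((c) => c.name === name) || null;
}

// RFC 6265 5.1.3: host domain-matches cookieDomain when they are equal, or
// host ends with "." + cookieDomain and host is not an IP address.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.replace(/^\./, '').toLowerCase();
  if (/^[\d.]+$/.test(host)) return host === cookieDomain;
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// RFC 6265 5.3 step 6: a cookie whose Domain attribute does not domain-match
// the request host is ignored; without a Domain attribute it is host-only.
function wouldStore(cookie, requestHost) {
  const d = cookie.attrs.domain;
  if (typeof d !== 'string') return true;
  return domainMatches(requestHost, d);
}

// Constructed sample resembling the Laravel response discussed in the thread.
const sampleHeaders = [
  'laravel_session=PLACEHOLDER_SESSION; path=/; domain=ourproject.com; httponly; samesite=lax',
  'XSRF-TOKEN=PLACEHOLDER_TOKEN; expires=Thu, 04-Mar-2021 12:17:41 GMT; Max-Age=7200; path=/; domain=ourproject.com; samesite=lax',
];

const xsrf = findCookie(sampleHeaders, 'XSRF-TOKEN');
console.log(xsrf.value, wouldStore(xsrf, 'api.ourproject.com')); // PLACEHOLDER_TOKEN true
```

A cookie that passes wouldStore for the request host but still does not appear in the jar points at the client's cookie store rather than at the server's Set-Cookie header.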

codenirvana commented 3 years ago

> The issue is only with postman.getResponseCookie. Cookies are in the modal on ourproject.com.

It's possible that those are previously stored cookies; you can verify this by clearing all the cookies for ourproject.com and sending the CSRF request again, because in the second screenshot you shared I see no cookies in the Cookies tab.

Based on the cookie string you provided, I tried reproducing the issue locally but, no luck. Once you verify that cookies for http://api.ourproject.com/api/csrf-cookie request with Session Domain : ourproject.com are not getting stored, can you share a publicly accessible endpoint which we can use to reproduce this issue?

If you can't share it here, can you share it at help@postman.com (mention this GitHub issue)?

ZekLouis commented 3 years ago

I always tried to clear my cookies before calling my endpoint. Here is a video to explain what I'm doing:

https://user-images.githubusercontent.com/18212301/110297772-1ff79880-7ff4-11eb-8a67-26f05a2754b8.mp4

I'm sorry but we don't have anything public yet :( For information, we are using Laravel 8.29.0 (with Sanctum) for our API.

codenirvana commented 3 years ago

@ZekLouis Thanks for sharing the screen-recording but I am still not able to reproduce this issue with my local setup. 🤦

Is it possible to share a testing endpoint or a Postman Mock with a similar behavior?

andreaneri commented 3 years ago

@codenirvana since I updated to release 8 my issue is similar: I'm calling an endpoint that returns a cookie response header like: IDM=ABCD1234; Path=/; Domain=app.mydomain.local; Expires=Fri, 02 Apr 2021 21:50:41 GMT; Max-Age=28800; HttpOnly; SameSite=None

The cookie is not added to the Cookies tab, so it doesn't get sent in the next requests...

codenirvana commented 3 years ago

@andreaneri Can you share a scaled-down collection (or public API/local server) that we can use to reproduce this issue?

andreaneri commented 3 years ago

> @andreaneri Can you share a scaled-down collection (or public API/local server) that we can use to reproduce this issue?

I solved it by changing the top-level domain from "local" to "it". Is it related? Thanks

CannibalVox commented 3 years ago

Same issue, request is to:

https://api.mari.one/tte/accounts/login Response header: Set-Cookie: MarionetteSession=1CF9CB9C56A8450FB7DD97FD6D699B9A; Path=/session; Domain=mari.one; HttpOnly; Secure; SameSite=Lax

Request domain is determined by variable which I know has been a problem in the past.

Cookie is not showing up in cookie jar or anything else. "Disable Cookie Jar" is off.

I don't really wanna open the workspace or collection but I suppose I could add you to it?

CannibalVox commented 3 years ago

Bah, the path was wrong, it's right there in my reply. Sorry!

DannyDainton commented 2 years ago

@ZekLouis Is this still an issue for you? If so could you provide the information that @codenirvana was asking for in order to recreate the issue locally?

Without that, it's going to be difficult to move this forward. :(