[RESOLVED] Log in to web Data with User and Password

[Adie]

Hi
*** TOTALLY NEWBIE WRT ALL THINGS INTERNET ***

Using Lazarus 4.4 and WIN11Pro

I need to log in to SAP S/4 HANA to retreive data via their API

****** BUT i can not even log in to the site below with given User and Passw. *****

  URL  := 'https://practicetestautomation.com/practice-test-login/';
  User := 'student';
  Pass := 'Password123';

The sample site give info to test but I do not get ANY relevant response. 

I tried more than 10 samples in this forum and other without success.

Any help would be appreciated.

Adie

[Adie]

OK, I can log in to the web page but get this error

"CSRF token is missing"

** Code Snippet **

Code: Pascal  [Select][+][-]

1.   // Initialize SSL if using HTTPS
2.   InitSSLInterface;
3.   HTTP := TFPHTTPClient.Create(nil);
4.   try
5.     // Enable redirects to maintain session
6.     HTTP.AllowRedirect  := True;
7.     HTTP.KeepConnection := True;
8. //    HTTP.Cookies.Add('session_id=12345');
9.  
10.     FormData := TStringList.Create;
11.     try
12.       FormData.Values['sap-alias'] := Username;
13.       FormData.Values['sap-password'] := Password;
14.  
15.       // Add any other required fields (e.g., anti-CSRF token if present)
16. >> not working      FormData.Values['CSRF-token'] := 'a7b8c9d0e1f2g3h4i5j6k7l8m9n0o1p2'; // <======== Not working ??
17.  
18.       Response := TStringStream.Create('');
19.       try
20.         // Send the POST request
21.         HTTP.FormPost(TargetURL, FormData, Response);
22. ShowMessage( HTTP.Connected.ToInteger.ToString);
23. ShowMessage( HTTP.RequestHeaders.Text);
24.         // You can read the response content from the Response stream if needed
25.         ShowMessage( Response.DataString);
26.  
27.       finally
28.         Response.Free;
29.       end;
30.     finally
31.       FormData.Free;
32.     end;
33.   finally
34.     HTTP.Free;
35.   end;
36.  

[paweld]

The login code on this page is written in JS and does not retrieve data sent using the POST method, only data from form controls. The easiest way is to use Selenium: https://forum.lazarus.freepascal.org/index.php/topic,50082.msg364923. html#msg364923 or display the page using CEF4Delphi ( https://github.com/salvadordf/CEF4Delphi ) and retrieve the login result.

[rvk]

I'm not sure what you are trying to do.
If you look at the source... when you type in username and password and submit, a small js is run and if entered correctly the page is redirected to https://practicetestautomation.com/logged-in-successfully.

So why not just directly load https://practicetestautomation.com/logged-in-successfully ????
There is actually not a real login on that site, just a check for username and password and a redirect.

If you have another REAL site, give us that URL so we can check its login method.
Usually when doing a real login you need to investigate the cookies and return values and pass that on to any other pages you retrieve.
(also for the missing CSRF token)
So you just taken a bad site as example for your login attempts (there are a lot of different login methods used on the web).

Code: Javascript  [Select][+][-]

1. <script>
2.                 document.addEventListener("DOMContentLoaded", function () {
3.                         const username = document.querySelector("#username"),
4.                                 password = document.querySelector("#password"),
5.                                 submit = document.querySelector("#submit"),
6.                                 error = document.querySelector("#error");
7.  
8.                         submit.addEventListener("click", function () {
9.                                 let us_name = username.value,
10.                                         us_pass = password.value;
11.  
12.                                 if(us_name == "student" && us_pass == "Password123"){
13.                                         window.location.href = "https://practicetestautomation.com/logged-in-successfully";
14.                                 }else if(us_name == "student" && us_pass != "Password123"){
15.                                         error.innerHTML = "Your password is invalid!";
16.                                         error.classList.add("show");
17.                                         username.value = "";
18.                                         password.value = "";
19.                                 }else{
20.                                         error.innerHTML = "Your username is invalid!";
21.                                         error.classList.add("show");
22.                                         username.value = "";
23.                                         password.value = "";
24.                                 }
25.                         })
26.                 })
27.         </script>

[Adie]

Thanks
I was under the impression this webpage will allow testing of 'application' login. 

The test is now directly on the SAP S/4 HANA SITE.

In the meantime I did the following where I can 'retreive'  the Cookies and use HTTP.FormPost(TargetURL, FormData, Response) to log in.  I then get a "CSRF token is missing"  error.

Code: Pascal  [Select][+][-]

1.   InitSSLInterface;                                     // Initialize SSL if using HTTPS
2.   HTTP := TFPHTTPClient.Create(nil);
3.   try
4.     // Enable redirects to maintain session
5.     HTTP.AllowRedirect  := True;
6.     HTTP.KeepConnection := True;
7.  
8.     FormData := TStringList.Create;
9.     FormData.Values['sap-alias']    := Username;
10.     FormData.Values['sap-password'] := Password;
11.     // Add any other required fields (e.g., anti-CSRF token if present)
12.  
13.     try
14.       Response := TStringStream.Create('');
15.       try
16.         HTTP.Get('https://my430346-api.s4hana.cloud.sap');   // Get the Cookies
17.         ShowMessage( HTTP.ResponseHeaders.Text);
18.  
19.         cCookies.Text := HTTP.Cookies.Text;    // I protect the Cookies as the 'vanish' after POST
20.         // Send the POST request
21.         HTTP.FormPost(TargetURL, FormData, Response);
22.         // You can read the response content from the Response stream if needed
23.         ShowMessage( 'Response ' + Response.DataString);
24.       finally
25.         Response.Free;
26.       end;
27.     finally
28.       FormData.Free;
29.     end;
30.   finally
31.     HTTP.Free;
32.   end;
33.   cCookies.Free;
34.  

The following is the response I receive

Code: Text  [Select][+][-]

1. ***** Header *****
2.  
3. content-type: text/html; charset=utf-8
4. content-length: 8565
5. sap-authenticated: false
6. content-security-policy: default-src 'self'
7. sap-err-id: ICFLOGONREQUIRED
8. expires: 0
9. pragma: no-cache, no-store, private
10. cache-control: no-cache, no-store, private
11. origin-agent-cluster: ?0
12. sap-server: true
13. sap-perf-fesrec: 43239.000000
14. set-cookie: sap-login-XSRF_BVR=20260206095842-QHSUFNOq8JAd_lOsi2XbNQ%3d%3d; path=/; secure; HttpOnly; SameSite=None
15. set-cookie: sap-usercontext=sap-client=100; path=/; SameSite=None; secure
16. x-content-type-options: nosniff
17. strict-transport-security: max-age=31536000; includeSubDomains
18. x-xss-protection: 1; mode=block
19. sap-passport-component: none
20.  
21. ***** Cookies *****
22. sap-login-XSRF_BVR=20260206095842-QHSUFNOq8JAd_lOsi2XbNQ%3d%3d
23. path=/
24. secure
25. HttpOnly
26. SameSite=None
27. sap-usercontext=sap-client=100
28. path=/
29. SameSite=None
30. secure
31.  
32. ****** Result ******
33. {"error":{"code":"/IWBEP/CM_V4H_RUN/043","message":"CSRF token is missing","@SAP__common.ExceptionCategory":"CSRF_Token_Missing"}}
34.  

I am basically at the point where I think EITHER the cookie name is WRONG based on the error
OR
The HTTP.FormPost(TargetURL, FormData, Response) is not sending the cookie.

I also tried to include the Cookie in the HEADER but still no luck.

In the meantime I signed up to SAP in order to see if the Cookie 'name' is incorrect and ALSO ran an online test app to see what the name on the webserver actually is.
Use this url 'https://my430346-api.s4hana.cloud.sap'   // Get the Cookies directly via Brave .

At this point I want to test a site where the Cookie will 'work'

Thanks
Adie

[rvk]

Code: Pascal  [Select][+][-]

1.     FormData := TStringList.Create;
2.     FormData.Values['sap-alias']    := Username;
3.     FormData.Values['sap-password'] := Password;
4.     // Add any other required fields (e.g., anti-CSRF token if present)
5.  

So what other FormData did you pass?????

When I press F12 in the browser and look at what actually is posted to the "ui" page, it looks like this as FormData:

sap-system-login-oninputprocessing=onLogin&sap-urlscheme=&sap-system-login=basic_auth&sap-system-login-basic_auth=X&sap-accessibility=&sap-login-XSRF=D8gz0HSiHkoMVgkwfjLP5Lu_PxFqSmZTJ9imjvP2ggk%3D&sap-system-login-cookie_disabled=&sap-hash=&sap-alias=test&sap-password=test&sap-client=100&sap-language=NL

You only passes sap-alias and sap-password. But you also need to pass sap-login-XSRF and maybe some of those others.
You need to test yourself which you are really required to pass.
But for example... that sap-login-XSRF... When you go to my430346-api.s4hana.cloud.sap you are redirected to my430346-api.s4hana.cloud.sap/ui
There you get a cookie with sap-login-XSRF_BVR with a value.
sap-login-XSRF_BVR=20260206132203-XVcdnafVmF9foR5v-b8ULw%3d%3d; path=/; secure; HttpOnly; SameSite=None
You need to pass that value on in the FormData as seen in the example above.
(although I'm not sure why they don't match for me... but try it yourself... I don't have valid credentials.)

You can read about CXRF/XSRF here:
https://help.sap.com/docs/SAP_IDENTITY_MANAGEMENT/e56f59e67af44098833719150c3ab8b7/5d0d3f157a1a4ee7b12d963251a21453.html?locale=en-US

BTW. Here you see some code how to login into SAP systems:
https://community.sap.com/t5/enterprise-resource-planning-blog-posts-by-sap/how-to-login-to-an-sap-business-bydesign-system-with-javascript/bc-p/13322954/highlight/true

You see that indeed only sap-alias, sap-password and sap-login-XSRF is needed. So you are only missing that sap-login-XSRF.
You can see in the code there how to retrieve it.

[rvk]

The XSRF you need to pass is even in the form data on the "ui" login screen where you get redirected:

Code: Text  [Select][+][-]

1. <div id="LOGIN_SHADOW_FORM" hidden="hidden" class="loginDisplayNone">
2.                 <input type="hidden" name="sap-system-login-oninputprocessing" value="onLogin">
3.                 <input type="hidden" name="sap-urlscheme" value="">
4.                 <input type="hidden" name="sap-system-login" value="basic_auth">
5.                 <input type="hidden" name="sap-system-login-basic_auth" value="X">
6.                 <input type="hidden" name="sap-accessibility" value="">
7.                 <input type="hidden" name="sap-login-XSRF" value="uU_BXBVfacSVDa2qOwO3ZvtRDeelnYf4xhndySFYaHw&#x3d;">
8.                 <input type="hidden" name="sap-system-login-cookie_disabled" value="">
9.                 <input type="hidden" name="sap-hash" value="">
10.                 <div id="USERNAME_BLOCK" class="loginInput sapUiLightestBG">
11.                     <label id="USERNAME_LABEL" for="USERNAME_FIELD-inner" class="loginHiddenAccessible"

[Adie]

@rvk
**snip above**
I also tried to include the Cookie in the formdata but still no luck.

I even 'pasted' YOUR 'sap-login' in BOTH cookies and FormData and got the same error.  I expected an error like 'INVALID' but not 'MISSING' 

I also CLEARED the TFPHTTPClient.Cookies  to prevent duplicates.

I also passed only the '20260206132203-XVcdnafVmF9foR5v-b8ULw%3d%3d' portion or the WHOLE sentence still same issue.

I did notice that the %3d%3d are sometimes replaced with ==  I would imagine that it would be WRONG not missing

** Reply on your post **
Line 7 now suddenly end with a ;
The name is now different again: sap-login-XSRF   instead of  sap-login-XSRF_BVR


Thanks,

It is gonna be a busy weekend.

Adie

[rvk]

The sap-login-XSRF_BVR is passed on as cookie (same as that you get that cooke).
The sap-login-XSRF is a field that's in the ui login page you get redirected to.
So you need to GET that ui page and extract the sap-login-XSRF value and pass it in your FormData together with sap-alias and sap-password.

[Adie]

**** ISSUE RESLOVED ****

The solution was simple: ONLY USE THE http.GET(...)

Code: Pascal  [Select][+][-]

1. procedure TForm1.btnLoginClick(Sender: TObject);
2. var
3.   HTTP: TFPHTTPClient;
4.   Username : string;
5.   Password : string;
6.   TargetURL: string;
7.   Get_URL  : string;
8.   cGetResult : string;
9.  
10.   cSaveList: TStringlist;    // For Save to TXT
11.  
12. begin
13.   TargetURL := 'https://xxxxx-api.s4hana.cloud.sap/sap/opu/odata4/sap/........
14.  Get_URL   := 'https://xxxxx-api.s4hana.cloud.sap/ui';
15.   Username  := 'MyUser';
16.   Password  := 'MyPassw';
17.  
18.   InitSSLInterface;                                     // Initialize SSL if using HTTPS
19.   HTTP := TFPHTTPClient.Create(nil);
20.  
21.   // Enable redirects to maintain session
22.   HTTP.AllowRedirect  := True;
23.   HTTP.KeepConnection := True;
24.  
25.   // Load the User Pass in GET
26.   HTTP.UserName := Username;    //<=================== Give this to GET
27.   HTTP.Password := Password;
28.  
29.   try
30.     cGetResult :=  HTTP.Get(Get_URL);           // Log in to site
31.     HtmlViewer1.LoadFromString( cGetResult );
32.  
33. // We need to test if Fail to Log on          <<=========== TO DO
34.  
35.     cGetResult := HTTP.Get(TargetURL);
36.     HtmlViewer1.LoadFromString( cGetResult );   //<<=========== display in 'Browser
37.  
38. // Allow to Save result
39. //cSaveList      := TStringlist.Create;                      // we need to protect the Cookies
40. //cSaveList.Text := cGetResult;
41. //cSaveList.SaveToFile( 'API_SalesOrders Active.TXT' );
42. //cSaveList.Free;
43.  
44.   finally
45.     HTTP.Free;
46.   end;
47. end;
48.  

[rvk]

**** ISSUE RESLOVED ****

The solution was simple: ONLY USE THE http.GET(...)

In that case the API doesn't even need the sap-login-XSRF.
Just username:password@url is sufficient (which is what the Get() internally does).

Only for faking (browser) user login via login page the sap-login-XSRF is needed.

Glad you got it working