Hi AppGyver team, I've posted this issue in the SAP forum as well, but there has been no answer yet, so I'm reporting it here too.
App ID: 96175 (SAP AppGyver in BTP)
My AppGyver app is using BTP authentication to fetch OData (user info) from a backend OData service set up as a BTP destination.
The app is successfully fetching the user info and displaying it as a list on the first page of the app, so BTP authentication is working for retrieving data.
Now, I've added a user creation page, and when the app calls the "Create record" flow function for the OData, it returns "CSRF token validation failed" in the browser.
My OData accepts the POST method to update the backend data source and I've tested it in the BTP ABAP environment, so it shouldn't be a problem with OData itself.
So is there a missing setting on my end, or is this an issue on the AppGyver side?
My understanding is that whenever the POST method is called towards an SAP web service, a csrf-token is required.
Therefore a HEAD/GET method should first be called to fetch the csrf-token, and the token should then be passed in the POST request header.
I have a feeling that AppGyver BTP authentication is not considering fetching the csrf-token beforehand.
To reproduce:
  1. On the first page, click the Create button above the list fetched from the OData.
  2. Enter the data to be created. For example: First Name='App', Last Name='Gyver', Valid from='2022-07-13', Valid to='2023-08-13'
  3. Click on the Submit button. Now the Create record function runs and the POST method is called.
Expected behavior:
The POST method should succeed and the data should be created in the backend.
This POST method fails with error status 403 and response "CSRF token validation failed".
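
The token handshake described in the post, shown from both sides as an added example (not part of the original post and not AppGyver's or SAP's code). The in-memory service, the `/Users` path, the field names and the token and cookie values are constructed for illustration; the `X-CSRF-Token: Fetch` request header is the convention SAP OData services use for the initial HEAD/GET.

```javascript
// Constructed in-memory stand-in for the OData service (not a real SAP endpoint).
// It mimics the behaviour the post describes: a token must be fetched first.
function makeMockService() {
  const sessions = new Map(); // session cookie -> CSRF token issued to it
  const records = [];
  let n = 0;
  function handle(req) {
    const h = req.headers || {};
    if (req.method === "HEAD" || req.method === "GET") {
      if (h["x-csrf-token"] !== "Fetch") return { status: 200, headers: {}, body: "" };
      n += 1;
      const cookie = "sid-" + n, token = "tok-" + n; // constructed values
      sessions.set(cookie, token);
      return { status: 200, headers: { "x-csrf-token": token, "set-cookie": cookie }, body: "" };
    }
    // Modifying request: the token must match the one issued to this session.
    const expected = sessions.get(h.cookie);
    if (!expected || h["x-csrf-token"] !== expected) {
      return { status: 403, headers: { "x-csrf-token": "Required" }, body: "CSRF token validation failed" };
    }
    records.push(req.body);
    return { status: 201, headers: {}, body: req.body };
  }
  return { handle, records };
}

// Client side: step 1 fetches the token, step 2 sends token and session cookie with the POST.
// `send` is a hypothetical transport; in a real app it would be an HTTP call.
function createRecord(send, path, record) {
  const probe = send({ method: "HEAD", path, headers: { "x-csrf-token": "Fetch" } });
  const token = probe.headers["x-csrf-token"];
  if (!token) throw new Error("service did not return a CSRF token");
  return send({
    method: "POST", path, body: record,
    headers: { "x-csrf-token": token, cookie: probe.headers["set-cookie"], "content-type": "application/json" },
  });
}

// The failing case from the report: a POST with no prior token fetch.
function createRecordNoToken(send, path, record) {
  return send({ method: "POST", path, body: record, headers: { "content-type": "application/json" } });
}

const svc = makeMockService();
const user = { FirstName: "App", LastName: "Gyver", ValidFrom: "2022-07-13", ValidTo: "2023-08-13" };
console.log(createRecordNoToken(svc.handle, "/Users", user).status); // 403
console.log(createRecord(svc.handle, "/Users", user).status);        // 201
```

The token is bound to the session that fetched it, so the POST has to carry the same session cookie as the HEAD/GET; a token sent without that cookie is rejected the same way as a missing one.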