I’m trying to create a community type web app that allows people to track parcels. One of the courier companies has their tracking API quite visible when you inspect the “Track” button.
It’s an HTML form using a POST call. I’ve tried copying the relevant fields and making my own API call using the API Connector, however, I receive the following error:
Raw response for the API
Status code 419
"message": "CSRF token mismatch."
From reading up, I understand this is a cookie related issue?
Does anyone know how one would get around this? It is publicly available information, so it’s not as though there’s secret authentication needed as anyone can go on their site and search for any waybill number. I’m just replicating the search somewhere else for convenience.
The page where you can access the code is: Collivery.net - Tracking - Show - Your one click courier company
And you’re welcome to use this waybill number as an example to test: 6224455
I don’t know what the CSRF is, but the Token mismatch to me indicates they have a token which is sort of like a password, and you may not be providing a token that matches to your account with them.
This is out of my wheelhouse as well but there is more going on in the header in the form of a script that is actually sending that request - it's more than just an open POST call. You can see where the CSRF token is getting used. This can probably be further reverse engineered but it's more than just the HTML form.
The CSRF token is there exactly to prevent you from doing what you are trying to do.
Usually the token is generated by the server for every request or session and is used to validate the POST request that you are trying to do.
You can find detailed explanations with a search on Google.
It’s clear that the owner of the service does not want to allow requests outside that specific website. You should try to see if they have a public API instead.
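To show concretely what the reply above means by a server-generated token validating the POST, here is an added example (not Collivery's code and not from anyone in this thread): a minimal server-side check that mints one token per session and rejects a POST whose hidden field does not match the token bound to the session cookie. The names `_sessions`, `handle_post` and the `_token` form field are assumptions for the example.

```python
import hmac
import secrets

# Constructed in-memory session store for the example (assumption: one
# CSRF token per session, kept server-side as the reply above describes).
_sessions = {}

def start_session():
    """Create a session and mint the CSRF token the tracking form embeds."""
    session_id = secrets.token_urlsafe(16)
    _sessions[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id

def csrf_token_for(session_id):
    """Token the server would render into the form's hidden _token field."""
    return _sessions[session_id]["csrf_token"]

def handle_post(cookies, form):
    """Validate a POST the way a token-protected form handler does.

    cookies: dict of request cookies (the session cookie rides here)
    form:    dict of submitted form fields (hidden _token rides here)
    Returns an HTTP status: 200 on success, 403 with no usable session,
    419 on token mismatch (the status seen in the question).
    """
    session = _sessions.get(cookies.get("session_id", ""))
    if session is None:
        return 403
    submitted = form.get("_token", "")
    expected = session["csrf_token"]
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(submitted, expected):
        return 419
    return 200
```

A request that copies the form fields but arrives without the session cookie that minted the token, or with a different session's cookie, fails the check, which is one way to end up with the 419 in the question.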
The API you’re trying to access, @avolaunch, is documented here: API Reference
No need to hack them.
Thank you everyone for feedback.
I do have an account with them and therefore have my own API credentials to use with the API docs, but when I last tried using the tracking API call, it only allowed me to track parcels from my own account, not general waybills.
But as Murphy’s Law would have it, especially after posting this for all of you to see, I tried the API call again using another random waybill and it worked fine. Really didn’t want to look like I was taking a ‘hack’-like approach, but it seemed strange given that I have access to the credentials - turned out it was just bad testing on my side…
Thanks again for all your input