
Getting 419 error message during a Laravel-built load test

Dear Community,

My main task would be to test the login process in a Laravel-built web app. I am quite new to Laravel, k6, and load testing (as I am not a developer), so I could not figure out why I am getting a 419 error message saying '"status":419,"status_text":"419 unknown status"' while pushing a request through k6. I hope somebody can help me out with this issue.

So my script looks like the following:

The first request:

import { parseHTML } from 'k6/html';
import { sleep, group, check } from 'k6';
import http from 'k6/http';

export const options = {};

export default function main() {
  // Declared at the top of the default function so that both groups share them.
  let response;
  let token;

  group('page_1 - WEBSITELINK', function () {
    response = http.get('WEBSITELINK', {
      headers: {
        host: 'localhost:81',
        'user-agent':
          'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0',
        accept:
          'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'accept-language': 'en-US,en;q=0.5',
        'accept-encoding': 'gzip, deflate, br',
        connection: 'keep-alive',
        // Cookie values copied from a browser session. A hand-written cookie header
        // overrides k6's per-VU cookie jar for this request.
        cookie:
          'XSRF-TOKEN=eyJpdiI6InY5ckZiaGdFTkI4Q0YyRi8rdmtyNUE9PSIsInZhbHVlIjoiT0NjZXlWWVBubTE5Zjh6cXBmNmZFWTdZKzBjVXlEOGhheGR0aVUybURSSGRZbEFmQ0N2RW5BQ3pOYzBQUXgweXhUaGNpRDhrcTV5SHBJUkEvU0FYTmN3eCswYTFsVnhQdk8wL1dkeHMvOTNXRTU4dnk2WjJ0QWFCSWdyQzEwQkwiLCJtYWMiOiIyODI1YmFkMDI1MzlkOGY4ODEyMDg4YWU5M2I5MWE3NmI3Yjg2ODczYTBkMzhhNmZiZTU5ODNlZDBjOGViNWIzIn0%3D; dev_session=eyJpdiI6ImNGalhPQW9GTWlYLzdsaEg1Qk0zdnc9PSIsInZhbHVlIjoiVU5jQ21OZmkyUDVnUmd2WUxUc3Z5dWhRbzBJTm1HWFhmQ1RuNzdFaEpRb1IzdVlIa1VhUkNXYTBlc2IxMHRMajl6UTAzYmFVTHZheEdTV2RrYU84d3pmdEUxYUlkaVFFT3J5YUVWSE1wVklRektqemVmbjhmK3hLWHo2ZmlMYlgiLCJtYWMiOiI3MTQ2ODg0Yjk4YjhhNjg2Yzg1YjllZjdmMWMyNzVkY2ZmNGM1NjAzYWUyN2NlMmE0ZjAwOTAyNWMwNGI2YmM2In0%3D',
        'upgrade-insecure-requests': '1',
        'sec-fetch-dest': 'document',
        'sec-fetch-mode': 'navigate',
        'sec-fetch-site': 'none',
        'sec-fetch-user': '?1',
        'sec-gpc': '1',
      },
    });

    // Query the HTML for an input field named "_token".
    let elem = response.html().find('input[name=_token]');

    // Get the value of the attribute "value" and save it to a variable.
    token = elem.attr('value');

    // Now you can concatenate this extracted value in subsequent requests that require it.
    // console.log() works when executing k6 scripts locally and is handy for debugging purposes.
    console.log('The value of the hidden field is: ' + token);

    check(response, {
      list_OK: (r) => r.status === 200,
    });
  });

  // The second request follows here, still inside main().

The second request:

  group('page_2 - WEBSITELINK/customlogin', function () {
    const url = 'WEBSITELINK/customlogin';

    // Body sent as a JSON string; the follow-up below reports that dropping
    // JSON.stringify and params (posting the plain object) is what made it work.
    const payload = JSON.stringify({
      email: 'user',
      password: '123456789',
      _token: token,
    });

    const params = {
      headers: {
        // Note: two Content-Type values are set here (JSON and form-urlencoded);
        // they conflict, and the body above is JSON.
        'Content-Type': 'application/json',
        host: 'localhost:81',
        'user-agent':
          'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0',
        accept:
          'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
        'accept-language': 'en-US,en;q=0.5',
        'accept-encoding': 'gzip, deflate, br',
        'content-type': 'application/x-www-form-urlencoded',
        origin: 'WEBSITELINK',
        connection: 'keep-alive',
        referer: 'WEBSITELINK',
        // Cookie values copied from a browser session; this header overrides the
        // cookies k6 stored in its per-VU jar from the first request.
        cookie:
          'XSRF-TOKEN=eyJpdiI6ImlnZFZCUGF1b1FYUlJOdTJHNDd2Vnc9PSIsInZhbHVlIjoiTXhhdnZyQzlPamRFQ21rajdQVEZXcThzWittZndqU2d1L0hyN1BmRTA2a2RBbEpYZUhIUlRpWjh1RWJoQ1Y5dWJoTWVnaXEzZ1NVTjBndG1tenUyN2phY1lMdkIxSzBGek5aYndlSmRxaEhVTGY4WkNCcE1UY3N6YmowUnkrTkciLCJtYWMiOiJlNDIxNjhkYTc1NjYxNTVkNWZhOWViZDYwMGU1ODRkNmQ2ZGU0NjgyMjU5NjIxMzQ0MjYyYzRjMmJkYTVmNjUwIn0%3D; dev_session=eyJpdiI6IndxWXpobW9BUm1GSHNVZkorN0N0OGc9PSIsInZhbHVlIjoiSE82by9aRnBXQjFkNG5JMHFkVzUzc3kraUZOYUdIdjNlUGN6a3c2SjBSZy9TaVNxNmRsWnQzMTltMGt0MGQvWUoxQndyQXFvd2theWViNU94Z2FXaXlGTkc4ZVdERGY2KzRpUUZDZDIxNG85UFhhanRiajBCWElmcmthMWE0R3IiLCJtYWMiOiJjMDllMmRmNGJjNDRlMjM2MmZmZTViOWEwZmUzNWQ3MzNjZDI1NWQwYmU3MjE4OTZiMTRhN2U0NWNkMTcxMDAzIn0%3D',
        'upgrade-insecure-requests': '1',
        'sec-fetch-dest': 'document',
        'sec-fetch-mode': 'navigate',
        'sec-fetch-site': 'same-origin',
        'sec-fetch-user': '?1',
        'sec-gpc': '1',
      },
    };

    response = http.post(url, payload, params);
    console.log(response);

    check(response, {
      list_OK: (r) => r.status === 200,
    });
  });
} // end of main()

So the second request fails; something is still not working properly, so I'm working on it. Maybe the method of the push request is not OK somehow (?). Do you have any idea what I should change in the second request?

Thank you for your passionate help!


Response from stackoverflow:

"In this case, you are defining a variable in the first call to group (`const token ...`) and then try to use it in the second call.

This has nothing to do with CSRF or k6, but with javascript ... and arguably scoping in most other languages.

But in order for both functions to see the same variable, you will need to define it earlier - so for example next to your let response at the start of the default function.

Also, remove const from the current definition as otherwise, it won't work ;)"

Essentially the "const payload = JSON.stringify" and "const params" are not necessary for the second request. It works fine without them!
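To make the 419 concrete, here is an added example (not from the original post or from k6/Laravel) that models the token round-trip the script above has to get right: scrape the hidden _token from the login page, post it back form-encoded under the same session, and let a stand-in for Laravel's CSRF check answer 200 or 419. It is plain Node.js rather than a k6 script so it runs without the k6 runtime; the HTML, the session token values and the function names are all constructed for this example.

```javascript
// Constructed stand-in for the login page Laravel renders on the GET
// (the @csrf directive emits the hidden _token input).
const LOGIN_PAGE_HTML = `
<form method="POST" action="/customlogin">
  <input type="hidden" name="_token" value="AbC123sessionTokenXyz">
  <input type="email" name="email">
  <input type="password" name="password">
</form>`;

// Pull the hidden _token out of the page. The k6 script does this with
// response.html().find('input[name=_token]').attr('value'); a regex keeps
// this example free of the k6 runtime (assumes name= precedes value=).
function extractCsrfToken(html) {
  const m = html.match(/<input[^>]*name=["']?_token["']?[^>]*value=["']([^"']+)["']/i);
  return m ? m[1] : null;
}

// Encode a body the way k6 does when http.post() receives a plain object:
// application/x-www-form-urlencoded, which Laravel reads into request input.
function encodeForm(body) {
  return new URLSearchParams(body).toString();
}

// Build the second request. No JSON.stringify and no hand-written Cookie
// header: k6's per-VU cookie jar replays the session and XSRF-TOKEN cookies
// it received on the GET, so the posted _token belongs to the same session.
function buildLoginRequest(baseUrl, token, email, password) {
  return {
    url: `${baseUrl}/customlogin`,
    body: { email, password, _token: token },
    params: { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } },
  };
}

// Minimal model of Laravel's VerifyCsrfToken middleware: the submitted
// _token must match the token stored in the caller's session, else 419.
function verifyCsrf(sessionToken, submittedToken) {
  if (!submittedToken || submittedToken !== sessionToken) {
    return { status: 419, status_text: '419 unknown status' };
  }
  return { status: 200, status_text: 'OK' };
}

// End to end: scrape the token from the page served for this session and
// post it back. A token scraped under a different session gets a 419.
function simulateLogin(sessionToken, html, baseUrl) {
  const req = buildLoginRequest(baseUrl, extractCsrfToken(html), 'user', 'hunter2');
  return verifyCsrf(sessionToken, req.body._token);
}
```

In the real k6 script the equivalent call is `http.post(req.url, req.body, req.params)` with the object body, which k6 form-encodes exactly as `encodeForm` shows.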
