►
Description
On today's stream we took a look through some community messages on the Insomnia Community Slack. Primarily, we looked at https://insomnia.rest/plugins/insomnia-plugin-save-variables and found a way to simulate CSRF token refreshing in such a way that regular request chaining doesn't allow. Cool stuff!
A weekly stream focused on Insomnia's open source community.
Join us on the #stream channel over on the Insomnia community slack: https://chat.insomnia.rest
A
B
B
B
C
B
C
The
first
thing
that
comes
to
my
mind
is
something
I
remember
seeing
like
on
on
a
presentation
a
few
years
ago,
and
I
think
it
was
about
you
know
using
some
sort
of
library
to
generate
frequencies
and
whatnot
and
play
sounds.
I
don't
know
I
think,
or
or
we
could
take,
but
like
the
the
far
route
and
connect
to
some
midi
thingy
over
over
the
api.
Like
I
think
I
have
this.
B
Raspberry
pi,
I
think
you
have
a
genuine
question
now
that
that's
come
from
this.
So
let
me
let's
share
my
screen
here
so
like
here,
so
I
am
on
the
beta.
Aren't
I
I'm
on
the
latest
beta
yeah,
okay.
So
the
question
is,
if
I
play
with
what
would
be
something
that
I
can
go
to
like
youtube,
we
have
stalin
here:
hey
stalin,
how's
it
going.
B
C
B
B
B
There's
gotta
be
some
html5
magic,
whoa,
okay,
we're
in
full
on
streamer
mode,
I'm
just
curious
if
we
could
what
would
be
like
a
like
a
oh
man.
I've
seen
these
before
like
css
piano
somebody
here
is
this
a
thing,
but
it
doesn't
make
sound.
Oh,
let's
try
one
more
okay,
we're
going
to
give
up
on
this
very
soon.
If
anybody,
okay,
let's,
let's
try
last
try.
B
I
just
typed
css
piano,
because
I
know
people
like
do
that
kind
of
thing
they
make
like
a
little
synthesizer,
but
anyone
anyway,
hey
everybody.
Welcome
to
the
insomnia
street,
we're
gonna,
we're
gonna,
make
it
work.
Okay,
we're
gonna!
There
are
people
watching
like
stop.
Trying
to
make
the
sound
board
happen.
The
you
can
see
on
your
screen,
chat.insomnia.rest
you!
You
could
go
to
this
document.
If
you
go
to
our
community
slack
you'll
find
your
way
to
this
document.
B
It's
pinned
to
the
stream
channel
on
the
community
slack
and
on
this
we
talk
about
what
the
priorities
are
for
the
stream
like
what
the
stream
is
for
so
generally
for
live
requests.
That's
always
the!
Even.
If
you
come
in
in
the
middle
of
us
working
on
something
that's
a
high
priority,
then
we
have
things
on
the
github
for
insomnia
that
have
a
stream
label.
So
we'll
look
for
those
items.
We
have
a
community
slack
and
we
have
just
regular
github
issue
triage,
which
we've
done
before
it
was
kind
of
fun.
B
B
B
B
B
D
A
B
A
C
B
B
C
B
C
B
B
C
I
don't
know
how
to
answer
that.
The
the
thing
is,
I'm
part
of
the
generation
that
learned
a
lot
of
english
from
cartoons,
video
games
and
all
that
sort
of
crap.
It
was
only
after.
It
was
only
recently
that
kids
need
to
learn
english
from
the
very
like
first
grade,
or
something
like
that,
because
officially
I
only
started
learning
english
like
from
the
fifth
grade
onwards,
something
like
that.
C
B
B
B
B
B
Please
let
us
know
okey-dokey
one
down
and
I'm
assuming
yeah.
I
think
will's
triaged,
that
one,
so
that's
good.
Okay,
hi
boiling
soup
pie
boiling
soup.
We
can
take
the
chat
thing
off
the
screen
here.
I
guess
so.
They
say
my
server
returns,
a
new
csrf
token,
with
every
request,
and
I
need
to
update
the
request
header
to
always
use
the
latest
token.
Is
there
a
way
to
script
this,
so
it
updates
automatically?
B
C
B
B
B
Well,
but
that's
the
thing
is:
is
that
that's
not
what's
happening,
it's
a
new
token
for
every
individual
request.
Oh
yeah,
so
maybe
request
chaining
actually
won't
work
here,
because
request
chaining
is
all
about
one
request,
feeding
information
into
another
request,
but
this
would
not
work
for
this
use
case,
because
each
request
requires
its
own
new
token.
C
B
A
C
A
B
B
A
C
B
B
B
C
B
Okay,
let's
see
what
these
say:
okay,
so
there's
a
there's,
a
thing
called
a.
I
can
explain
it
a
little
bit.
There's
a
thing
called
a
cross
site
request,
forgery
attack
and
what
that
means.
Is
you
make
a
request
to
a
server
pretending
to
be
someone
that
you're?
Not
I
can
do
my
favorite
thing
to
do
with
insomnia
is
actually
demonstrate.
Cross-Site,
request
forgery,
so
so
here
I'll
do
it
right
now.
So
there's
a
I
don't
know
this
thing
tokens!
B
Okay,
I
don't
know
what
this
is.
It
doesn't
really
matter,
it's
a
request
that
was
made
because
I'm
on
this
webpage,
port
port,
swig
swigger-
I
don't
know
ports,
I
don't
know
so.
Portswigger.Com
makes
a
request
with
my
web
browser.
I
can
copy
as
curl,
for
example,
on
this
request,
which
has
all
these
headers.
So
I
want
to
show
you
before
we
paste
it
into
insomnia.
I
want
to
show
you
what
we're
going
to
paste
we're
going
to
paste
a
thing
that
looks
like
this
okay.
B
This
is
a
this
is
a
curl
request
and
we
could
make
this
curl
request.
I
think.
Well,
ideally,
this
is
from
you
know,
google.
I
could
make
this
chrome
request
here
and
it's
going
to
return
me
some
data,
so
that's
technically
I
mean
you
would
need
to
have
a
server.
That's
sending
this.
I
guess
some
people
would
argue.
This
is
not
cross-site
request.
Forgery!
Yeah
technically,
but
you
know
I'm
a
client,
but
it
doesn't
doesn't
really
make
a
big
difference
in
that
respect.
B
B
Oh,
like
I
don't
want
to
do,
I
want
to
use
all
the
same
information,
but
I
want
to
use
like
csrf
tokens
like
get
token
or
something
like
you
know.
I
don't
know
it's
not
going
to
say
that
client
id
you
know
or
something
you
want
to.
You
want
to
do
something
else.
That's
slightly
different
from
what
the
website
actually
does.
This
is
effectively
you
know
hacking
right.
B
B
B
Since
the
attacker
cannot
determine
or
predict
the
value
of
the
user
csrf
token,
they
cannot
construct
a
request
with
all
the
parameters
that
are
necessary
for
the
application
to
honor
the
request.
So
imagine
that
I'm
doing
this
thing
that
I
was
explaining
before
what
you
would
effectively
want
to
do.
If
you
were
trying
to
attack
someone
is
you
would
send
them
a
request
like
to
their
bank
or
something
that
would
be
the
api
recall
that
is
necessary
for
the
bank
to
like
transfer
money.
Let's
just
say,
like
a
really
easy.
B
B
B
Therefore
it's
possible,
but
it
makes
it
way
harder
like
way
way
way
harder
to
make
a
script
that
you
can
just
inject
on
a
page
to
attack
someone,
because,
ultimately
you
don't
have
the
token
that's
required
and
like
we
just
read,
the
server
will
reject
any
request.
That
is
either
missing
the
token
or
has
an
invalid
token.
B
B
C
B
B
B
B
C
A
B
B
B
B
B
B
C
B
B
D
A
B
B
B
A
B
B
B
B
B
C
B
A
C
B
B
A
A
B
D
B
D
A
D
C
B
B
A
A
C
C
C
B
B
D
B
D
A
D
Function
called
variable
to
read
the
variable
variable.
Okay,
and
here
you
will
have
to
give
that
name.
So
it's
it's
an
object
so
because
we
are
putting
everything,
it's
full
object.
It's
not
json-based!
It's
an
object
right!
So
that's
why
now,
if
we
pass
yeah,
if
you
put
in
that,
okay
done,
send
it
once
more.
B
B
B
D
D
B
A
D
C
A
B
B
I
don't
can
we
say
csrf
token.
Is
that
a
okay?
What
is
the
value
of
that
csrf
token?
Header?
Xcsrf
token?
Oh,
that's
also
laravel,
but
I
don't
care
about
laravel.
Okay,
it
looks
like
xcsrf
token
is,
is
something
that
somebody
uses.
So
let's
just
go
with
it.
So
then
we
want
to
do
here
we'll
do
like
uuid
v4
okay,
so
we
have
a
uuid
being
generated
every
time,
then
we're
going
to
come
come
in
here.
B
B
That's
pretty
cool
someone
clipped
this
video
yeah.
That
makes
sense.
Why
that's
happening!
So
that's
how
you
can
update
a
csf
csrf
token.
So
in
the
real
world
use
case
this,
this
would
not
be
present
because
it
would
be
sent
by
the
server,
and
you
would
actually
use
this
header
thing
here,
because
you're
grabbing
a
raw
value
of
a
header
value
of
a
response
header
we
just
happen
to
be
working
with
mockbin
and
it
doesn't
have-
doesn't
seem
to
have
a
way
to
spit
back
response
headers
to
echo
back
response.
B
B
What
does
that
stop?
Okay,
so
we
would
do
it
like
that
and
then
yeah
we
would
get.
We
would
get
the
value
out.
So
we
see
here
that
we
sent
my
thing
and
it
has
the
previous
value
so
one
last
time
it
starts
with
nine
f9.
The
previous
token
starts
with
knight
f9.
Here
we
go
the
new
one
that
we
sent
starts
with
nine
f9,
so
pretty
cool
and
it's
valid
json
okey,
dokey,
wow
computers,
work.
C
We
can
take
a
short
detour
here
and
I
can
try
to
spread
the
gospel
of
being
able
to
programmatically
set
environment
variables
and
how
that
is
a
killer
feature,
because
here
here's
the
thing.
Let
me
share
my
I
think
I
have
I
I
don't
wanna,
I'm
remembering
joe
in
the
last
stream
saying
I'm
not
sure
if
I'm
authorized,
because
I'm
gonna
be
using
the
competition,
but
here's
the
thing
that
I
like
about
how
they
have
this
setup.
Give
me
just
a
second,
because
I
have
a
ton
of
windows
open.
D
B
B
D
A
B
A
B
Yeah
the
I
visited
some
friends
in
los
angeles
two
years
ago,
and
I
said
wow
that
was
so
nice
today
and
they're
like
it's
exactly
like
this.
Every
single
day,
every
day
of
the
year,
yeah
every
day
is
a
perfect
day.
I
guess
that
would
get
tiring
after
a
while
speaking
of
getting
firing
felipe.
What's
going
on,
you
gotta,
you
got
your
demo
going
or
what.
B
B
B
B
B
Yeah,
let's,
let's,
let's
just
leave
it
at
that
at
least
we
at
least
we
got
through
a
couple
and
we
learned
some
cool
stuff
and
that
example,
I
think,
is
pretty
valuable
that
we
showed
with
how
you
can
use
a
request
to
save
values
on
subsequent
requests
without
request
chaining
using
the
save
variable
plugin,
it's
pretty
neat
stuff,
and
there
you
go.
We
hear
you
hello,.
C
I
I
think
it
can
be
quick.
I
think
I
can.
I
can
show
what
I
want
to
the
idea
that
I
want
to
pass
that
I
think
it's
an
improvement
that
we
could
try
and
add
to
to
insomnia.
Hopefully
you
can
still
hear
me.
Let
me
know
yep,
okay,
here's
the
thing,
though,
all
that
dancing
around
that
we
were
doing
in
the
plug-in.
Can.
C
B
B
C
Holy
crap
anyway,
it's
been
a
while,
but
here's
the
thing
that
I
like
okay,
so
all
that
dancing
around
that
we
were
doing
in
theory
in
postman.
It
would
take
a
lot
very
little
step.
So,
for
instance,
you
could
in
and
like
they
have
this
concept
that
they
have
pre-requests
and
tests
and
whatnot
so
code
that
you
can
run
before
you
run
a
request
and
code
that
you
can
run
after
you
run
a
request
and
whatnot
you
don't
even
have
to
add.
You
know
tests
in
here
per
se,
but
here's
the
thing
here
programmatically.
B
C
You
can
you
can
you
can
also
do
that.
So,
for
instance,
that
that
would
mean
that
here
I
I
can
have
some
some
sort
of
logic
that
either
fetch
the
the
environment
variable
or
I,
in
this
case
I'm
setting
like
a
random
uid
and
whatnot.
But
that's
that's
the
thing
where
I
think
we
can,
where
I
think
we
can
improve,
because
they
don't
force
you
to
install,
even
though
you
know
the
their
ui.
As
of
now,
it's
even
more
cumbersome.
It
was
really
hard
for
me
to
find
out
things.
C
This
is
the
part
where
I'm
I'm
on
post,
but
but
but
you
know
notice
that
that
difference,
because
just
the
fact
that
you
can,
you
know
attach
to
the
logic
of
your
request.
You
can
start
thinking
about
there's
things
that
I
want
to
do
with
this
request.
Before
the
request
happens
and
also
after
request
happens,
it
gives
you
like
a
whole
set
of
new
things
that
you
can
do
which
in
insomnia,
in
this
case,
we
had
to
use
the
plugin
too.
So.
C
C
We,
we
set
the
function
somewhere
as
text,
we
converted
javascript
to
text
and
we
saved
it
an
environment,
valuable
variable,
and
then
we
evaled
that
environment
variable
on
the
pre-request
in
order
to
have
x
or
on
the
test
in
order
to
have
access
to
that
function,
because
that's
also
one
thing
that
postman
does
really
bad
and
in
some
it
does
have
does
also
really
bad.
That
is
they
don't
allow
you,
as
a
user,
you
know
to
define
your
own
functions.
B
B
It's
not
our
it's,
not
our
culture,
and
you
know
we
just
want
to
make
great
products
and
if
other
people
make
great
products
too,
that's
pretty
good
news,
because
then
it
means
that
we
can
all
kind
of
learn
from
each
other
and
move
faster,
we're
a
completely
open
source
project.
We
have
nothing
to
hide
and,
as
you
see
here
on
the
stream
we're
doing
these
things
in
the
open,
so
you
know
we
try
to
try
to
try
to
live
that
way
in
the
ways
that
we
make
our
products.
B
B
You
don't
see
us
on
stream
next
week.
You'll
know
why?
Okay,
just
joking!
Well,
thanks
for
coming
everyone,
it's
been
nice
to
hang
out
and
stalin
thanks
for
helping.
How
do
can
you
tell
me
your
name,
because
I
just
realized
I've
been
saying:
there's
like
a
bee,
that
I've
been
inserting
into
your
name,
yeah.