Rails CSRF 保护 + Angular.js:protect_from_forgery 让我在 POST 上注销

本文介绍了Rails CSRF 保护 + Angular.js:protect_from_forgery 让我在 POST 上注销的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

如果在 application_controller 中提到了 protect_from_forgery 选项，那么我可以登录并执行任何 GET 请求，但是在第一个 POST 请求时，Rails 会重置会话，从而将我注销.

If the protect_from_forgery option is mentioned in application_controller, then I can log in and perform any GET requests, but on very first POST request Rails resets the session, which logs me out.

我暂时关闭了 protect_from_forgery 选项，但想在 Angular.js 中使用它.有没有办法做到这一点?

I turned the protect_from_forgery option off temporarily, but would like to use it with Angular.js. Is there some way to do that?

推荐答案

我认为从 DOM 读取 CSRF-value 不是一个好的解决方案，它只是一种解决方法.

I think reading CSRF-value from DOM is not a good solution, it's just a workaround.

这里是angularJS官网的文档形式http://docs.angularjs.org/api/ng.$http :

Here is a document form angularJS official website http://docs.angularjs.org/api/ng.$http :

由于只有在您的域上运行的 JavaScript 才能读取 cookie，因此您的服务器可以确信 XHR 来自在您的域上运行的 JavaScript.

要利用这一点(CSRF 保护)，您的服务器需要在 JavaScript 可读会话中设置令牌第一个 HTTP GET 请求中名为 XSRF-TOKEN 的 cookie.在随后的非 GET 请求服务器可以验证 cookie 是否匹配X-XSRF-TOKEN HTTP 标头

To take advantage of this (CSRF Protection), your server needs to set a token in a JavaScript readable sessioncookie called XSRF-TOKEN on first HTTP GET request. On subsequentnon-GET requests the server can verify that the cookie matchesX-XSRF-TOKEN HTTP header

这是我基于这些说明的解决方案:

Here is my solution based on those instructions:

首先设置cookie:

First, set the cookie:

# app/controllers/application_controller.rb

# Turn on request forgery protection
protect_from_forgery

after_action :set_csrf_cookie

def set_csrf_cookie
  cookies['XSRF-TOKEN'] = form_authenticity_token if protect_against_forgery?
end

然后，我们应该在每个非 GET 请求上验证令牌.
由于 Rails 已经使用类似的方法构建，我们可以简单地覆盖它以附加我们的逻辑:

Then, we should verify the token on every non-GET request.
Since Rails has already built with the similar method, we can just simply override it to append our logic:

# app/controllers/application_controller.rb

protected
  
  # In Rails 4.2 and above
  def verified_request?
    super || valid_authenticity_token?(session, request.headers['X-XSRF-TOKEN'])
  end

  # In Rails 4.1 and below
  def verified_request?
    super || form_authenticity_token == request.headers['X-XSRF-TOKEN']
  end

这篇关于Rails CSRF 保护 + Angular.js:protect_from_forgery 让我在 POST 上注销的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！