缺少Cookie时.NET Core返回500而不是401 [英] .NET core returning 500 instead of 401 when missing cookie
问题描述
我有一个使用Cookie身份验证的.NET核心API.具有自己的登录路线的PWA/SPA可以访问它.
I have a .NET core API that uses cookie authentication. It is accessed by a PWA/SPA that has its own login route.
在Startup.cs
中:
public void ConfigureServices(IServiceCollection services)
{
...
services.AddIdentity<MyUser, MyRole>(options =>
{
...
// Use cookie authentication
var expiresIn = new TimeSpan(1, 0, 0); // 1 hour timeout
var c = options.Cookies.ApplicationCookie;
c.AuthenticationScheme = "appSchemeName";
c.CookieName = "appCookieName";
c.AutomaticAuthenticate = true;
// If this is true auth failures become redirects
c.AutomaticChallenge = false;
c.SlidingExpiration = true;
c.ExpireTimeSpan = expiresIn;
// Store sessions in the cache with the same TTL as the cookie
c.SessionStore = new MyRedisSessionStore(expiresIn);
});
...
}
public void Configure(...)
{
...
app.UseIdentity();
...
app.UseMvc();
}
在我的客户端JS中,当身份验证cookie无效或丢失时,我希望输入401,并在这种情况下显示登录表单.
In my client side JS I expect a 401 when the authentication cookie is invalid or missing, and display a login form when this is the case.
但是,当没有有效cookie的用户访问标有[Authorize]
的控制器时,他们将收到500状态错误:
However, when a user without a valid cookie visits a controller flagged with [Authorize]
they get a 500 status error:
InvalidOperationException:未配置身份验证处理程序来处理方案:自动
InvalidOperationException: No authentication handler is configured to handle the scheme: Automatic
如果我更改c.AutomaticChallenge = true;
,则将收到302重定向到{site}/Account/Login?ReturnUrl={api resource it was trying to load}
.这很奇怪,因为这不是有效的路线,而且我没有设置它.
If I change c.AutomaticChallenge = true;
then I get a 302 redirecting to {site}/Account/Login?ReturnUrl={api resource it was trying to load}
. That's weird because that's not a valid route and I didn't set it.
如何解决此问题,以便未经身份验证的用户在服务器上收到401而不是500的异常.
How do I fix this so that unauthenticated users get a 401 instead of a 500 exception on the server.
我意识到我可以重写它并使用自定义响应编写我自己的身份验证,但是必须有一种方法使内置的[Authorize]
返回正确的HTTP状态代码.
I realise that I can override this and write my own authentication with custom responses, but there must be a way to make the built-in [Authorize]
return the correct HTTP status code.
推荐答案
当我使用Postman测试端点时遇到了这个确切的问题.
I ran into this exact issue when I was using Postman to test my endpoints.
如果您查看OnRedirectToLogin事件的nofollow noreferrer>源代码,您可以看到它正在检查该请求是否为AJAX请求.为了使IsAjaxRequest
返回true
,X-Requested-With
标头必须具有XMLHttpRequest
作为其值.
If you look at the source code for the OnRedirectToLogin
event, you can see that it is checking if the request is an AJAX request. For IsAjaxRequest
to return true
, the X-Requested-With
header needs to have XMLHttpRequest
as it's value.
如果您恰好要用Postman进行测试,则必须手动将X-Requested-With和正确的值一起应用:
If you happen to be testing this out with Postman, you'll have to manually apply the X-Requested-With along with the correct value:
最后,如果没有其他需要设置的特殊配置,这就是CookieAuthenticationOptions
的外观:
Finally, this is what your CookieAuthenticationOptions
should look like if you have no other special configurations that need to be set:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true
});
这篇关于缺少Cookie时.NET Core返回500而不是401的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!