CORS AngularJS不发送的Cookie /凭证与POST或DELETE，但得到确定 [英] CORS AngularJS Not Sending Cookie/Credentials with POST or DELETE but GET OK

问题描述

我有一个防爆pressJS API服务器和防爆pressJS瓦特/本地开发运行AngularJS应用程序。

I have an ExpressJS API server and an ExpressJS w/ AngularJS app running in local dev.

该CORS GET请求做工精细，但POST和DELETE不发送任何cookie（凭证）。

The CORS GET requests work fine but the POST and DELETE are not sending any cookies (credentials).

我已经试过各种配置选项，但从来没有应用程序发送凭据一个POST或DELETE。

I've tried all sorts of config options but never does the app send credentials for a POST or DELETE.

我希望有人熟悉这一点，可能会看到我要去哪里错了。

I hope someone is familiar with this and might see where I'm going wrong.

我已经设置了两个地域在/ etc / hosts中：

I've set up two local domains in /etc/hosts:

127.0.0.1 rsm.local
127.0.0.1 api.rsm.local

所以 HTTP：//rsm.local 发送API请求 HTTP：//api.rsm.local

AngularJS使用Restangular。

AngularJS is using Restangular.

会话存储在MongoDB中使用 .rsm.local 域所以两个服务器都可以读取cookie。

Sessions are stored in MongoDB with .rsm.local for the domain so both servers can read the cookie.

客户端应用程序和API服务器使用相同的cookie密钥和密码。

Both client app and api server use the same cookie key and secret.

app.use(express.session({
key: config.cookie_key,
secret: config.cookie_secret,
cookie: {
    domain:'.rsm.local',
    expires: config.cookie_expire
},
store: new mongoStore({
    url: config.database,
    collection: 'sessions',
    auto_reconnect: true
})
}));

这似乎做工精细会话状态是共享的两个应用程序之间确定。

This seems to work fine the session state is shared OK between the two applications.

该API服务器所用标准，我认为是正确的CORS标头：

The API server is setup with standard and what I think is correct CORS headers:

app.all('/api/*', function(req, res, next) {
res.setHeader('Access-Control-Allow-Origin', 'http://rsm.local:3000');
res.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE,OPTIONS');
res.setHeader("Access-Control-Allow-Headers", "Accept, Cache-Control, Pragma, Origin, Authorization, Content-Type, X-Requested-With");
res.setHeader('Access-Control-Allow-Credentials', true);
next();
});

客户端应用程序AngularJS已Restanguarl配置正确发送凭据，我相信：

The client app AngularJS has Restanguarl configured to send credentials correctly I believe:

angular.module('rsm').config(function (RestangularProvider) {

RestangularProvider.setBaseUrl('http://api.rsm.local:3001/api/v1');

RestangularProvider.setDefaultHttpFields({
withCredentials: true,
useXDomain : true
});

});

所以，一切工作正常GET请求（如列出所有与列表中的一个）：

So everything works fine with GET requests (eg list all and list one):

继承人的GET请求（无pre-飞行的要求），我们可以看到饼干样本被送到交叉域和响应工作作为CORS都排队正确的：

Heres a sample of a GET request (no pre-flight request), we can see the cookie is sent cross domain and the response works as the CORS all line up correct:

Request URL:http://api.rsm.local:3001/api/v1/articles
Request Method:GET
Status Code:200 OK

Request Headers
GET /api/v1/articles HTTP/1.1
Host: api.rsm.local:3001
Connection: keep-alive
Accept: application/json, text/plain, */*
Origin: http://rsm.local:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.63 Safari/537.36
Referer: http://rsm.local:3000/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: rsm.sid=s%3A84buSYdgwFPljnBdSdXZhGpe.z86NeNf%2F%2FT9Rn2t9MAaf3%2B4YAnXGsvSbb3nAh0spqZw; XSRF-TOKEN=JtmKfwWOhxxHxtyYR%2B2HdPSfW8e8T7ofUeROE%3D

Response Headers
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Accept, Cache-Control, Pragma, Origin, Authorization, Content-Type, X-Requested-With
Access-Control-Allow-Methods:GET,POST,PUT,DELETE,OPTIONS
Access-Control-Allow-Origin:http://rsm.local:3000
Connection:keep-alive
Content-Length:914
Content-Type:application/json; charset=utf-8
Date:Fri, 06 Dec 2013 15:04:53 GMT

但是做一个职位时，或使用相同的配置绝不是Cookie发送DELETE。

However when doing a POST or DELETE using the same configuration never is the cookie sent.

下面是一个pre-航班选择请求的例子（这是不应该发送任何凭据）

Here's an example of a pre-flight options request (which is not supposed to send any credentials)

Request URL:http://api.rsm.local:3001/api/v1/articles
Request Method:OPTIONS
Status Code:200 OK

Request Headers
Accept:*/*
Accept-Encoding:gzip,deflate,sdch
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:accept, content-type
Access-Control-Request-Method:POST
Connection:keep-alive
Host:api.rsm.local:3001
Origin:http://rsm.local:3000
Referer:http://rsm.local:3000/
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)    Chrome/31.0.1650.63 Safari/537.36

Response Headers
Access-Control-Allow-Credentials:true
Access-Control-Allow-Headers:Accept, Cache-Control, Pragma, Origin, Authorization, Content-Type, X-Requested-With
Access-Control-Allow-Methods:GET,POST,PUT,DELETE,OPTIONS
Access-Control-Allow-Origin:http://rsm.local:3000
Allow:GET,POST,PUT,HEAD,DELETE,TRACE,COPY,LOCK,MKCOL,MOVE,PROPFIND,PROPPATCH,UNLOCK,REPORT,MKACTIVITY,CHECKOUT,MERGE,M-SEARCH,NOTIFY,SUBSCRIBE,UNSUBSCRIBE,PATCH
Connection:keep-alive
Content-Length:154
Content-Type:text/html; charset=utf-8
Date:Fri, 06 Dec 2013 15:04:23 GMT

所以这个选项请求似乎在说是接受POST和起源网址都符合了

So this options request seems to say "Yes accept POST and the Origin URLS match up"

但subsequest POST请求缺乏的Cookie

But the subsequest POST request lacks the Cookie

Request URL:http://api.rsm.local:3001/api/v1/articles

Request Headers
POST http://api.rsm.local:3001/api/v1/articles HTTP/1.1
Accept: application/json, text/plain, */*
Referer: http://rsm.local:3000/
Origin: http://rsm.local:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)    Chrome/31.0.1650.63 Safari/537.36
Content-Type: application/json;charset=UTF-8
Request Payload
...
...
...

在这里和在网络上其他地方有很多线程都似乎使用与POST发送我的配置，但仍然没有凭据提示/ DELETE。

There are many threads here and elsewhere on the web that all seem to suggest using the configurations I have but still no credentials sent with the POST/DELETE.

我是pretty现在很多坚持，希望另一套的眼睛可以看到的东西吗？

I'm pretty much stuck now, hoping another set of eyes can see something?

为什么会得到是确定和POST不是？

Why would GET be OK and POST not?

我使用Chrome和FireFox Ubuntu的工作站上 - 无论不送凭据

I'm on a Ubuntu workstation using Chrome and FireFox - both don't send credentials.

感谢。

推荐答案

我发现我的工作确定一个解决方案。

I found a solution that works OK for me.

我用防爆pressJS CSRF（），passortjs和CORS头的组合。

I'm using a combo of ExpressJS csrf(), passortjs and CORS headers.

的CSRF（）是失败这borked一切，导致没有显示在控制台凭证头的浏览器。

The csrf() was failing which borked everything else and resulted in the browser showing headers without credentials in the console.

解决方案是在连接的设置defaultValue功能添加更多的请求类型查找。

The solution was to add one more request type lookup in connect's defaultValue function.

我创建了一个新的，使用这样的：

I've created a new one and use it like this:

function csrfValue(req) {
        return (req.body && req.body._csrf)
            || (req.query && req.query._csrf)
            || (req.headers['x-csrf-token'])
            || (req.headers['x-xsrf-token'])
            || (req.cookies['XSRF-TOKEN']);
    }

app.use(express.csrf({value: csrfValue}));

这使得一切工作正常。

我还发现，使用Restangular我能设置自定义页眉的X XSRF令牌，但只有Chrome的设置此 - 火狐不会

I also found that using Restangular I was able to set a custom header for x-xsrf-token but only Chrome would set this - FireFox would not.

所以，我看中的csrfValue（）解决方案。

So I settle on the csrfValue() solution.

干杯。

这篇关于CORS AngularJS不发送的Cookie /凭证与POST或DELETE，但得到确定的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！