烧瓶安全令牌CSRF [英] Flask-Security CSRF token
问题描述
我有一个烧瓶应用程序,作为REST API后端。我想,以实现对后端但为了做到这一点,我需要检索用户令牌令牌基础的认证。烧瓶安全文档明确指出,要检索一个需要与认证细节JSON数据来验证端点上执行一个HTTP POST令牌。不幸的是,我不知道如何检索执行这样的请求所需的CSRF令牌。
I have a flask app that serves as REST API backend. I would like to implement token based authentication for the backend but in order to do that I need to retrieve the user token. Flask-Security documentation clearly says that to retrieve the token one needs to perform an HTTP POST with the authentication details as JSON data to the authentication endpoint. Unfortunately I don't understand how to retrieve the CSRF token needed to perform such request.
如果我使用提供了扩展CSRF令牌传递到客户端的隐藏字段的形式登录页/模板。现在的问题是:
If I use the login page/template provided with the extension the CSRF token is passed to the client in the hidden field in the form. The question is:
如何检索CSRF令牌无需访问和使用$ HTTP方法或移动应用从angularJS应用解析登录页面,例如像?
how do I retrieve the CSRF token without accessing and parsing the login page, like for example from an angularJS app using $http methods or a mobile app?
很显然,我会尽量避免使用瓶-Security和实施自己的作品,但我与web应用相对缺乏经验,我觉得我可能会接近这个错误的方式。
Obviously I could avoid using Flask-Security and implement the pieces myself but I'm relatively inexperienced with webapps and I feel I might be approaching this the wrong way.
推荐答案
我也有类似的用例,最终按照从烧瓶WTF文件这个例子解决它:的 https://flask-wtf.readthedocs.org/en/latest/csrf.html#ajax
I had a similar use case and ended solving it by following this example from the Flask-WTF docs: https://flask-wtf.readthedocs.org/en/latest/csrf.html#ajax
因此,通过CSRF通过保护应用CsrfProtect(APP)中,csrf_token()成为所有模板可用。然后你就可以轻松地使其可以通过脚本标记:
So by CSRF Protecting the app via CsrfProtect(app), the csrf_token() becomes available in all templates. Then you can easily make it available via a script tag:
<script type="text/javascript">
var csrftoken = "{{ csrf_token() }}"
</script>
现在令牌添加到您的文章数据的烧瓶安全/登录端点。
Now add the token to your post data for the Flask-Security /login endpoint.
这篇关于烧瓶安全令牌CSRF的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
