Rails:如何在Rails API模式下实现protect_from_forgery [英] Rails: How to implement protect_from_forgery in Rails API mode
问题描述
我有一个Rails 5 API应用程序( ApplicationController< ActionController :: API
).需要为此API的一个端点添加一个简单的GUI表单.
I have a Rails 5 API app (ApplicationController < ActionController::API
). The need came up to add a simple GUI form for one endpoint of this API.
最初,当我尝试呈现表单时,我得到的是 ActionView :: Template :: Error未定义的方法protect_against_forgery?
.我向该端点添加了 include ActionController :: RequestForgeryProtection
和 protect_from_forgery with:exception
.哪个按预期解决了这个问题.
Initially, I was getting ActionView::Template::Error undefined method protect_against_forgery?
when I tried to render the form. I added include ActionController::RequestForgeryProtection
and protect_from_forgery with:exception
to that endpoint. Which solved that issue as expected.
但是,当我尝试提交此表单时,我得到: 422
不可处理的实体
ActionController :: InvalidAuthenticityToken
.我添加了<%= csrf_meta_tags%>
,并验证了其中存在 meta:csrf-param
和 meta:csrf-token
我的标题,而 authenticity_token
出现在我的表单中.(令牌本身互不相同.)
However, when I try to submit this form I get: 422
Unprocessable Entity
ActionController::InvalidAuthenticityToken
. I've added <%= csrf_meta_tags %>
and verified that meta: csrf-param
and meta: csrf-token
are present in my headers, and that authenticity_token
is present in my form. (The tokens themselves are different from each other.)
我已经尝试过, protect_from_forgery前置:true,with:exception
,没有效果.我可以修复"通过注释掉此问题: protect_from_forgery with:exception
.但是我的理解是,这将关闭我表格上的CSRF保护.(我想要CSRF保护.)
I've tried, protect_from_forgery prepend: true, with:exception
, no effect. I can "fix" this issue by commenting out: protect_from_forgery with:exception
. But my understanding is that that is turning off CSRF protection on my form. (I want CSRF protection.)
我想念什么?
更新:
为清楚起见,此应用程序的99%是纯JSON RESTful API.需要向此应用程序添加一个HTML视图和表单.因此,对于一个控制器,我想启用完整的CSRF保护.该应用程序的其余部分不需要CSRF,并且可以保持不变.
To try to make this clear, 99% of this app is a pure JSON RESTful API. The need came up to add one HTML view and form to this app. So for one Controller I want to enable full CSRF protection. The rest of the app doesn't need CSRF and can remain unchanged.
更新2:
我只是将该应用程序的HTML表单和Header的页面源与我编写的另一个常规的Rails 5应用程序进行了比较.标头中的 authenticity_token
和表单中的 authenticity_token
相同.在我遇到问题的API应用中,它们不同.也许那是什么?
I just compared the page source of this app's HTML form and Header with another conventional Rails 5 app I wrote. The authenticity_token
in the Header and the authenticity_token
in the form are the same. In the API app I'm having the problem with, they're different. Maybe that's something?
更新3:
好吧,我不认为不匹配是问题所在.但是,在正常工作和不正常工作的应用程序之间的进一步比较中,我注意到Network>中没有任何内容.饼干.我在正常运行的应用程序的Cookie中看到很多类似 _my_app-session
的东西.
Ok, I don't the the mismatch is the issue. However, in further comparisons between the working and non-working apps I noticed that there's nothing in Network > Cookies. I see a bunch of things like _my_app-session
in the cookies of the working app.
推荐答案
问题出在这里:Rails 5,在API模式下,逻辑上不包括Cookie中间件.没有它,Cookie中没有存储会话 key
,当我验证通过表单传递的令牌时将不使用该会话.
Here's what the issue was: Rails 5, when in API mode, logically doesn't include the Cookie middleware. Without it, there's no Session key
stored in a Cookie to be used when validating the token I passed with my form.
有些令人困惑的是,更改 config/initializers/session_store.rb
中的内容无效.
Somewhat confusingly, changing things in config/initializers/session_store.rb
had no effect.
我最终在这里找到了解决该问题的方法:添加cookie会话存储返回到Rails API应用,这使我在这里: https://github.com/rails/rails/pull/28009/files 确切地提到了我需要添加到application.rb以恢复工作的Cookie的行:
I eventually found the answer to that problem here: Adding cookie session store back to Rails API app, which led me here: https://github.com/rails/rails/pull/28009/files which mentioned exactly the lines I needed to add to application.rb to get working Cookies back:
config.session_store :cookie_store, key: "_YOUR_APP_session_#{Rails.env}"
config.middleware.use ActionDispatch::Cookies # Required for all session management
config.middleware.use ActionDispatch::Session::CookieStore, config.session_options
这三行加上:
class FooController < ApplicationController
include ActionController::RequestForgeryProtection
protect_from_forgery with: :exception, unless: -> { request.format.json? }
...
当然还有通过适当的助手生成的表格:
And of course a form generated through the proper helpers:
form_tag(FOO_CREATE_path, method: :post)
...
在我的Rails API应用中间找到一个受CSRF保护的表单.
Got me a CSRF protected form in the middle of my Rails API app.
这篇关于Rails:如何在Rails API模式下实现protect_from_forgery的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!