CakePHP 3 API 的 POST 请求不起作用 [英] POST Requests for CakePHP 3 API are not working

问题描述

我正在使用 CakePHP 3.x 文档开发 API.为了开发这个 API，我使用了他们的官方文档:https://book.cakephp.org/3.0/en/development/rest.html

I am developing an API using CakePHP 3.x documentation. To develop this API I am using their official documentation: https://book.cakephp.org/3.0/en/development/rest.html

当我尝试在 url 上使用 GET 请求访问我的 api 时 http://localhost/healthcare_portal/eapi/applicants/index.json，我得到了预期的 json 结果

When I try to access my api using GET request on url http://localhost/healthcare_portal/eapi/applicants/index.json, I get follow expected json result

{
    "applicants": [
        {
            "applicant_id": 1,
            "name": "Manender"
        },
        {
            "applicant_id": 2,
            "name": "mayank"
        }
    ]
}

但是当我在相同的 url 上使用 POST 请求访问我的 api http://localhost/healthcare_portal/eapi/applicants/index.json，我收到 CSRF 不匹配令牌错误.在这种情况下，来自 API 的响应是

But when I access my api using POST request on same url http://localhost/healthcare_portal/eapi/applicants/index.json, I get CSRF Mismatch Token Error. Response from API in this case is

{
    "message": "Missing CSRF token cookie",
    "url": "/applicants/index.json",
    "code": 403,
    "file": "/opt/lampp/htdocs/healthcare_portal/eapi/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php",
    "line": 191
}

我尝试了其他替代方法来添加

I have tried other alternatives as adding

 $input = (array) $this->request->input('json_decode', true);

在我的控制器的操作中，但这是我在发布请求时遇到相同的错误.如果有人遇到同样的问题，请帮助我取得突破.

in my controller's action but this is I get same error on post request. If anyone faced same issue, please help me in getting a breakthrough.

推荐答案

如3.6 版本 post request 中的 CSRF 令牌不匹配，默认应用模板最近默认启用了 CSRF 保护中间件，需要 CSRF 令牌和 cookie与非GET 请求一起发送.

您的 API 很可能需要某种形式的身份验证，以防身份验证不依赖于 cookie，或 (HTTP) 基本身份验证，或浏览器/客户端将自动发送/执行 HTTP 请求的任何其他形式的身份验证，那么你不需要 CSRF 保护，因为 CSRF 是不可能的.

You API should most likely require some form of authentication, and in case that authentication does not rely on cookies, or (HTTP) Basic authentication, or any other form of authentication which browsers/clients will automatically send/perform with HTTP requests, then you don't need CSRF protection, as CSRF would not be possible.

如果您的 API 确实不需要 CSRF 保护，那么您可以禁用它，例如通过使用自定义中间件处理程序来检查请求 URL 或路由并有条件地应用 CSRF 中间件，或者通过将中间件应用于路由范围，以便您可以排除 API 范围，请参阅 Cakephp 3.5.6 禁用控制器的 CSRF 中间件.

If you really don't need CSRF protection for your API, then you can disable it, for example by using a custom middleware handler that checks the request URL or route and applies the CSRF middleware conditionally, or by applying the middleware on routing scopes, so that you can exclude your API scope, see Cakephp 3.5.6 disable CSRF Middleware for controller.

如果您的 API 使用的身份验证形式容易出现 CSRF，那么您应该想办法提供 cookie(中间件将在 GET 上自动设置 cookiecode> 请求)和 CSRF 令牌(它们在请求对象上可用，例如 $request->getParam('_csrfToken'))到您的客户端，以便他们可以将它们与请求一起发送.

If your API uses a form of authentication that is prone to CSRF, then you should figure out a way to serve the cookies (the middleware will automatically set the cookie on GET requests) and CSRF tokens (they are available on the request object like $request->getParam('_csrfToken')) to your clients, so that they can send them alongside their requests.

• Cookbook > Middleware > Cross Site Request Forgery (CSRF) Middleware
• https://security.stackexchange.com/questions/166724/should-i-use-csrf-protection-on-rest-api-endpoints

这篇关于CakePHP 3 API 的 POST 请求不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！