Django CSRF for an API that works with iOS apps

Problem description

I am building an iOS app that communicates with the server to get the data.

If it's just a normal app, I can send the CSRF token via forms (since everything is from the same domain). But for iOS apps, I don't think I can set the CSRF token.

So, when making requests from the iOS app to the server, I am getting an error regarding CSRF. What's the solution for this? Disabling this CSRF feature, or some other better way? This is my first iOS app, so please tell me a better way and I will follow that.

Recommended answer

For those URLs ("API endpoints") that your iOS app is accessing, you will need to specify @csrf_exempt on the corresponding view functions to disable CSRF protection.

More details here: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#django.views.decorators.csrf.csrf_exempt

And protect those URLs via other authentication methods, such as session authentication.

For your authentication purposes, you can easily take reference from what django rest framework and django tastypie have done. Both use SessionAuthentication classes to handle authentication and protect the exposed URLs (API endpoints) that your iOS app can connect to.

References:

  • http://django-rest-framework.org/api-guide/authentication.html
  • https://django-tastypie.readthedocs.org/en/latest/authentication_authorization.html

Django tastypie also has an authorization class, which is not to be confused with authentication. It also has an APIKey authorization class, which becomes useful when you do want to expose your django URLs to other 3rd-party developers who may want to build an app of their own to talk to your django URLs to access data (think "facebook APIs"). Each 3rd-party developer can in essence be provided a unique API key, and because you have the APIKeyAuthorization class and a unique API key provided to each 3rd-party app, you can be sure that only "authorized" apps can consume your django URLs. This is the essence of how various big platforms like "Google+" or "Facebook" etc. work.

Details on how Django's CSRF protection works:

https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-it-works

The CSRF protection is based on the following things:

A CSRF cookie that is set to a random value (a session independent nonce, as it is called), which other sites will not have access to.

This cookie is set by CsrfViewMiddleware. It is meant to be permanent, but since there is no way to set a cookie that never expires, it is sent with every response that has called django.middleware.csrf.get_token() (the function used internally to retrieve the CSRF token).

A hidden form field with the name ‘csrfmiddlewaretoken’ present in all outgoing POST forms. The value of this field is the value of the CSRF cookie.

This part is done by the template tag.

For all incoming requests that are not using HTTP GET, HEAD, OPTIONS or TRACE, a CSRF cookie must be present, and the ‘csrfmiddlewaretoken’ field must be present and correct. If it isn’t, the user will get a 403 error.

This check is done by CsrfViewMiddleware.

In addition, for HTTPS requests, strict referer checking is done by CsrfViewMiddleware. This is necessary to address a Man-In-The-Middle attack that is possible under HTTPS when using a session independent nonce, due to the fact that HTTP ‘Set-Cookie’ headers are (unfortunately) accepted by clients that are talking to a site under HTTPS. (Referer checking is not done for HTTP requests because the presence of the Referer header is not reliable enough under HTTP.)

This ensures that only forms that have originated from your Web site can be used to POST data back.
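As an added illustration (not code from the original answer or from Django itself), here is a simplified Python model of the checks the quoted passage describes, using a constructed Request class in place of Django's HttpRequest. It also shows that Django accepts the token in an X-CSRFToken header, which lets a native client keep the protection instead of marking the view @csrf_exempt; the 403 reason strings are constructed, not Django's exact messages.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Methods Django's CsrfViewMiddleware never checks.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    """Constructed stand-in for Django's HttpRequest (not the real class)."""
    method: str
    scheme: str          # "http" or "https"
    host: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_check(request, view_exempt=False):
    """Model of the middleware check; returns None if accepted, else the 403 reason."""
    if view_exempt or request.method in SAFE_METHODS:
        return None                        # @csrf_exempt view or safe method
    cookie = request.cookies.get("csrftoken")
    if cookie is None:
        return "403: CSRF cookie not set"  # the asker's iOS app hits this branch
    if request.scheme == "https":          # strict referer check only under HTTPS
        referer = request.headers.get("Referer")
        if referer is None:
            return "403: Referer checking failed - no Referer"
        parts = urlsplit(referer)
        if parts.scheme != "https" or parts.netloc != request.host:
            return "403: Referer checking failed - bad origin"
    # Token from the hidden form field, or from the X-CSRFToken header that
    # Django also accepts (how a non-browser client can keep the protection).
    token = request.post.get("csrfmiddlewaretoken") or request.headers.get("X-CSRFToken")
    if token is None or not hmac.compare_digest(token, cookie):
        return "403: CSRF token missing or incorrect"
    return None


def new_nonce():
    """Session-independent random value the middleware puts in the csrftoken cookie."""
    return secrets.token_hex(16)
```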
