Rails CSRF Protection + Angular.js: protect_from_forgery makes me log out on POST


Question

If the protect_from_forgery option is present in application_controller, then I can log in and perform any GET requests, but on the very first POST request Rails resets the session, which logs me out.

I turned the protect_from_forgery option off temporarily, but would like to use it with Angular.js. Is there some way to do that?

Answer

I think reading the CSRF value from the DOM is not a good solution, it's just a workaround.

Here is a passage from the AngularJS official documentation, http://docs.angularjs.org/api/ng.$http :

  Since only JavaScript that runs on your domain could read the cookie, your server can be assured that the XHR came from JavaScript running on your domain.

  To take advantage of this (CSRF Protection), your server needs to set a token in a JavaScript readable session cookie called XSRF-TOKEN on the first HTTP GET request. On subsequent non-GET requests the server can verify that the cookie matches the X-XSRF-TOKEN HTTP header.

Here is my solution based on those instructions:

First, set the cookie:

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # Turn on request forgery protection
  protect_from_forgery

  # Expose the session's CSRF token to Angular as a JavaScript-readable cookie.
  # (after_filter is the pre-Rails 5 name of after_action.)
  after_filter :set_csrf_cookie_for_ng

  def set_csrf_cookie_for_ng
    # Only set the cookie when forgery protection is actually enabled
    # (it is off by default in the test environment).
    cookies['XSRF-TOKEN'] = form_authenticity_token if protect_against_forgery?
  end
end

Then, we should verify the token on every non-GET request.
Since Rails already has a similar method built in, we can simply override it to append our logic:

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  protected

  # Keep only the variant that matches your Rails version; defining both in
  # one class would make the second definition silently replace the first.

  # In Rails 4.2 and above: form_authenticity_token returns a masked token,
  # so compare with valid_authenticity_token?, which unmasks it for us.
  def verified_request?
    super || valid_authenticity_token?(session, request.headers['X-XSRF-TOKEN'])
  end

  # In Rails 4.1 and below: the token is unmasked, a plain comparison suffices.
  # def verified_request?
  #   super || form_authenticity_token == request.headers['X-XSRF-TOKEN']
  # end
end
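The following is an added example, not part of the answer above and not Rails' own code: a Rails-free Ruby model of the cookie-to-header check the answer wires into verified_request?. It reproduces the masking scheme Rails 4.2+ uses for form_authenticity_token (a random one-time pad prepended to pad XOR token, so each response carries a different value), the client side that Angular's $http performs (copying the XSRF-TOKEN cookie into the X-XSRF-TOKEN header), and the server-side verification, including the failure cases a practitioner should check: missing header, a token from another session, and garbage. All names (XsrfDemo, demo, angular_request) are hypothetical; only SecureRandom and Base64 from the Ruby standard library are used.

```ruby
require 'securerandom'
require 'base64'

# Hypothetical module modelling the answer's XSRF-TOKEN cookie / X-XSRF-TOKEN
# header scheme outside of Rails. The session hash stands in for Rails'
# session[:_csrf_token]; the request is a plain hash with :method and :headers.
module XsrfDemo
  TOKEN_LENGTH = 32
  SAFE_METHODS = %w[GET HEAD].freeze

  # A new server-side session holding the raw per-session CSRF secret.
  def self.new_session
    { csrf_token: SecureRandom.base64(TOKEN_LENGTH) }
  end

  # Masked token as Rails 4.2+ form_authenticity_token produces it:
  # base64(one_time_pad || (one_time_pad XOR raw_token)). The raw secret is
  # never sent, and two calls for the same session yield different strings.
  def self.masked_token(session)
    raw = Base64.strict_decode64(session[:csrf_token])
    pad = SecureRandom.random_bytes(raw.bytesize)
    Base64.strict_encode64(pad + xor(pad, raw))
  end

  # Reverse of masked_token; nil for anything malformed (wrong length, bad base64).
  def self.unmask(masked)
    bytes = Base64.strict_decode64(masked.to_s)
    return nil unless bytes.bytesize == 2 * TOKEN_LENGTH
    pad = bytes[0, TOKEN_LENGTH]
    enc = bytes[TOKEN_LENGTH, TOKEN_LENGTH]
    xor(pad, enc)
  rescue ArgumentError
    nil
  end

  # Equivalent of valid_authenticity_token?(session, header_value): unmask the
  # header and compare it in constant time against the session secret. Note the
  # cookie itself is never read by the server; it is only the delivery channel
  # that lets same-origin JavaScript obtain the token.
  def self.valid_token?(session, header_value)
    raw = unmask(header_value)
    return false if raw.nil?
    secure_compare(raw, Base64.strict_decode64(session[:csrf_token]))
  end

  # The verified_request? override from the answer: safe methods always pass,
  # everything else must carry a header that matches the session.
  def self.verified_request?(session, request)
    return true if SAFE_METHODS.include?(request[:method])
    valid_token?(session, request[:headers]['X-XSRF-TOKEN'])
  end

  # What Angular's $http does on the client: copy the XSRF-TOKEN cookie, if
  # present, into the X-XSRF-TOKEN header of the outgoing request.
  def self.angular_request(method, cookie_jar)
    headers = {}
    headers['X-XSRF-TOKEN'] = cookie_jar['XSRF-TOKEN'] if cookie_jar['XSRF-TOKEN']
    { method: method, headers: headers }
  end

  # Byte-wise XOR of two equal-length binary strings.
  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time comparison so token checks do not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Walks through the flow: first GET sets the cookie (the after_filter in the
  # answer), then several POSTs are checked. Returns the verdict for each case.
  def self.demo
    session = new_session
    cookies = { 'XSRF-TOKEN' => masked_token(session) }   # set on the first GET
    attacker_cookies = { 'XSRF-TOKEN' => masked_token(new_session) }
    {
      get_ok:        verified_request?(session, method: 'GET', headers: {}),
      post_ok:       verified_request?(session, angular_request('POST', cookies)),
      missing:       verified_request?(session, method: 'POST', headers: {}),
      other_session: verified_request?(session, angular_request('POST', attacker_cookies)),
      garbage:       verified_request?(session, method: 'POST',
                                                headers: { 'X-XSRF-TOKEN' => 'not base64!!' })
    }
  end
end
```

A cross-site attacker can make the victim's browser send the POST with its cookies attached, but cannot read the XSRF-TOKEN cookie to build the header, so the `missing` and `other_session` cases are exactly what the attacker is limited to, and both fail. The check also does not depend on the cookie value at all, so marking the cookie HttpOnly would break Angular (it could no longer read it) without adding any protection.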
