从响应中读取授权标头 [英] Read Authorization header from response

问题描述

我正在做一个副项目，我想在其中重复使用现有的API. 该API有一个/auth端点，该端点处理POST请求，并在请求正文中包含email和password.如果email和password已验证，则服务器将返回一个响应，其中包含Authorization标头，其中包含应在所有后续请求中发送的令牌的值.

I am working on a side project in which I want to reuse an existing API. The API has an /auth endpoint which handles POST requests and expects the email and password in the request body. If the email and password are verified, then the server returns a response which contains an Authorization header which holds the value for the token which should be sent in all the subsequent requests.

我在从响应中检索此标头时遇到问题.在Postman和Chrome开发工具(网络部分)中都可以看到它. Chrome开发工具: console.log的响应头

I have a problem retrieving this header from the response. It is visible in both Postman and Chrome Dev Tools (Network section). Chrome Dev tools: console.log of the response headers

我尝试了多个库/实现来发送请求(superagent，request，fetch实现，甚至是XMLHttpRequest)，但是，我得到的所有响应在响应中都具有Authorization标头当我在Chrome开发工具中查看标头时，但是当我尝试从javascript访问标头时，总是总是只能得到Content-Type标头.

I have tried multiple libraries/implementations for sending requests (superagent, request, fetch implementation and even XMLHttpRequest), however, all of the responses I get have the Authorization header in the response headers when I look at them in the Chrome Dev Tools, but when I try to access the headers from javascript, I always end up getting the Content-Type header only.

我读了几个其他答案，表明服务器必须在标头中使用Authorization值指定Access-Control-Expose-Headers或Access-Control-Allow-Headers，但是，我无权访问服务器，并且也没有问题该API与该问题有关，所以我猜测是在发送请求时缺少某些内容.

I read in a couple of other answers that the server must specify the Access-Control-Expose-Headers or Access-Control-Allow-Headers with the Authorization value in the headers, however, I do not have access to the server and there are no issues on the API related to this problem, so my guess is that I am missing something when sending the request.

有什么想法吗?

这是使用fetch

return fetch(endpoint, {
    method: 'post',
    body: data,
    headers: {
      [API_KEY_HEADER]: apiKey
    }
  }).then(r => {
    console.log(r);
    console.log(r.headers)
  });

这是使用request

r({
    url: endpoint,
    method: 'post',
    headers: {
      [API_KEY_HEADER]: apiKey
    }
  }).then(r => {
    console.log(r);
    console.log(r.headers);
  })

这是普通的XMLHttpRequest

  const request = new XMLHttpRequest();

  request.open('POST', endpoint);

  request.setRequestHeader('Content-Type', 'application/json');
  request.setRequestHeader(API_KEY_HEADER, apiKey);

  request.onreadystatechange = function () {
    if (this.readyState === 4) {
      console.log('Status:', this.status);
      console.log('Headers:', this.getAllResponseHeaders());
      console.log('Body:', this.responseText);
    }
  };

  const body = {
    'email': 'dummy@test.com',
    'password': 'secret!'
  };

  request.send(JSON.stringify(body));

推荐答案

2年为时已晚，但希望这对遇到相同问题的人有所帮助:

2 years too late but hope this helps someone with the same problem:

正如@shaochuancs所说，Authorization标头在响应中不是标准的，因此服务器必须显式通知以公开它.为此，服务器必须添加以下标头:

As @shaochuancs said, the Authorization header is not standard in the response, so the server has to explicitly inform to expose it. To do that the server must add the following header:

访问控制公开标题:授权

来源: 查看全文