CSRF verification failing in django/backbone.js


Problem description

I'm trying to recreate a small project from lightweight django - https://github.com/lightweightdjango/examples/tree/chapter-5

I'm getting a CSRF error when trying to log in with the superuser account. Below is my models.js

(function ($, Backbone, _, app) {

    // CSRF helper functions taken directly from Django docs
    function csrfSafeMethod(method) {
        // these HTTP methods do not require CSRF protection
        return (/^(GET|HEAD|OPTIONS|TRACE)$/i.test(method));
    }

    function getCookie(name) {
        var cookieValue = null;
        if (document.cookie && document.cookie != '') {
            var cookies = document.cookie.split(';');
            for (var i = 0; i < cookies.length; i++) {
                var cookie = $.trim(cookies[i]);
                // Does this cookie string begin with the name we want?
                if (cookie.substring(0, name.length + 1) == (name + '=')) {
                    cookieValue = decodeURIComponent(
                    cookie.substring(name.length + 1));
                    break;
                }
            }
        }
        return cookieValue;
    }

    // Setup jQuery ajax calls to handle CSRF
    $.ajaxPrefilter(function (settings, originalOptions, xhr) {
        var csrftoken;
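        // `this` is not the request settings inside an ajaxPrefilter callback,
        // so read crossDomain from the settings argument instead.
        if (!csrfSafeMethod(settings.type) && !settings.crossDomain) {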
            // Send the token to same-origin, relative URLs only.
            // Send the token only if the method warrants CSRF protection
            // Using the CSRFToken value acquired earlier
            csrftoken = getCookie('csrftoken');
            xhr.setRequestHeader('X-CSRFToken', csrftoken);
        }
    });

    // (remainder of models.js not shown in the post)
})(jQuery, Backbone, _, app);

I tried cloning the entire project to my local folder. I'm still getting the CSRF error.

Django merely provides the API for the project - templating etc is handled by Backbone.js

Please let me know if I need to post more code.

My login template, if it's of any help:

  var LoginView = FormView.extend({
        id: 'login',
        templateName: '#login-template',
        submit: function (event) {
            var data = {};
            FormView.prototype.submit.apply(this, arguments);
            data = this.serializeForm(this.form);
            $.post(app.apiLogin, data)
                .done($.proxy(this.loginSuccess, this))
                .fail($.proxy(this.failure, this));
        },
        loginSuccess: function (data) {
            app.session.save(data.token);
            this.done();
        }
    });

Recommended answer

I had exactly the same issue. Then as suggested in page 111 of the book:

This assumes that the project is using the default cookie name csrftoken. If needed, this token could be configured via the configuration parsed by app.js.

I added "csrftoken": "{% csrf_token %}" to the "config" section in index.html:

...
<script src="{% static 'board/vendor/backbone.js' %}"></script>
<script id="config" type="text/json">
    {
        "models": {},
        "collections": {},
        "views": {},
        "router": null,
        "csrftoken": "{% csrf_token %}", //added this
        "apiRoot": "{% url 'api-root' %}",
        "apiLogin": "{% url 'api-token' %}"
    }
</script>
<script src="{% static 'board/js/app.js' %}"></script>
...

With this change, the error was fixed and I was able to log in.
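
The decision the prefilter in the question makes, as an added example that is not part of the question, the answer or the book's code: it separates the case where the csrftoken cookie was never set from the other reasons no X-CSRFToken header is sent. The names getCookieFrom and csrfDecision and the sample cookie strings are assumptions made for illustration.

```javascript
// Added example; pure functions so the logic runs in Node or in the browser.

// Same safe-method rule as the Django docs helper quoted in the question.
function csrfSafeMethod(method) {
    return /^(GET|HEAD|OPTIONS|TRACE)$/i.test(method);
}

// Parse a document.cookie-style string; returns null when the cookie is absent.
function getCookieFrom(cookieString, name) {
    var parts = (cookieString || '').split(';');
    for (var i = 0; i < parts.length; i++) {
        var cookie = parts[i].trim();
        if (cookie.substring(0, name.length + 1) === name + '=') {
            return decodeURIComponent(cookie.substring(name.length + 1));
        }
    }
    return null;
}

// Decide what the ajaxPrefilter should do for one request.
// Returns { send: boolean, token: string|null, reason: string }.
function csrfDecision(method, crossDomain, cookieString, cookieName) {
    if (csrfSafeMethod(method)) {
        return { send: false, token: null, reason: 'safe-method' };
    }
    if (crossDomain) {
        return { send: false, token: null, reason: 'cross-domain' };
    }
    var token = getCookieFrom(cookieString, cookieName || 'csrftoken');
    if (!token) {
        // Django sets this cookie only when the token is requested while
        // rendering (e.g. the {% csrf_token %} tag) or when the view is
        // wrapped in ensure_csrf_cookie; a page that does neither never gets it.
        return { send: false, token: null, reason: 'cookie-missing' };
    }
    return { send: true, token: token, reason: 'ok' };
}

// Constructed sample cookie strings (not real values).
var withToken = 'sessionid=abc123; csrftoken=Zm9vYmFy';
var withoutToken = 'sessionid=abc123';
console.log(csrfDecision('POST', false, withToken));
console.log(csrfDecision('POST', false, withoutToken));
```

In models.js the same decision can be made inside $.ajaxPrefilter with csrfDecision(settings.type, settings.crossDomain, document.cookie), logging a warning when the reason is cookie-missing.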
