Strange Angular Rest call behaviour


Problem description


I use Angular to make a call to Atlassian JIRA's REST API. Angular is used in the context of an Ionic-framework app on a device.

A curl such as

curl -X POST 'https://url' -H 'Accept: application/json, text/plain, */*' -H 'Authorization: Basic a2someStuff' -H 'Content-Type: application/json' --data-binary '{"transition": {"id": "761"}}'

works and produces the desired result.

However, if I perform the query using regular Angular,

curl -X POST 'https://url' -H 'Accept: application/json, text/plain, */*' -H 'Authorization: Basic a2someStuff' -H 'X-Atlassian-Token: nocheck' -H 'User-Agent: Mozilla/5.0 (Linux; Android 5.0; Intellibook Build/LRX21V) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/37.0.0.0 Safari/537.36' -H 'Content-Type: application/json' --data-binary '{"transition": {"id": "781"}}'

is created. I have verified that this curl works correctly if the User-Agent header is removed. Is there any possibility in Angular to perform such an operation?

Edit

Here is the JS which generates the request.

Here is the config section:

.constant('ApiEndpoint', {
  url: 'someUrl'
})
.config(['$httpProvider', function ($httpProvider) {
  $httpProvider.defaults.headers.common['X-Atlassian-Token'] = 'nocheck';
}])

Here are the method contents:

var postData = '{"transition": {"id": "' + transition + '"}}';
$http({
  url: ApiEndpoint.url + 'issue/' + issueKey + '/transitions',
  method: 'POST',
  data: postData,
  headers: {
    'Content-Type': 'application/json'
  }
}).then(function (response) {
  // some stuff
}, function (error) {
  // error handler (the original snippet ends here)
});

Solution

If you want to delete the User-Agent header, do it like this:

.config(['$httpProvider', function ($httpProvider) {
  delete $httpProvider.defaults.headers.common['User-Agent'];
}]);

Here is some info about Cross Site Request Forgery (XSRF) protection for Angular $http (see the Security Considerations section):

XSRF is an attack technique by which the attacker can trick an authenticated user into unknowingly executing actions on your website. Angular provides a mechanism to counter XSRF. When performing XHR requests, the $http service reads a token from a cookie (by default, XSRF-TOKEN) and sets it as an HTTP header (X-XSRF-TOKEN). Since only JavaScript that runs on your domain could read the cookie, your server can be assured that the XHR came from JavaScript running on your domain. The header will not be set for cross-domain requests.

To take advantage of this, your server needs to set a token in a JavaScript readable session cookie called XSRF-TOKEN on the first HTTP GET request. On subsequent XHR requests the server can verify that the cookie matches X-XSRF-TOKEN HTTP header, and therefore be sure that only JavaScript running on your domain could have sent the request. The token must be unique for each user and must be verifiable by the server (to prevent the JavaScript from making up its own tokens). We recommend that the token is a digest of your site's authentication cookie with a salt for added security.

The name of the headers can be specified using the xsrfHeaderName and xsrfCookieName properties of either $httpProvider.defaults at config-time, $http.defaults at run-time, or the per-request config object.

In order to prevent collisions in environments where multiple Angular apps share the same domain or subdomain, we recommend that each application uses a unique cookie name.

xsrfHeaderName – {string} – Name of HTTP header to populate with the XSRF token.
xsrfCookieName – {string} – Name of cookie containing the XSRF token.

$http({
  url: ApiEndpoint.url + 'issue/' + issueKey + '/transitions',
  method: 'POST',
  data: postData,
  headers: {
    'Content-Type': 'application/json'
  },
  xsrfHeaderName: 'XSRF-Header-Name',
  xsrfCookieName: 'XSRF-Cookie-Name'
})
