REST和Slim 3:为什么使用post方法无法进行CSRF检查? [英] REST and Slim 3 : why CSRF check failed with post method?

问题描述

我想在使用Slim3创建的Web应用程序上添加具有REST API的用户.我在应用程序上使用相同的路由来添加用户，并且可以正常工作.但是由于另一个网站，由于CSRF检查失败，我通过ajax请求发出"400错误请求".在此请求之前，我执行GET方法以获取CSRF令牌并使用CSRF令牌数据构建隐藏的输入.然后我在POST方法中提供了CSRF令牌，但是它不起作用...我不明白.

I want to add a user with REST API on a web application created with Slim3. I use the same route on application to add a user and it's works. But by an ajax request since an other website I have "400 bad request" because of CSRF check failed. Before this request I do a GET method to get CSRF token and build hidden input with CSRF token data. Then I give CSRF token at POST method but it doesn't work... I don't understand.

谢谢.

Ajax获取方法:

$.get("https://extranet.exemple.fr/api/token", {})
            .done(function (data, text, jqxhr) {
                if (data.success === true) {
                    $("#csrf_name").val(data.csrf.csrf_name);
                    $("#csrf_value").val(data.csrf.csrf_value);
                }
            })
            .fail(function (jqxhr) {})
            .always(function () {});
            });

Ajax POST:

Ajax POST :

var csrfname = $("#csrf_name").val();
var csrfvalue = $("#csrf_value").val();
var objajaxargs = {
                    dataUser: dataUser,
                    csrf_name: csrfname,
                    csrf_value: csrfvalue,
                };
                $.post("https://extranet.exemple.fr/user/add", objajaxargs)
                    .done(function (data, text, jqxhr) {
                        if (data.success === true) {
                            alert("success");
                        }
                    })
                    .fail(function (jqxhr) {})
                    .always(function () {});

在我的容器中

$container["csrf"] = function ($container) {
    return new \Slim\Csrf\Guard();
};

苗条的GET方法

$app->get('/api/token', function (\Slim\Http\Request $request, \Slim\Http\Response $response, $args) use ($app) {

$container = $app->getContainer();
// Generate new token and update request
$request = $container->csrf->generateNewToken($request);
// Build Header Token
$nameKey = $container->csrf->getTokenNameKey();
$valueKey = $container->csrf->getTokenValueKey();
$name = $request->getAttribute($nameKey);
$value = $request->getAttribute($valueKey);
$tokenArray = [
    $nameKey => $name,
    $valueKey => $value
];

$respCSRF["success"] = false;
if (!empty($tokenArray)) {
    $respCSRF["success"] = true;
    $respCSRF["csrf"] = $tokenArray;
}

return $response->withJson($respCSRF);});

苗条POST方法

$app->post("/user/add", function (\Slim\Http\Request $request, \Slim\Http\Response $response, $args) use ($app) {

$container = $app->getContainer();
$objBody = $request->getParsedBody();
$objUser = new \App\Models\UserModel($container);

foreach ($objBody["dataUser"] as $key => $value) {
    $objAdherent->$key = $value;
}

$arrJsonResponse = ["success" => false];

if (filter_var($objUser->mail, FILTER_VALIDATE_EMAIL) !== false) {
    $infosAdd = $objUser->addUser();
    if ($infosAdd !== false) {
        $arrJsonResponse["success"] = true;
        return $response->withJson($arrJsonResponse)->withStatus(201);
    }
} 

return $response->withJson($arrJsonResponse)->withStatus(400);});

推荐答案

我解决了我的问题.我将csrf令牌持久性设置为true，并且可以正常工作！

I resolve my problem. I set csrf token persistence at true and it's works!

解决方案:

 /**
 * Init CSRF
 * @return \Slim\Csrf\Guard
 */
$container["csrf"] = function ($container) {
    $guard = new \Slim\Csrf\Guard();
    $guard->setPersistentTokenMode(true);
    return $guard;
};

这篇关于REST和Slim 3:为什么使用post方法无法进行CSRF检查?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！