axios delete method gives 403


Problem description

I am calling the delete method from my node-js application.

It's working fine from Postman but giving me 403 while calling this API from code.

Below is my sample code snippet:

const instance = axios.create();
instance.interceptors.request.use((config) => {
    config.baseURL = 'https://test-dev.com/api/portfolio'
    config.headers = { 'Authorization' : 'Bearer ' + <TOKEN>}
    return config;
});
instance.delete('/admin?users=<VALUE>').then(function(response) {
    console.log("Deleted: "+<VALUE>);
}).catch(function (error) {
    console.log("Deletion failed with error:" + error);
});

Response (Coming from spring security APP):

Could not verify the provided CSRF token because your session was not found

I thought this is already handled by axios.

How can I pass this value in headers while calling the delete method?

Any help?

Recommended answer

You can:

1 - Use the withCredentials property:

withCredentials: true

Like so:

// axios.delete takes the URL as its first argument and the request config as its second
axios.delete('https://test-dev.com/api/portfolio/admin?users=' + <VALUE>, {
    headers: { 'Authorization' : 'Bearer ' + <TOKEN>},
    withCredentials: true
}).then(function(response) {
    console.log("Deleted: "+<VALUE>);
}).catch(function (error) {
    console.log("Deletion failed with error:" + error);
});

The XMLHttpRequest.withCredentials property is a Boolean that indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates. Setting withCredentials has no effect on same-site requests.

2 - Set the CSRF headers

Either:

headers: {'X-Requested-With': 'XMLHttpRequest',
'X-CSRF-TOKEN' : document.querySelector('meta[name="csrf-token"]').getAttribute('content')}

headers: {'X-Requested-With': 'XMLHttpRequest',
         'X-CSRFToken': 'your token here'}

Or just:

headers: {'X-Requested-With': 'XMLHttpRequest'}

3 - Disable at your own risk, take a look at

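Added example (not part of the original question or answer, and not Spring Security's code): a simplified JavaScript model of the session-bound CSRF check behind the 403 above, with a Node-side helper that carries the session cookie and token over from an earlier GET. The `JSESSIONID` cookie name, the `csrf-token` meta tag being served by the application, the mismatch message and all sample values are assumptions.

```javascript
// Simplified model of a session-bound CSRF check (header names matched exactly
// here; real HTTP header names are case-insensitive).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// sessions: Map of session id -> CSRF token issued for that session.
function checkCsrf(req, sessions) {
  if (SAFE_METHODS.has(req.method)) return { status: 200 };
  const m = /(?:^|;\s*)JSESSIONID=([^;]+)/.exec(req.headers['Cookie'] || '');
  const expected = m ? sessions.get(m[1]) : undefined;
  if (expected === undefined) {
    // No session means nothing to compare against, whatever else is sent.
    return { status: 403, reason: 'Could not verify the provided CSRF token because your session was not found' };
  }
  // A production check would compare in constant time.
  if (req.headers['X-CSRF-TOKEN'] !== expected) {
    return { status: 403, reason: 'CSRF token mismatch' }; // constructed wording
  }
  return { status: 200 };
}

// Client side in Node: there is no browser cookie jar and no `document`, so
// take the session cookie and the page's token from an earlier GET response.
function csrfHeadersFrom(getResponse) {
  const cookie = (getResponse.headers['set-cookie'] || [])
    .map((c) => c.split(';')[0]).join('; ');
  const meta = /<meta\s+name="csrf-token"\s+content="([^"]+)"/.exec(getResponse.data);
  if (!meta) throw new Error('no csrf-token meta tag in response');
  return { Cookie: cookie, 'X-CSRF-TOKEN': meta[1] };
}

// Constructed sample data, shaped like an axios response in Node.
const sessions = new Map([['sess-1', 'tok-abc']]);
const getResponse = {
  headers: { 'set-cookie': ['JSESSIONID=sess-1; Path=/; HttpOnly; Secure'] },
  data: '<html><head><meta name="csrf-token" content="tok-abc"></head></html>',
};
const bearer = { Authorization: 'Bearer EXAMPLE_TOKEN' };

function runCases() {
  const del = (headers) => checkCsrf({ method: 'DELETE', headers }, sessions);
  return {
    bearerOnly: del(bearer),                                     // the question's request
    xhrHeaderOnly: del({ ...bearer, 'X-Requested-With': 'XMLHttpRequest' }),
    tokenWithoutSession: del({ ...bearer, 'X-CSRF-TOKEN': 'tok-abc' }),
    sessionAndToken: del({ ...bearer, ...csrfHeadersFrom(getResponse) }),
  };
}
console.log(runCases());
```

Only the last case passes in this model; the object returned by `csrfHeadersFrom` is what would be merged into the `headers` option of the `delete` call.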