如何确保Rails的API是从CSRF保护？ [英] How to make sure Rails API is secured from CSRF?

问题描述

我一直在发展与REST API Rails应用程序从移动应用程序访问。

I've been developing Rails app with REST API for access from mobile application.

它工作得很好。当用户从移动应用程序登录，他得到的auth_token ，他在他未来的API请求使用。问题是，API也从网络访问转至路径/ API / V1 / ......正因为如此，它必须得到保护，免受CSRF。

It works quite well. When user logs in from mobile application, he gets auth_token that he uses in his future requests to API. The issue is that API is also accessible from web by going to path /api/v1/... and because of this, it has to be protected from CSRF.

我 BaseApiController 有类从的ApplicationController 继承 protect_from_forgery 已启用。这里的例子：

I have BaseApiController class which inherits from ApplicationController that has protect_from_forgery "enabled". Here's example:

class Api::V1::BaseApiController < ApplicationController
  # ...
end

class ApplicationController < ActionController::Base
  protect_from_forgery
  # ...
end

现在，当我做非GET请求我的API，以的auth_token ，我的请求被成功完成，但在日志中我可以看到著名的警告：无法验证令牌CSRF真实性。如果我删除 protect_from_forgery 从我 BaseApiController ，我没有得到任何警告（明显），但后来我的API是容易受到CSRF攻击（我做了一个简单的HTML表单，成功地改变了跨域数据时没有 protect_from_forgery ）。

Now, when I do non-GET requests to my API, with auth_token, my request gets completed successfully, but in the logs I can see the famous WARNING: Can't verify CSRF token authenticity. If I remove protect_from_forgery from my BaseApiController, I don't get any warnings (obviously), but then my API is vulnerable to CSRF attacks (I made a simple HTML form that successfully changes the data across domains when there's no protect_from_forgery).

我的问题是：如何保证我的API能够保证安全，而且还删除警告时做非GET请求

My question is: How to assure my API stays secure, but also remove the warning when doing non-GET requests?

下面是我想出来的解决方案之一，但它看起来更像是一个黑客，并执行一个额外的数据库查询：

Here's one of the solutions I've come up with, but it looks more like a hack and executes one extra DB query:

class Api::V1::BaseApiController < ApplicationController
  # ...
  def verified_request?
    super || User.where(authentication_token: params['auth_token']).count > 0
  end
end

有关项目的更多细节：Rails的3.2.14，设计，AngularJS。该项目的源代码code可以发现这里。

推荐答案

您可能会看到人建议CSRF不是API请求的问题（没有国家，首先，这样还有什么可无论如何劫持？）所以一些建议以下简单地消除警告：

You may see people suggest that CSRF is not an issue for API requests (there is no state to begin with, so what is there to hijack anyhow?), so some suggest the following to simply eliminate the warning:

skip_before_filter :verify_authenticity_token, :only => [:your_method]

不过，有一些评论，有可能犯CSRF与文本/纯使用各种Flash和基于Java的方法。我相信，在轨而回用于安全修补程序的原因：的http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/

However, there was some commentary that it is possible to commit CSRF with text/plain using various Flash and Java-based methods. I believe that was the reason for the security patch in rails a while back: http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails/

在任何情况下，实际检查的真实性令牌一个很好的解决方案可以在这里找到：<一href=\"http://stackoverflow.com/questions/7203304/warning-cant-verify-csrf-token-authenticity-rails\">WARNING:无法验证令牌CSRF真实性轨

In any event, a good solution that actually checks for an authenticity token can be found here: WARNING: Can't verify CSRF token authenticity rails

这涉及实际设置的头球您的要求。

It involves actually setting the header in your request.

祝你好运！

这篇关于如何确保Rails的API是从CSRF保护？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！