Rails:发出 POST 请求时无法验证 CSRF 令牌的真实性 [英] Rails: Can't verify CSRF token authenticity when making a POST request

问题描述

我想向我的本地开发人员发出 POST 请求，如下所示:

I want to make POST request to my local dev, like this:

  HTTParty.post('http://localhost:3000/fetch_heroku',
                :body => {:type => 'product'},)

但是，它从服务器控制台报告

However, from the server console it reports

Started POST "/fetch_heroku" for 127.0.0.1 at 2016-02-03 23:33:39 +0800
  ActiveRecord::SchemaMigration Load (0.0ms)  SELECT "schema_migrations".* FROM "schema_migrations"
Processing by AdminController#fetch_heroku as */*
  Parameters: {"type"=>"product"}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 1ms

这是我的控制器和路由设置，非常简单.

Here is my controller and routes setup, it's quite simple.

  def fetch_heroku
    if params[:type] == 'product'
      flash[:alert] = 'Fetch Product From Heroku'
      Heroku.get_product
    end
  end

  post 'fetch_heroku' => 'admin#fetch_heroku'

我不确定我需要做什么?关闭CSRF当然可以，但我认为创建这样的API时应该是我的错误.

I'm not sure what I need to do? To turn off the CSRF would certainly work, but I think it should be my mistake when creating such an API.

我还需要做其他设置吗?

Is there any other setup I need to do?

推荐答案

跨站点请求伪造 (CSRF/XSRF) 是指恶意网页通过使用书签、iframe 或只需创建一个视觉上足够相似的页面来欺骗用户.

Cross site request forgery (CSRF/XSRF) is when a malicious web page tricks users into performing a request that is not intended for example by using bookmarklets, iframes or just by creating a page which is visually similar enough to fool users.

Rails CSRF 保护是为经典"网络应用程序 - 它只是提供一定程度的保证，即请求源自您自己的网络应用程序.CSRF 令牌就像一个只有你的服务器知道的秘密——Rails 生成一个随机令牌并将其存储在会话中.您的表单通过隐藏输入发送令牌，Rails 会验证任何非 GET 请求是否包含与会话中存储的内容相匹配的令牌.

The Rails CSRF protection is made for "classical" web apps - it simply gives a degree of assurance that the request originated from your own web app. A CSRF token works like a secret that only your server knows - Rails generates a random token and stores it in the session. Your forms send the token via a hidden input and Rails verifies that any non GET request includes a token that matches what is stored in the session.

然而，根据定义，API 通常是跨站点的，并且不仅仅用于您的 Web 应用程序，这意味着 CSRF 的整个概念并不完全适用.

However an API is usually by definition cross site and meant to be used in more than your web app, which means that the whole concept of CSRF does not quite apply.

相反，您应该使用基于令牌的策略，通过 API 密钥和密钥对 API 请求进行身份验证，因为您要验证请求来自已批准的 API 客户端，而不是来自您自己的应用.

Instead you should use a token based strategy of authenticating API requests with an API key and secret since you are verifying that the request comes from an approved API client - not from your own app.

如@dcestari 所指出的，您可以停用 CSRF:

You can deactivate CSRF as pointed out by @dcestari:

class ApiController < ActionController::Base
  protect_from_forgery with: :null_session
end

已更新.在 Rails 5 中，您可以使用 --api 选项生成仅 API 的应用程序:

Updated. In Rails 5 you can generate API only applications by using the --api option:

rails new appname --api

它们不包括 CSRF 中间件和许多其他多余的组件.

They do not include the CSRF middleware and many other components that are superflouus.

• http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf
• https://labs.kollegorna.se/blog/2015/04/build-an-api-now/
• 警告:无法验证 CSRF 令牌真实性导轨

这篇关于Rails:发出 POST 请求时无法验证 CSRF 令牌的真实性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！