在 Servicestack 登录中禁用获取关键字 [英] Disable Get Keyword in Servicestack Login

问题描述

当前在 auth/login 中，您可以使用任何 Get.如何限制某些内置服务的 GET 关键字.我们有一个渗透测试结果，指出不应允许通过 Get 关键字进行身份验证/登录，而只能放置或发布.

Currently in auth/login, you can use any Get. How do I restrict GET keyword for certain built in services. We had a pentest finding stating that auth/login should not be allowed via the Get keyword but only put or post.

推荐答案

如果您指的是 HTTP GET 请求，您可以注册一个 全局请求过滤器 以短路Authenticate HTTP GET 请求:

If you're referring to HTTP GET requests, you can register a Global Request Filter to short-circuit Authenticate HTTP GET requests with:

GlobalRequestFilters.Add((req, res, requestDto) => {
    if (requestDto is Authenticate auth && req.Verb == HttpMethods.Get)
    {
        res.StatusCode = (int)HttpStatusCode.MethodNotAllowed;
        res.EndRequest();
    }
});

我还在 Authenticate 请求(对于非 OAuth 提供者)"nofollow noreferrer">此提交来自 v5.4.1+，现在可在 MyGet 上使用，可以通过以下方式重新启用:

I've also disabled GET Authenticate requests by default (for non OAuth Providers) in this commit from v5.4.1+ that's now available on MyGet, it can be re-enabled with:

Plugins.Add(new AuthFeature(...) {
    AllowGetAuthenticateRequests = req => true
});

这篇关于在 Servicestack 登录中禁用获取关键字的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！