在 Servicestack 登录中禁用获取关键字 [英] Disable Get Keyword in Servicestack Login
问题描述
当前在 auth/login 中,您可以使用任何 Get.如何限制某些内置服务的 GET 关键字.我们有一个渗透测试结果,指出不应允许通过 Get 关键字进行身份验证/登录,而只能放置或发布.
Currently in auth/login, you can use any Get. How do I restrict GET keyword for certain built in services. We had a pentest finding stating that auth/login should not be allowed via the Get keyword but only put or post.
推荐答案
如果您指的是 HTTP GET 请求,您可以注册一个 全局请求过滤器 以短路Authenticate
HTTP GET 请求:
If you're referring to HTTP GET requests, you can register a Global Request Filter to short-circuit Authenticate
HTTP GET requests with:
GlobalRequestFilters.Add((req, res, requestDto) => {
if (requestDto is Authenticate auth && req.Verb == HttpMethods.Get)
{
res.StatusCode = (int)HttpStatusCode.MethodNotAllowed;
res.EndRequest();
}
});
我还在 Authenticate 请求(对于非 OAuth 提供者)"nofollow noreferrer">此提交来自 v5.4.1+,现在可在 MyGet 上使用,可以通过以下方式重新启用:
I've also disabled GET Authenticate
requests by default (for non OAuth Providers) in this commit from v5.4.1+ that's now available on MyGet, it can be re-enabled with:
Plugins.Add(new AuthFeature(...) {
AllowGetAuthenticateRequests = req => true
});
这篇关于在 Servicestack 登录中禁用获取关键字的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!