Rails,设计身份验证,CSRF 问题 [英] Rails, Devise authentication, CSRF issue

查看:29
本文介绍了Rails,设计身份验证,CSRF 问题的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在使用 Rails 做一个单页应用程序.登录和退出时,使用 ajax 调用设计控制器.我遇到的问题是,当我 1) 登录 2) 退出然后再次登录时不起作用.

I'm doing a singe-page application using Rails. When signing in and out Devise controllers are invoked using ajax. The problem I'm getting is that when I 1) sign in 2) sign out then signing in again doesn't work.

我认为这与我退出时重置的 CSRF 令牌有关(尽管它不应该是单页),并且由于它是单页,旧的 CSRF 令牌是在 xhr 请求中发送的,因此重置了会话.

I think it's related to CSRF token which gets reset when I sign out (though it shouldn't afaik) and since it's single page, the old CSRF token is being sent in xhr request thus resetting the session.

更具体地说,这是工作流程:

To be more concrete this is the workflow:

  1. 登录
  2. 退出
  3. 登录(成功 201.但是在服务器日志中打印WARNING: Can't verify CSRF token真实性)
  4. 后续 ajax 请求失败 401 未经授权
  5. 刷新网站(此时,页面标题中的 CSRF 更改为其他内容)
  6. 我可以登录,一切正常,直到我尝试退出并再次登录.

非常感谢任何线索!如果我可以添加更多详细信息,请告诉我.

Any clues very much appreciated! Let me know if I can add any more details.

推荐答案

Jimbo 出色地解释了您遇到的问题背后的原因".您可以采用两种方法来解决此问题:

Jimbo did an awesome job explaining the "why" behind the issue you're running into. There are two approaches you can take to resolve the issue:

  1. (由 Jimbo 推荐)覆盖 Devise::SessionsController 以返回新的 csrf-token:

  1. (As recommended by Jimbo) Override Devise::SessionsController to return the new csrf-token:

class SessionsController < Devise::SessionsController
  def destroy # Assumes only JSON requests
    signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
    render :json => {
        'csrfParam' => request_forgery_protection_token,
        'csrfToken' => form_authenticity_token
    }
  end
end

并在客户端为您的 sign_out 请求创建一个成功处理程序(可能需要根据您的设置进行一些调整,例如 GET 与 DELETE):

And create a success handler for your sign_out request on the client side (likely needs some tweaks based on your setup, e.g. GET vs DELETE):

signOut: function() {
  var params = {
    dataType: "json",
    type: "GET",
    url: this.urlRoot + "/sign_out.json"
  };
  var self = this;
  return $.ajax(params).done(function(data) {
    self.set("csrf-token", data.csrfToken);
    self.unset("user");
  });
}

这还假设您在所有 AJAX 请求中自动包含 CSRF 令牌,如下所示:

This also assumes you're including the CSRF token automatically with all AJAX requests with something like this:

$(document).ajaxSend(function (e, xhr, options) {
  xhr.setRequestHeader("X-CSRF-Token", MyApp.session.get("csrf-token"));
});

  • 更简单,如果它适合您的应用程序,您可以简单地覆盖 Devise::SessionsController 并使用 skip_before_filter :verify_authenticity_token 覆盖令牌检查.

  • Much more simply, if it is appropriate for your application, you can simply override the Devise::SessionsController and override the token check with skip_before_filter :verify_authenticity_token.

    这篇关于Rails,设计身份验证,CSRF 问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

  • 查看全文
    登录 关闭
    扫码关注1秒登录
    发送“验证码”获取 | 15天全站免登陆