Rails 显示“警告:无法验证 CSRF 令牌的真实性"；来自 RestKit POST [英] Rails shows "WARNING: Can't verify CSRF token authenticity" from a RestKit POST

问题描述

当我尝试从 RestKit POST 时，Rails 控制台中出现警告:

When I try to POST from RestKit, there is a warning in Rails console:

Started POST "/friends" for 127.0.0.1 at 2012-04-16 09:58:10 +0800
Processing by FriendsController#create as */*
Parameters: {"friend"=>{"myself_id"=>"m001", "friend_id"=>"f001"}}
WARNING: Can't verify CSRF token authenticity
(0.1ms)  BEGIN
SQL (1.7ms)  INSERT INTO `friends` (`friend_id`, `myself_id`) VALUES ('f001', 'm001')
(1.1ms)  COMMIT
Redirected to http://127.0.0.1:3000/friends/8
Completed 302 Found in 6ms (ActiveRecord: 3.0ms)

这是客户端代码:

NSMutableDictionary *attributes = [[NSMutableDictionary alloc] init];
[attributes setObject: @"f001" forKey: @"friend_id"];
[attributes setObject: @"m001" forKey: @"myself_id"];
NSMutableDictionary *params = [NSMutableDictionary dictionaryWithObject:attributes forKey:@"friend"];
[[RKClient sharedClient] post:@"/friends" params:params delegate:self];

我怎样才能摆脱警告?

推荐答案

您可以通过以下方式安全地删除警告:

You can safely remove the warnings with the following:

skip_before_filter  :verify_authenticity_token

这应该包含在您拥有的每个 Rails API 控制器中，或者如果您有所有 API 控制器的 base_controller，则将其放在那里.

This should go into every Rails API controller that you have, or if you have a base_controller for all API controllers then put it there.

如果您也可以通过网络浏览器访问您的应用，请不要将此行放在 application_controller 中，因为这会造成安全漏洞.

If you can also access your app through a web browser then do not put this line in the application_controller as you will be creating a security vulnerability.

删除 API 调用的 csrf 是安全的，因为特定漏洞只能通过网络浏览器执行.

It is safe to remove csrf for API calls as the particular vulnerability can only be executed through a web browser.

2013 年 12 月 16 日更新

我看到了一些指向此答案的链接以及一些其他建议澄清的内容.如果您使用基于 Web 的身份验证方法对 API 进行身份验证，则 API 可能容易受到 CSRF 的影响 - 例如会话或 cookie.

I've seen some links to this answer and some other content which suggests a clarification. An API may be vulnerable to CSRF if you use web based authentication methods to authenticate the API - e.g. sessions or cookies.

您的 Web API 是否容易受到攻击?CSRF 漏洞利用?.

我的建议仍然适用于 RestKit 用户，因为用户凭据不太可能基于会话或 cookie，而是基于用户名或 API 密钥.

My advice still stands for users of RestKit as user credentials are unlikely to be based on sessions or cookies but rather usernames or api keys.

如果您的 API 可以使用会话或 cookie 进行身份验证，那么您应该避免跳过 : verify_authenticity_token 并且您应该考虑转向基于 api 密钥的身份验证.

If your API can be authenticated with session or cookies then you should avoid skipping : verify_authenticity_token and you should think about moving to api key based authentication.

如果您的 API 可以使用也用于在网络上进行身份验证的用户名和密码进行身份验证，那么仍然存在潜在的漏洞利用，尽管它不那么严重，因为它需要用户将他们的用户名和密码输入到您的访问带有漏洞的站点时，在 HTTP 身份验证挑战框中的站点.同样，为了获得最佳安全性，您应该考虑转向基于 api 密钥的身份验证.

If your API can be authenticated with a username and password that is also used to authenticate on the web there is still a potential exploit, although it is less serious as it would require the user to type in their username and password to your site in the HTTP Auth challenge box while visiting the site with the exploit. Again, for the best security you should think about moving to api key based authentication.

值得注意的是，我不同意您需要添加 :only =>[:your_method] 提供额外保护，前提是您有隔离的 api 控制器，您的 api 不会与您的网络响应混合，并且您没有使用会话或 cookie.如果这些都准备好了，您可以安全地将 skip_before_filter 添加到您的 API 的 base_controller 中.

It's worth noting that I don't agree that you need to add :only => [:your_method] for additional protection, provided that you have isolated api controllers, your api is not mixed with your web responses and you are not using session or cookies. If these are in place you can safely add the skip_before_filter into a base_controller for your api.

这篇关于Rails 显示“警告:无法验证 CSRF 令牌的真实性"；来自 RestKit POST的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！