如何使用 axios 发送授权标头 [英] How to send authorization header with axios

问题描述

如何通过 axios.js 发送带有令牌的身份验证标头?我尝试了一些没有成功的事情，例如:

How can I send an authentication header with a token via axios.js? I have tried a few things without success, for example:

const header = `Authorization: Bearer ${token}`;
return axios.get(URLConstants.USER_URL, { headers: { header } });

给我这个错误:

XMLHttpRequest cannot load http://localhost:8000/accounts/user/. Request header field header is not allowed by Access-Control-Allow-Headers in preflight response.

我已经通过设置全局默认值设法让它工作，但我猜这不是单个请求的最佳主意:

I have managed to get it work by setting global default, but I'm guessing this is not the best idea for a single request:

axios.defaults.headers.common['Authorization'] = `Bearer ${token}`;

更新:

Cole 的回答帮助我找到了问题所在.我正在使用 django-cors-headers 中间件，默认情况下它已经处理了授权标头.

Cole's answer helped me find the problem. I am using django-cors-headers middleware which already handles authorization header by default.

但我能够理解错误消息并修复了我的 axios 请求代码中的错误，它应该如下所示

But I was able to understand the error message and fixed an error in my axios request code, which should look like this

return axios.get(URLConstants.USER_URL, { headers: { Authorization: `Bearer ${data.token}` } });

推荐答案

对于非简单的 http 请求，您的浏览器将首先发送预检"请求(OPTIONS 方法请求)，以确定相关站点认为安全的内容要发送的信息(请参阅此处了解跨源关于此的政策规范).主机可以在预检响应中设置的相关标头之一是 Access-Control-Allow-Headers.如果您要发送的任何标头未在规范的白名单标头列表或服务器的预检响应中列出，则浏览器将拒绝发送您的请求.

On non-simple http requests your browser will send a "preflight" request (an OPTIONS method request) first in order to determine what the site in question considers safe information to send (see here for the cross-origin policy spec about this). One of the relevant headers that the host can set in a preflight response is Access-Control-Allow-Headers. If any of the headers you want to send were not listed in either the spec's list of whitelisted headers or the server's preflight response, then the browser will refuse to send your request.

在您的情况下，您正在尝试发送 Authorization 标头，这不被认为是普遍安全的发送标头之一.然后浏览器发送一个预检请求，询问服务器是否应该发送该标头.服务器要么发送一个空的 Access-Control-Allow-Headers 标头(这被认为意味着不允许任何额外的标头")，或者它正在发送一个不包含 Authorization 在其允许的标题列表中.因此，浏览器不会发送您的请求，而是选择通过抛出错误来通知您.

In your case, you're trying to send an Authorization header, which is not considered one of the universally safe to send headers. The browser then sends a preflight request to ask the server whether it should send that header. The server is either sending an empty Access-Control-Allow-Headers header (which is considered to mean "don't allow any extra headers") or it's sending a header which doesn't include Authorization in its list of allowed headers. Because of this, the browser is not going to send your request and instead chooses to notify you by throwing an error.

您发现任何允许您发送此请求的 Javascript 解决方法都应该被视为错误，因为它违反了您的浏览器为了您自己的安全而试图强制执行的跨源请求策略.

Any Javascript workaround you find that lets you send this request anyways should be considered a bug as it is against the cross origin request policy your browser is trying to enforce for your own safety.

tl;dr - 如果您想发送 Authorization 标头，您的服务器最好配置为允许它.设置您的服务器，使其使用 Access-Control-Allow-Headers: Authorization 标头响应该 url 上的 OPTIONS 请求.

tl;dr - If you'd like to send Authorization headers, your server had better be configured to allow it. Set your server up so it responds to an OPTIONS request at that url with an Access-Control-Allow-Headers: Authorization header.

这篇关于如何使用 axios 发送授权标头的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！