如何使用环防伪造/ CSRF令牌与最新版本ring / compojure? [英] How can I use ring anti-forgery / CSRF token with latest version ring/compojure?
问题描述
我复制了一些旧的代码,在compojure 1.1.18和其他旧的libs,但使用最新版本,我无法得到它的工作。
I copied some old code that was working in compojure 1.1.18 and other old libs, but using the latest versions I can't get it to work.
以下是从最低示例代码 / set-ring-anti-forgery-csrf-header-token>这里的最小示例来演示使用最新的ring和compojure库,当我发送一个http POST
,即使设置了标头。
Here's my minimal example code copied from the minimal example here to demonstrate that with latest ring and compojure libraries, I get an error when I send an http POST
, even with the header set.
lein环服务器
do
curl -X GET --cookie-jar cookieshttp:// localhost:3000 /
会产生类似这样的结果:
curl -X GET --cookie-jar cookies "http://localhost:3000/"
which results in something like this:
{"csrf-token":"7JnNbzx8BNG/kAeH4bz1jDdGc7zPC4TddDyiyPGX3jmpVilhyXJ7AOjfJgeQllGthFeVS/rgG4GpkUaF"}
但是当我这样做
curl -X POST -v --cookie cookies -F "email=someone@gmail.com" --header "X-CSRF-Token: 7JnNbzx8BNG/kAeH4bz1jDdGc7zPC4TddDyiyPGX3jmpVilhyXJ7AOjfJgeQllGthFeVS/rgG4GpkUaF" http://localhost:3000/send
我得到< h1>无效的防伪令牌< / h1>
我做错了什么?
我借的代码打算回答此问题。
推荐答案
问题是 ring-defaults
c $ c>命令空间在compojure> = 1.2)自动使用通常使用模式下的反伪造
:
The problem was that ring-defaults
(which replaces the compojure.handler
namespace in compojure >= 1.2) automatically uses ring anti-forgery
in the usual mode of use:
(defroutes app-routes
(GET "/" [] (generate-string {:csrf-token
*anti-forgery-token*}))
(POST "/send" [email] "ok")
(resources "/")
(not-found "Not Found"))
(def app
(-> app-routes
(wrap-defaults site-defaults)))
伪造令牌正在生成, GET
请求提供了无效的令牌。删除 wrap-anti-forgery
行修复了该问题。
So two anti-forgery tokens were being generated and the GET
request provided the invalid one. Removing the wrap-anti-forgery
line fixed the problem.
这篇关于如何使用环防伪造/ CSRF令牌与最新版本ring / compojure?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!