Rails显示“警告:无法验证CSRF令牌真实性”来自RestKit POST [英] Rails shows "WARNING: Can't verify CSRF token authenticity" from a RestKit POST
问题描述
当我尝试从 RestKit 发布POST时,Rails控制台中会出现警告:
When I try to POST from RestKit, there is a warning in Rails console:
Started POST "/friends" for 127.0.0.1 at 2012-04-16 09:58:10 +0800
Processing by FriendsController#create as */*
Parameters: {"friend"=>{"myself_id"=>"m001", "friend_id"=>"f001"}}
WARNING: Can't verify CSRF token authenticity
(0.1ms) BEGIN
SQL (1.7ms) INSERT INTO `friends` (`friend_id`, `myself_id`) VALUES ('f001', 'm001')
(1.1ms) COMMIT
Redirected to http://127.0.0.1:3000/friends/8
Completed 302 Found in 6ms (ActiveRecord: 3.0ms)
这是客户端代码:
NSMutableDictionary *attributes = [[NSMutableDictionary alloc] init];
[attributes setObject: @"f001" forKey: @"friend_id"];
[attributes setObject: @"m001" forKey: @"myself_id"];
NSMutableDictionary *params = [NSMutableDictionary dictionaryWithObject:attributes forKey:@"friend"];
[[RKClient sharedClient] post:@"/friends" params:params delegate:self];
如何摆脱警告?
推荐答案
您可以使用以下方法安全地删除警告:
You can safely remove the warnings with the following:
skip_before_filter :verify_authenticity_token
这应该进入每个Rails API控制器你有,或者你有一个 base_controller 所有API控制器,然后把它放在那里。
This should go into every Rails API controller that you have, or if you have a base_controller for all API controllers then put it there.
如果您还可以通过网络浏览器访问您的应用,那么请不要将此行放在 application_controller 中将会创建一个安全漏洞。
If you can also access your app through a web browser then do not put this line in the application_controller as you will be creating a security vulnerability.
对于API调用,可以安全删除 csrf ,因为特定漏洞只能通过网络浏览器执行。
It is safe to remove csrf for API calls as the particular vulnerability can only be executed through a web browser.
2013年12月16日更新
我'已经看到了这个答案的一些链接和一些其他内容,表明澄清。如果您使用基于Web的身份验证方法来验证API,则API可能容易受到CSRF的攻击 - 例如会话或cookies。
I've seen some links to this answer and some other content which suggests a clarification. An API may be vulnerable to CSRF if you use web based authentication methods to authenticate the API - e.g. sessions or cookies.
我的建议仍然代表用户RestKit用户凭据不太可能基于会话或cookie,而是基于用户名或API密钥。
My advice still stands for users of RestKit as user credentials are unlikely to be based on sessions or cookies but rather usernames or api keys.
如果您的API可以通过会话或cookie进行身份验证,那么您应该避免跳过:verify_authenticity_token 您应该考虑转移到基于api密钥的身份验证。
If your API can be authenticated with session or cookies then you should avoid skipping : verify_authenticity_token and you should think about moving to api key based authentication.
如果您的API可以使用用户名和密码进行身份验证这也用于在网络上进行身份验证仍有潜在的漏洞,虽然它不太严重,因为它要求用户在访问具有漏洞的网站时在HTTP Auth挑战框中输入他们的用户名和密码到您的网站。同样,为了获得最佳安全性,您应该考虑转向基于api密钥的身份验证。
If your API can be authenticated with a username and password that is also used to authenticate on the web there is still a potential exploit, although it is less serious as it would require the user to type in their username and password to your site in the HTTP Auth challenge box while visiting the site with the exploit. Again, for the best security you should think about moving to api key based authentication.
值得注意的是,我不同意您需要添加:only => [:your_method] 以获得额外的保护,只要您拥有隔离的api控制器,您的api不会与您的网络响应混合,并且您没有使用会话或cookie。如果这些已经到位,您可以安全地将 skip_before_filter 添加到您的api的 base_controller 中。
It's worth noting that I don't agree that you need to add :only => [:your_method] for additional protection, provided that you have isolated api controllers, your api is not mixed with your web responses and you are not using session or cookies. If these are in place you can safely add the skip_before_filter into a base_controller for your api.
这篇关于Rails显示“警告:无法验证CSRF令牌真实性”来自RestKit POST的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
