【问题标题】:mismatching_state: CSRF Warning! State not equal in request and response in fastapimismatching_state:CSRF 警告! fastapi中请求和响应的状态不相等
【发布时间】:2021-11-14 20:42:08
【问题描述】:

我正在尝试将 gitlab 集成到我的 fastapi 项目中,但是,这个问题让我很生气。我正在使用 authlib。 gitlab 集成的过程是当用户点击连接按钮时,会弹出 gitlab 授权窗口,当点击授权按钮时,它会运行 redirect_url,这是我的 api url(http://localhost:8888/auth/gitlab?code=asdkjfasdjfkasdjkfasjdkjlsadajk&state=_gitlab)。这是代码

if settings.BACKEND_CORS_ORIGINS:
    app.add_middleware(SessionMiddleware, secret_key=settings.SECRET_KEY)
    app.add_middleware(
        CORSMiddleware,
        allow_origins=[str(origin) for origin in settings.BACKEND_CORS_ORIGINS],
        allow_credentials=True,
        allow_methods=["*"],
        allow_headers=["*"],
    )

config = Config(".env")
oauth = OAuth(config)
oauth.register(
    name="gitlab",
    client_id=settings.GITLAB_CLIENT_ID,
    client_secret=settings.GITLAB_CLIENT_SECRET,
    authorize_url="https://gitlab.com/oauth/authorize",
    client_kwargs={"scope": "read_user+profile"},
)

@app.get("/auth/gitlab")
async def auth_gitlab(request: Request):
    print("###################")
    print("request", request, request.session)
    # {'_gitlab_authlib_redirect_uri_': 'http://localhost:8888/auth/gitlab'}
    gitlab = oauth.create_client("gitlab")
    try:
        token = await gitlab.authorize_access_token(request)
        print("token", token)
        user = await gitlab.parse_id_token(request, token)
        print("user", dict(user))
        return {"token": token}
    except OAuthError as error:
        print("oauth error", error, error.error)

我的弹出窗口的 oauth url 是

const oauthUrl = `${GITLAB_URL}/oauth/authorize?client_id=${client_id}&response_type=code&scope=${scope}&state=${
          state + '_gitlab'
        }&redirect_uri=${redirect_uri}&allow_signup=${allow_signup}`

我同时使用了 0.15.4 和 1.0.0a2 版本的 Authlib,但仍然遇到同样的问题。

更新: 我的 /auth/gitlab 的 request.session 看起来像

{'_state_gitlab_WiBjFgSNd5BV1A7hlDHX0': {'data': {'redirect_uri': 'http://localhost:8888/auth/gitlab', 'url': 'https://gitlab.com/oauth/authorize?response_type=code&client_id=e2dc9edc72dbcf5524910eca1d0577473b6005a833c97&redirect_uri=http%3A%2F%2Flocalhost%3A8888%2Fauth%2Fgitlab&scope=read_user%2Bprofile&state=WiBjFgSNd5BV1A7hlDHX0'}, 'exp': 1632275167.3455658}, '_state_gitlab_3YUfQJ4ubbNjErkqY4dJ7ZQMzzmCqt': {'data': {'redirect_uri': 'http://localhost:8888/auth/gitlab', 'url': 'https://gitlab.com/oauth/authorize?response_type=code&client_id=e2dc9edc72dbcf5524910eca1d0577473b6005a833c97&redirect_uri=http%3A%2F%2Flocalhost%3A8888%2Fauth%2Fgitlab&scope=read_user%2Bprofile&state=3YUfQJ4ubbNjErkqY4dJ7ZQMzzmCqt'}, 'exp': 1632275280.9188702}, '_state_gitlab_S3OQ93EDvralFGYiu5HxRWxUMWZFQh': {'data': {'redirect_uri': 'http://localhost:8888/auth/gitlab', 'url': 'https://gitlab.com/oauth/authorize?response_type=code&client_id=e2dc9edc72dbcf5524910eca1d0577473b6005a833c97&redirect_uri=http%3A%2F%2Flocalhost%3A8888%2Fauth%2Fgitlab&scope=read_user%2Bprofile&state=S3OQ93EDvralFGYiu5HxRWxUMWZFQh'}, 'exp': 1632275404.760191}, '_state_gitlab_vImiUiWK4VIUL82PywWlIZ1K9yA5Ss': {'data': {'redirect_uri': 'http://localhost:8888/auth/gitlab', 'url': 'https://gitlab.com/oauth/authorize?response_type=code&client_id=e2dc9edc72dbcf5524910eca1d0577473b6005a833c97&redirect_uri=http%3A%2F%2Flocalhost%3A8888%2Fauth%2Fgitlab&scope=read_user%2Bprofile&state=vImiUiWK4VIUL82PywWlIZ1K9yA5Ss'}, 'exp': 1632275509.933466}}

当我将 oauth_url 更改为弹出窗口时

const oauthUrl = `${GITLAB_URL}/oauth/authorize?client_id=${client_id}&response_type=code&scope=${scope}&state=${
          state + 'WiBjFgSNd5BV1A7hlDHX0'
        }&redirect_uri=${redirect_uri}&allow_signup=${allow_signup}`

我得到 python TypeError: Invalid type for url. Expected str or httpx.URL, got <class 'NoneType'>: None

【问题讨论】:

    标签: python python-3.x gitlab fastapi authlib


    【解决方案1】:

    对我来说,问题是 SessionMiddleware 选项上的 https_only 参数。 只有当我将其设置为 True 时它才有效。

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 2020-09-07
      • 2020-12-04
      • 2021-12-06
      • 2018-11-29
      • 1970-01-01
      • 2012-03-01
      • 2015-05-28
      • 2017-10-31
      相关资源
      最近更新 更多