【发布时间】:2020-07-01 07:03:11
【问题描述】:
我的设置
我有一个带有 REST API 的服务器,它在带有 API 平台的 Symfony 上运行。我的资源的 GET 请求不需要授权,但是其他操作需要授权。使用 JWT Bearer 令牌处理授权。
客户端使用 React-admin 和 API Platform Admin。我添加了这段代码来发送 JWT 令牌以及操作:
// dataProvider.js
import React from "react";
import { hydraDataProvider, fetchHydra as baseFetchHydra } from "@api-platform/admin";
export default entrypoint => {
const fetchHeaders = { Authorization: `Bearer ${localStorage.getItem("token")}` };
const fetchHydra = (url, options = {}) => baseFetchHydra(url, {
...options,
headers: new Headers(fetchHeaders),
});
return hydraDataProvider(entrypoint, fetchHydra);
};
问题
当我现在登录到我的管理界面时,我收到了一个 401 Unauthorized 响应,因为服务器不期望 GET 请求的令牌。
请求标头:
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: application/ld+json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:3000/
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpYXQiOjE1ODQ2NzcwMTYsImV4cCI6MTU4NDY4MDYxNiwicm9sZXMiOlsiUk9MRV9BRE1JTiJdLCJ1c2VybmFtZSI6IlNvbWVib2R5In0.O_StagfEJy5VQS-5s-DjuwzOlUgrl3MTmxPfZUU0J1go06tKOpLjiBrEIJpjo5AK67w93SfsUaIBop8apoacHQ
Content-Type: application/ld+json
Origin: http://localhost:3000
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
TE: Trailers
响应标头:
HTTP/2 401 Unauthorized
access-control-allow-origin: http://localhost:3000
access-control-expose-headers: link
cache-control: no-cache, private
content-type: application/json
date: Fri, 20 Mar 2020 04:40:39 GMT
link: <https://localhost:8000/api/docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation"
www-authenticate: Bearer
x-debug-token: 720652
x-debug-token-link: https://localhost:8000/_profiler/720652
x-powered-by: PHP/7.4.1
x-robots-tag: noindex
content-length: 282
X-Firefox-Spdy: h2
当我从浏览器的请求标头中手动删除授权行并重试时,它可以工作。
我的问题:
- 这甚至是预期的行为吗?
- 客户端应该总是发送令牌吗?
- 如果应该始终发送令牌,即使不需要,我如何告诉 API 平台接受它?
- 如果令牌应该只在需要时发送,我如何让 hydraDataProvider 知道?
【问题讨论】:
标签: reactjs rest jwt react-admin api-platform.com