cakephp3.7 测试中的 CSRF 令牌不匹配

Question

测试/TestCase/Controller/FeedbackControllerTest.php:45

public function testAdd()
{
    $this->enableCsrfToken();
    $this->enableSecurityToken();
    $this->session([
        'Auth' => [
            'User' => [
                'id' => 1,
                'role' => 'REPR',
            ]
        ]
    ]);
    $this->configRequest([
        'headers' => ['Accept' => 'application/json']
    ]);
    $_data = [
        'crash' => 1,
        'details' => 'Lorem ipsum dolor sit amet'
    ];
    $_data = json_encode($_data, JSON_PRETTY_PRINT);
    $this->post('/feedback/add', $_data); // <---- 45
    $expected = [
        'status' => 'success'
    ];
    $expected = json_encode($expected, JSON_PRETTY_PRINT);
    $this->assertEquals($expected, (string)$this->_response->getBody());
}

PHPUnit 输出：

1) App\Test\TestCase\Controller\FeedbackControllerTest::testAdd
Cake\Http\Exception\InvalidCsrfTokenException: Missing CSRF token cookie

/vagrant/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php:196
/vagrant/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php:120
/vagrant/vendor/cakephp/cakephp/src/Http/Middleware/CsrfProtectionMiddleware.php:106
/vagrant/vendor/cakephp/cakephp/src/Http/Runner.php:65
/vagrant/vendor/cakephp/cakephp/src/Http/Runner.php:51
/vagrant/vendor/cakephp/cakephp/src/Routing/Middleware/RoutingMiddleware.php:168
/vagrant/vendor/cakephp/cakephp/src/Http/Runner.php:65
/vagrant/vendor/cakephp/cakephp/src/Routing/Middleware/AssetMiddleware.php:88
/vagrant/vendor/cakephp/cakephp/src/Http/Runner.php:65
/vagrant/vendor/cakephp/cakephp/src/Error/Middleware/ErrorHandlerMiddleware.php:96
/vagrant/vendor/cakephp/cakephp/src/Http/Runner.php:65
/vagrant/vendor/cakephp/cakephp/src/Http/Runner.php:51
/vagrant/vendor/cakephp/cakephp/src/Http/Server.php:98
/vagrant/vendor/cakephp/cakephp/src/TestSuite/MiddlewareDispatcher.php:201
/vagrant/vendor/cakephp/cakephp/src/TestSuite/IntegrationTestTrait.php:516
/vagrant/vendor/cakephp/cakephp/src/TestSuite/IntegrationTestTrait.php:413
/vagrant/tests/TestCase/Controller/FeedbackControllerTest.php:45

我已经阅读并尝试了答案中的解决方案：

How to create CSRF token for Cakephp 3 PHPunit testing?

如果我像@ndm 所说的那样添加：

$token = 'my-csrf-token';

$this->cookie('csrfToken', $token);

$data = [
    'email' => 'info@example.com',
    'password' => 'secret',
    '_csrfToken' => $token
];

然后：

Cake\Http\Exception\InvalidCsrfTokenException: CSRF 令牌不匹配。

如何解决？

Answer 1

当将字符串作为 POST 数据传递时，集成测试用例不会自动设置令牌，CSRF 令牌和安全令牌都不会，因为它无法在不知道数据格式的情况下向字符串注入任何内容。因此它也不会设置 cookie。

因此，在您传递字符串数据的情况下，您必须手动设置 cookie 和令牌，与您链接的答案中描述的类似。但是，当使用除application/x-www-form-urlencoded 数据以外的任何数据（即 PHP 将解码并放入 $_POST 超全局的数据）时，在您的示例 JSON 数据中，您必须将令牌作为标头传递，因为 JSON 输入数据将是由请求处理程序组件解码（计划将其移至中间件层 IIRC），该组件在 CSRF 中间件之后运行，因此不会看到任何发布数据。

例子：

$token = 'my-csrf-token';
$this->cookie('csrfToken', $token);

$this->configRequest([
    'headers' => [
        'X-CSRF-Token' => $token,
        // ...
    ]
]);

另一方面，安全组件令牌必须进入 POST 数据，安全组件不会查找标头，并且在请求处理程序组件运行后它可以访问解码的数据（确保您在安全组件之前加载请求处理程序组件！）。您可以参考\Cake\TestSuite\IntegrationTestTrait::_addTokens() 来源来了解如何构建安全令牌，您可以这样做：

$url = '/feedback/add';

$_data = [
    'crash' => 1,
    'details' => 'Lorem ipsum dolor sit amet'
];

$keys = array_map(
    function ($field) {
        return preg_replace('/(\.\d+)+$/', '', $field);
    },
    array_keys(Hash::flatten($_data))
);

$tokenData = $this->_buildFieldToken($url, array_unique($keys));

$_data['_Token'] = $tokenData;
$_data['_Token']['debug'] = 'SecurityComponent debug data would be added here';

请注意，传递给_buildFieldToken() 的 URL 还必须包含可能的查询字符串数据！

Answer 2

您能否在您的 jquery ajax 函数中尝试此代码，

beforeSend: function (xhr) 
{
    xhr.setRequestHeader('X-CSRF-Token', $('[name="_csrfToken"]').val());
},

将代码放在成功函数之前