【问题标题】:CSRF problems with sailsjsSailsjs 的 CSRF 问题
【发布时间】:2016-06-02 15:26:19
【问题描述】:

我在使用sails.js 的csrf 时遇到了一些问题,我激活了它并像在sailsjs 文档中一样创建了隐藏字段,但是当我提交表单时,我总是得到这个响应:

Error: Forbidden
    at Object.exports.error (/Users/matheus/Development/javascript/activity_overlord/node_modules/sails/node_modules/express/node_modules/connect/lib/utils.js:62:13)
    at createToken (/Users/matheus/Development/javascript/activity_overlord/node_modules/sails/node_modules/express/node_modules/connect/lib/middleware/csrf.js:82:55)
    at /Users/matheus/Development/javascript/activity_overlord/node_modules/sails/node_modules/express/node_modules/connect/lib/middleware/csrf.js:48:24
    at routes.before./* (/Users/matheus/Development/javascript/activity_overlord/node_modules/sails/lib/hooks/csrf/index.js:26:28)
    at _bind.enhancedFn (/Users/matheus/Development/javascript/activity_overlord/node_modules/sails/lib/router/bind.js:375:4)
    at callbacks (/Users/matheus/Development/javascript/activity_overlord/node_modules/sails/node_modules/express/lib/router/index.js:164:37)
    at param (/Users/matheus/Development/javascript/activity_overlord/node_modules/sails/node_modules/express/lib/router/index.js:138:11)
    at pass (/Users/matheus/Development/javascript/activity_overlord/node_modules/sails/node_modules/express/lib/router/index.js:145:5)
    at nextRoute (/Users/matheus/Development/javascript/activity_overlord/node_modules/sails/node_modules/express/lib/router/index.js:100:7)
    at callbacks (/Users/matheus/Development/javascript/activity_overlord/node_modules/sails/node_modules/express/lib/router/index.js:167:11)

有人可以帮我找到解决方案吗?我认为这是一件简单的事情,我只是不知道这是什么“简单的事情”

【问题讨论】:

  • 在浏览器中查看表单的 HTML 源代码。您创建的隐藏字段中是否真的有 CSRF 值?
  • 我在打开和关闭时遇到问题,这很烦人

标签: node.js sails.js csrf


【解决方案1】:

如果您的应用处于生产模式,它会根据默认的forbidden.js 文件使用“Forbidden”屏蔽csrf 不匹配响应。

您可以通过创建文件“api/responses/forbidden.js”并将其内容复制到其中来覆盖它

https://github.com/balderdashy/sails/blob/master/lib/hooks/responses/defaults/forbidden.js#L35

请注意,我突出显示了导致此问题的行,您将在此处添加数据检查 === 'CSRF Mismatch' 并避免将数据更改为未定义,或根据需要更改响应。

【讨论】:

    【解决方案2】:

    首先你需要通过调用webservice(/csrfToken)来获取CSRF token。作为回应,您将获得一个令牌。您需要在所有后续请求中将该令牌发送到服务器。

    $http.get($scope.baseUrl + '/csrfToken')
        .success(function(csrfObj) {
            csrfToken = csrfObj._csrf;
        });
    
    $http.post('/chat/addconv/',{user:$scope.chatUser,message: $scope.chatMessage, _csrf:csrfToken});
    

    【讨论】:

      【解决方案3】:

      您可以为此创建一个简单的指令

      (function() {
        'use strict';
      
        angular
            .module('app')
            .directive('csrf', csrf);
      
        csrf.$inject = ['$http'];
      
        function csrf($http) {
          var directive = {
            restrict: 'A',
            link: function(scope, element, attr) {
              $http({method: 'GET', url: '/csrfToken', cache: true}).then(function(result) {
                try {
                  $http.defaults.headers.post['X-CSRF-Token'] = result.data._csrf;
                } catch(e) {
                  // do something
                }
              });
            }
          };
      
          return directive;
        }
      })();
      

      然后将它与表单一起使用

      <form csrf name="form">
      

      【讨论】:

        猜你喜欢
        • 1970-01-01
        • 1970-01-01
        • 2017-11-14
        • 2011-11-22
        • 1970-01-01
        • 1970-01-01
        • 2012-03-26
        • 2011-11-12
        • 2011-10-07
        相关资源
        最近更新 更多