如何从Rails控制台生成CSRF令牌?
[英]How do I generate a CSRF token from the Rails console?
问题描述
I'm trying to make an authenticated post request, and I need the CSRF. 
我正在尝试进行经过身份验证的帖子请求,我需要CSRF。 When I log in, it isn't generating the _csrf_token for some reason: 当我登录时,由于某种原因它没有生成_csrf_token :
2.0.0p247 :126 > app.post '/community_members/login', {"refinery_user[login]"=>'chloe', 'refinery_user[password]'=>'test'}
=> 302
2.0.0p247 :127 > app.session
=> {"warden.user.refinery_user.key"=>[[56], "$2a$10$gr/rTcQfuXnes1Zml3qOPu"], "session_id"=>"f77d89cef9ff1710890f575b479bb690"}
I tried app.session[:_csrf_token] ||= SecureRandom.base64(32) before login, but it is always deleted. 我在登录前尝试了app.session[:_csrf_token] ||= SecureRandom.base64(32) ,但它总是被删除。 I also tried to get the login form first, but _csrf_token is still not set. 我还试图首先获取登录表单,但仍未设置_csrf_token 。
2.0.0p247 :133 > app.get '/community_members/sign_in'
2.0.0p247 :134 > app.response # authenticity_token is burried in the raw HTML
2.0.0p247 :136 > app.post '/community_members/login', {"refinery_user[login]"=>'chloe', 'refinery_user[password]'=>'test'}
2.0.0p247 :137 > app.session
=> {"warden.user.refinery_user.key"=>[[56], "$2a$10$gr/rTcQfuXnes1Zml3qOPu"], "session_id"=>"c2c564229e55b81ca788788558d7d11a"}
How do I manually generate the token to pass to the post request? 如何手动生成令牌以传递给帖子请求?
Oh ok, I think I need to submit the authenticity_token (that is set in the session after GETing the login form) to the login form, then it puts it in the session permanently! 哦,好吧,我想我需要在登录表单中提交authenticity_token(在获取登录表单后在会话中设置),然后将其永久地放入会话中! This worked: 这有效:
app.post '/community_members/login', {'authenticity_token'=>'GfT5GtcUmYQ927oNQmh2MR0NKQucGSx8mtMg3Ph9kXw=', "refinery_user[login]"=>'chloe', 'refinery_user[password]'=>'test'}
Here is a full example: https://stackoverflow.com/a/23899701/148844 以下是一个完整的示例: https : //stackoverflow.com/a/23899701/148844
3 个解决方案
解决方案1
7 已采纳 2014-07-29 17:42:53
I felt like using Nokogiri to parse the response was a little heavy so I wrote a simple regex to pull the authenticity token out of the response. 我觉得使用Nokogiri解析响应有点沉重,所以我写了一个简单的正则表达式来将真实性标记从响应中拉出来。
app.get '/api_with_form'
authenticity_token = app.response.body.match(/<[^<]+authenticity_token[^>]+value="([^"]+)"[^>]+>/)[1]
I'm using this to log in 我正在使用它登录
app.get '/users/sign_in'
authenticity_token = app.response.body.match(/<[^<]+authenticity_token[^>]+value="([^"]+)"[^>]+>/)[1]
app.post '/users/sign_in', 'user[email]' => 'my_username', 'user[password]' => 'my_password', authenticity_token: authenticity_token
解决方案2
3 2014-05-28 21:22:49
Unless you load the page before you do app.post , there is no CSRF token generated to begin with. 除非您在执行app.post之前加载页面,否则不会生成任何CSRF令牌。 Manually generating a new one will not help because it won't match what is stored on the server, which is likely to be some null value. 手动生成一个新的将无济于事,因为它与服务器上存储的内容不匹配,这可能是一些null值。
You need to load the page, parse out the CSRF token, and then use that one. 您需要加载页面,解析出CSRF令牌,然后使用该令牌。
Alternately, you can load the form, try to read the CSRF token out of app.session[:_csrf_token] and use that. 或者,您可以加载表单,尝试从app.session[:_csrf_token]读取CSRF令牌并使用它。
解决方案3
2 2016-06-17 05:38:43
I use these commands in rails console: 我在rails控制台中使用这些命令:
app_controller = ActionController::Base::ApplicationController.new
app_controller.request = ActionDispatch::Request.new({})
app_controller.send(:form_authenticity_token)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.