处理交叉原点的 Angular 2 csrf
[英]Handling Angular 2 csrf for cross origins
问题描述
below is the architecture of our application.
下面是我们应用程序的架构。
- the web interface [the client] is standalone Angular 2 application [domain.com] Web 界面[客户端]是独立的 Angular 2 应用程序[domain.com]
- the [proxy] which held the client credential [the web interface secret] [domain2.com]持有客户端凭据的[代理] [Web 界面机密] [domain2.com]
- the [API] itself which has the auth server [domain3.com]具有身份验证服务器[domain3.com]的[API]本身
the application flow are like below:申请流程如下:
- user enter his credential username+password into [the client] login page which then send it to the [proxy] .用户将他的凭据用户名+密码输入[客户端]登录页面,然后将其发送到[代理] 。
- then proxy will append the credential to the request and forward it to the [API] .然后代理会将凭据附加到请求并将其转发到[API] 。
- [API] will be able to obtain the access+refresh tokens after validating the user credential & return it to the [proxy] [API]将能够在验证用户凭据后获取访问+刷新令牌并将其返回给[代理]
- [proxy] return the response along with the header [Set-Cookie:XSRF-TOKEN] [代理]将响应与标头[Set-Cookie:XSRF-TOKEN] 一起返回
- [client] should then able to read the [XSRF-TOKEN] & send it along with every request as [X-XSRF-TOKEN] header. [client]然后应该能够读取[XSRF-TOKEN]并将它与每个请求一起作为[X-XSRF-TOKEN]标头发送。
everything is working as expected both on the auth server, proxy & the client except for step 5:除了第 5 步之外,在身份验证服务器、代理和客户端上一切都按预期工作:
Angular should be able to handle this automatically as per the documentation Angular 应该能够根据文档自动处理这个问题
{ provide: XSRFStrategy, useValue: new CookieXSRFStrategy('XSRF-TOKEN', 'X-CSRF-TOKEN')}
where is angular will be able to get the value of the [XSRF-TOKEN] cookie and create the [X-CSRF-TOKEN] header along with every request we made through the application.其中 angular 将能够获取[XSRF-TOKEN] cookie 的值并创建[X-CSRF-TOKEN]标头以及我们通过应用程序发出的每个请求。
although & as I building the architecture using different origins, angular could not be able to read cookie from another origin.虽然 & 当我使用不同的来源构建架构时,angular 无法从另一个来源读取 cookie。
The problem with this approach I am facing is that since the server is in different domain, I cannot read the cookie through XSRFStrategy provider.我面临的这种方法的问题是,由于服务器在不同的域中,我无法通过 XSRFStrategy 提供程序读取 cookie。 Is there a way to read a value of that cookie?有没有办法读取那个 cookie 的值?
If not, so the current architecture is wrong & I need to build the [client] & [proxy] in the same domain which I am avoided this approach because I need to separate the presentation layer from any backend code.如果不是,那么当前的架构是错误的,我需要在同一个域中构建[client]和[proxy] ,我避免了这种方法,因为我需要将表示层与任何后端代码分开。
So, simply my question is how to implement csrf protection for this kind of situation?所以,我的问题是如何针对这种情况实施 csrf 保护?
1 个解决方案
解决方案1
2 已采纳 2017-09-09 07:00:40
In your port you mention "access+refresh tokens", which sounds like you'd be using OAuth.在您的端口中,您提到了“访问+刷新令牌”,这听起来像是您在使用 OAuth。 In a cross-origin scenario, CSRF is often simply not an issue.在跨域场景中,CSRF 通常根本不是问题。 If there is any kind of HTTP Header your client needs to send to authenticate, you can safely disable CSRF.如果您的客户端需要发送任何类型的 HTTP Header 进行身份验证,您可以安全地禁用 CSRF。
A CSRF attack would make your browser send cookie stored for the [API] domain, and with some hacks the attacker might also send a "X-Requested-With: XMLHttpRequest". CSRF 攻击会使您的浏览器发送为 [API] 域存储的 cookie,并且通过一些黑客攻击,攻击者还可能发送“X-Requested-With: XMLHttpRequest”。 But if your API also needs a "Authorization: Bearer ..." token, you can drop the whole CSRF nuisance.但是,如果您的 API 还需要“授权:不记名...”令牌,您可以放弃整个 CSRF 的麻烦。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.