Django CSRF 和 axios 发布 403 Forbidden
[英]Django CSRF and axios post 403 Forbidden
问题描述
I use Django with graphene for back-end and Nuxt for front-end.
我使用 Django 和石墨烯作为后端,使用 Nuxt 作为前端。 The problem appears when I try post requests from nuxt to django.当我尝试将请求从 nuxt 发布到 django 时出现问题。 In postman everything works great, in nuxt I receive a 403 error.在邮递员中一切正常,在 nuxt 中我收到 403 错误。
Django姜戈
# url.py
urlpatterns = [
path('admin/', admin.site.urls),
path('api/', GraphQLView.as_view(graphiql=settings.DEBUG,
schema=schema)),
]
# settings.py
CORS_ORIGIN_WHITELIST = 'http://localhost:3000'
CORS_ALLOW_CREDENTIALS = True
CSRF_USE_SESIONS = False
CSRF_COOKIE_HTTPONLY = False
CSRF_COOKIE_SAMESITE = None
NuxtJs NuxtJs
# nuxt.config.js
axios: {
baseURL: 'http://127.0.0.1:8000/',
debug: false,
progress: true,
credentials: true
},
# plugins/axios.js
await $axios.onRequest((config) => {
config.headers.common['Content-Type'] = 'application/json'
config.xsrfCookieName = 'csrftoken'
config.xsrfHeaderName = 'X-CSRFToken'
const csrfCookie = app.$cookies.get('csrftoken')
config.headers.common['X-CSRFToken'] = csrfCookie
console.log(config)
# store/contact.js
import { AddMessage } from '../queries/contact.js'
export const actions = {
async send() {
const message = await this.$axios({
url: 'api/',
method: 'POST',
data: AddMessage
})
}
}
# queries/contact.js
export const AddMessage = {
query: `
mutation AddContact($input: AddMessageInput!){
addMessage(input: $input){
message{
name
email
body
terms
}
}
}
`,
variables: `
{
"input":{
"name": "test",
"email": "test@test.com",
"body": "test",
"terms": true,
}
}
`,
operationName: 'AddMessage'
}
Somethig that某事
Here are request headers from axios post.这是来自 axios 帖子的请求标头。 Something strange for me is the cookie with a wrong value.对我来说奇怪的是 cookie 的值错误。 The good value of token is present in X-CSRFToken header.令牌的良好价值存在于 X-CSRFToken 标头中。
Here is the log from axios post request.这是来自 axios post 请求的日志。 Another strange thing for me is the undefined headers: Content-Type and X-CSRFToken对我来说另一个奇怪的事情是未定义的标头:Content-Type 和 X-CSRFToken
Thank you!谢谢!
1 个解决方案
解决方案1
0 2020-03-24 11:51:51
I resolved this problem and I want to share the solution here.我解决了这个问题,我想在这里分享解决方案。
The problem with wrong cookie value was generated by the front end app that managed (I don't remember how) to get csrf cookie from the back end app. cookie 值错误的问题是由管理(我不记得如何)从后端应用程序获取 csrf cookie 的前端应用程序生成的。 In X-CSRFToken header was token received from response's Set-cookie header and in Cookie header was the cookie from back end app.在X-CSRFToken标头中,令牌是从响应的Set-cookie标头接收的,在Cookie标头中是来自后端应用程序的 cookie。
After I changed localhost with 127.0.0.1 and added config.xsrfCookieName = 'csrftoken' in axios plugin I was able to separate the apps, save and use cookies independent.在我用127.0.0.1更改localhost并在 axios 插件中添加config.xsrfCookieName = 'csrftoken' ,我能够分离应用程序,独立保存和使用 cookie。
The second problem, with undefined headers was generated by axios.第二个问题,未定义的头是由 axios 生成的。 These 2 line of code resolved the problem.这两行代码解决了这个问题。 These were added also in axios onRequest method.这些也在 axios onRequest 方法中添加。
config.xsrfHeaderName = 'X-CSRFToken'
config.headers['Content-Type'] = 'application/json'
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.