堆栈内存溢出
  简体   繁体   English

如何使用 Axios 将 CSRF 令牌发送回服务器

[英]How to send back CSRF Token to server with Axios

 原文  2021-11-06 06:36:52       node.js/ express/ axios

问题描述

I have an Express Server with an endpoint that generates the csrf token for the client,我有一个带有端点的 Express Server,可以为客户端生成 csrf 令牌,

Now, I tried sending back the token in my axios request as below but I keep getting the usual Forbidden: invalid csrf token error.现在,我尝试在我的 axios 请求中发回令牌,如下所示,但我一直收到通常的 Forbidden: invalid csrf token 错误。

Below is my code:下面是我的代码:

static async attachCSRFTokenToHeaders(headers) {
    let csrfTokenRequest = await axios.get(EndPoints.CSRF_TOKEN);
    let csRefToken = csrfTokenRequest.data;
    headers['X-CSRF-TOKEN'] = csRefToken.csrfToken;
}

static async getRequestHeaders() {
    let headers = {};
    //Possibly add more headers
    await this.attachCSRFTokenToHeaders(headers); //Attach the csrf token to the headers of each request
    return headers;
}


static async logInManually(email, password, cb) {
    let requestBody = { email, password};
    axios.post(EndPoints.SIGN_IN, requestBody, {
        headers: await this.getRequestHeaders() //Attach the headers here
    }).then((response) => {
        cb(HttpSuccessDataHandler.getSuccessResponseData(response), null);
    }).catch((e) => {
        cb(null, HttpErrorHandler.spitHttpErrorMsg(e));
    });
}

But the server still keeps throwing the usual:但是服务器仍然不断抛出通常的:

ForbiddenError: invalid csrf token ForbiddenError:无效的 csrf 令牌

Here is a snippet into my server setup这是我的服务器设置中的一个片段

const csrf = require('csurf');
const cookieParser = require('cookie-parser');
const session = require('express-session');

....

initMiddleWare() {
        app.use(express.static('./static'));
        app.use(express.json());
        app.use(express.urlencoded({ extended: true }));
        app.use(cookieParser())
        app.use(session({
            secret: Constants.SESSIONS_SECRET,
            resave: false,
            saveUninitialized: false
        }));
        app.use(busboy({
            highWaterMark: 2 * 1024 * 1024,
            limits: {
                fileSize: maxFileSize,
            }
        }));
        app.use(csrf({ cookie: true }))
    }


 //Then somewhere in my routes, here is the route that provides the csrf token
.....
   app.get(Routes.CSRF_TOKEN, function (req, res) {
        res.send({ csrfToken: req.csrfToken() });
       });
....

1 个解决方案

解决方案1
 0  2021-11-06 08:20:03

Because of csrf({cookie: true}) , the CSRF token is bound to a cookie.由于csrf({cookie: true}) ,CSRF 令牌绑定到 cookie。 The axios.post request must contain not only the CSRF token in a header, but also the cookie that was received with the response to the previous axios.get request. axios.post请求不仅必须在标头中包含 CSRF 令牌,还必须包含响应前一个axios.get请求而收到的 cookie。 Your code sets only the header.您的代码仅设置标题。 Unless axios handles the cookies automatically (like a browser would do), you must include client-side code for handling them as well.除非axios自动处理 cookie(就像浏览器那样),否则您还必须包含客户端代码来处理它们。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 无法将身份验证令牌发送到服务器 axios - Unable to send auth token to server axios 如何在expressjs中的AJAX请求(没有Jquery)中发送csrf令牌? - How to send csrf token in AJAX request (Without Jquery) in expressjs? 如何在GET请求中发送x-csrf-token? - How to send x-csrf-token in a GET request? 使用内置CSRF保护的node.js服务器,移动应用如何接收CSRF令牌? - with node.js server built in CSRF protection, how do the mobile apps receives the CSRF token? 如何绕过内置CSRF保护的axios? - How to bypass axios built in CSRF protection? 如何将令牌从服务器发送到客户端? - How to send token from server to client? 如何使用 AXIOS 使用 object 向我的 NodeJS 服务器发送 POST 请求? - How to send a POST request to my NodeJS server with an object using AXIOS? 带有 axios 的 Nodemon 服务器 - 无法发送 - Nodemon server with axios - Unable to Send 如何将文件传递给服务器,然后将其发送回客户端? - How to pass a file to server and then send it back to client? 为什么当我通过请求将令牌发送到后端时,CSRF 令牌总是说无效的 CSRF? - why CSRF token always say invalid CSRF while I send the token through request to the backend?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM