Nuxt auth 模块 axios 未根据请求设置 CSRF 令牌
[英]Nuxt auth module axios not setting CSRF token on request
问题描述
I'm using the Nuxt auth module v5 and the Laravel sanctum provider.
我正在使用 Nuxt auth 模块 v5 和 Laravel sanctum provider。 My csrf-cookie route works fine, and my login route works fine, but when trying to call this.$axios from a function, such as when creating a user's account (since auth module doesn't offer this) I'm getting a CSRF token mismatch.我的 csrf-cookie 路由工作正常,我的登录路由工作正常,但是当尝试从函数调用this.$axios时,例如在创建用户帐户时(因为 auth 模块不提供此功能)我得到了CSRF 令牌不匹配。
It would appear that using axios directly like this doesn't have access to setting the cookie since no user logged in, how can I get the cookie to be set?看起来像这样直接使用 axios 无法设置 cookie,因为没有用户登录,我怎样才能设置 cookie?
Method for account creation账户创建方法
/*
** Create accounr
*/
createAccount () {
this.feedback.isShown = false
this.isCreatingAccount = true
if (this.apiAccountCreationSource) this.apiAccountCreationSource.cancel('aborted')
const CancelToken = this.$axios.CancelToken
this.apiAccountCreationSource = CancelToken.source()
this.$axios.post(`${this.$config.apiUrl}/api/account`, this.account, {
cancelToken: this.apiAccountCreationSource.token,
timeout: 30 * 1000
}).then(res => {
this.apiAccountCreationSource = null
this.setContextualResponse(res)
setTimeout(() => {
this.login()
}, 250)
}).catch(err => {
this.setContextualResponse(err.response ? err.response.data : null)
}).finally(() => {
this.isCreatingAccount = false
})
},
Nuxt config Nuxt 配置
// Axios module configuration: https://go.nuxtjs.dev/config-axios
axios: {
credentials: true,
baseURL: process.env.API_DOMAIN
},
// Auth module configuration: https://auth.nuxtjs.org/
auth: {
redirect: {
login: '/account/login/',
logout: '/account/login/',
callback: '/account/login/',
home: '/account/dashboard/'
},
strategies: {
'laravelSanctum': {
provider: 'laravel/sanctum',
url: process.env.API_DOMAIN,
endpoints: {
login: { url: '/api/login', method: 'post' },
logout: { url: '/api/account/logout', method: 'post' },
user: { url: '/api/account', method: 'get', propertyName: 'user' }
}
}
}
},
1 个解决方案
解决方案1
0 2021-11-15 16:39:09
If you need to get the CSRF token all you need to do is make a request to your token endpoint and your browser should save the XSRF token.如果您需要获取 CSRF 令牌,您需要做的就是向您的令牌端点发出请求,您的浏览器应保存 XSRF 令牌。 Then axios will automatically send this token in every subsequent request.然后 axios 会在每个后续请求中自动发送这个令牌。
So all that you need to do is make a axios GET request to your csrf-cookie route before you send your POST request.因此,您需要做的就是在发送 POST 请求之前向您的 csrf-cookie 路由发出 axios GET 请求。
Simply make a request to set the XSRF token before making a POST:只需在进行 POST 之前发出设置 XSRF 令牌的请求:
this.$axios.get(`${this.$config.apiUrl}/sanctum/csrf-cookie`)
Or you can chain both requests doing something like this:或者,您可以将两个请求链接起来,执行以下操作:
this.$axios.get(`${this.$config.apiUrl}/sanctum/csrf-cookie`).then(() => {
return this.$axios.post(`${this.$config.apiUrl}/api/account`, this.account, {
cancelToken: this.apiAccountCreationSource.token,
timeout: 30 * 1000
}).then((res) => {
this.apiAccountCreationSource = null
this.setContextualResponse(res)
setTimeout(() => {
this.login()
}, 250)
}).catch((err) => {
this.setContextualResponse(err.response ? err.response.data : null)
}).finally(() => {
this.isCreatingAccount = false
})
})
Notice how we're sending a GET request to the csrf route before the POST request.请注意我们如何在 POST 请求之前向 csrf 路由发送 GET 请求。
Your authentication strategy works without this hassle because it handles this csrf request internally ( https://github.com/nuxt-community/auth-module/blob/dev/src/providers/laravel-sanctum.ts )您的身份验证策略没有这个麻烦,因为它在内部处理这个 csrf 请求( https://github.com/nuxt-community/auth-module/blob/dev/src/providers/laravel-sanctum.ts )
References:参考:
https://laravel.com/docs/8.x/sanctum#csrf-protection https://laravel.com/docs/8.x/sanctum#csrf-protection
https://github.com/axios/axios/issues/708#issuecomment-280920224 https://github.com/axios/axios/issues/708#issuecomment-280920224
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.