
How to protect the Login and Register endpoints (views) of an API built with DRF, which uses JWT for authentication, from CSRF?

I have been searching and reading other questions and blogs, but I didn't find anything concrete about my doubt.

A little context:

I am developing a SPA which works with a REST API in Django by means of Django Rest Framework (DRF), and the authentication is made through a Bearer token: JWT (package 'Simple JWT'). So, I was reading whether it needs protection against CSRF:

Do I need CSRF token if I'm using Bearer JWT?

Should I use CSRF protection on Rest API endpoints?

The Web API Authentication guide, Bearer tokens

Basically, if the browser does not authenticate automatically (with sessions or some kind of cookie), the odds of a CSRF vulnerability are slim. This approach is achieved with Bearer Tokens, using the JWT inside the 'Authorization' header.

Updated: In this development stage Django-CORS is set up, but in production a proxy will be configured through Nginx, avoiding CORS attacks.

The problem:

There are some public endpoints that don't need authentication, so I used this permission in the DRF settings:

'DEFAULT_PERMISSION_CLASSES': ['rest_framework.permissions.IsAuthenticatedOrReadOnly'],

This way, unauthorized users can only make safe requests (methods GET, HEAD and OPTIONS). Users with a JWT can perform any kind of request.

The login and register views work through POST requests, because they modify the state of the application. The issue is that the above permission prevents the 'anonymous' (to call it somehow) user from being able to register or login. The question is, how do I protect them?

I have thought of maybe changing the permission on these views to 'AllowAny'. But I don't know if this brings back the concern about CSRF, because there is no Bearer token here, or perhaps other security vulnerabilities that I can't even imagine.

Another possibility is to only use the CSRF token in these views.

Or is there any better approach to protect these two endpoints?

I hope someone will be able to help me!

You can use CSRF tokens in your login and registration forms, and this will sufficiently protect you from CSRF attacks against these endpoints. You would then obviously have to allow anonymous access to these endpoints. It's usual that login and registration endpoints are not behind a firewall and are accessible to anonymous users.
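As an added illustration (not code from the question or the answer), here is the pairing that the recommended CSRF token performs on a POST to the AllowAny login/register view: the server unmasks the X-CSRFToken header and compares it with the csrftoken cookie, so a cross-site form post, which cannot read that cookie, fails the check. The functions reimplement Django's documented token format in plain Python; names such as csrf_check are my own.

```python
import hmac
import secrets
import string

# Django's CSRF token format, reimplemented in plain Python for illustration
# (assumption: this mirrors django.middleware.csrf but is not the project's code).
# The 32-char secret lives in the "csrftoken" cookie; the SPA sends a 64-char
# masked copy (random mask + secret shifted by the mask) in the X-CSRFToken header.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH

def _random_chars(n: int) -> str:
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(n))

def new_secret() -> str:
    """Secret the server sets in the csrftoken cookie (stored unmasked)."""
    return _random_chars(CSRF_SECRET_LENGTH)

def mask_secret(secret: str) -> str:
    """Masked token given to the client; a fresh mask per token defeats BREACH."""
    mask = _random_chars(CSRF_SECRET_LENGTH)
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in secret), (chars.index(c) for c in mask))
    return mask + "".join(chars[(x + y) % len(chars)] for x, y in pairs)

def unmask_token(token: str) -> str:
    """Recover the secret from a masked token (a negative index wraps around)."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(c) for c in cipher), (chars.index(c) for c in mask))
    return "".join(chars[x - y] for x, y in pairs)

def _is_sane(value: str, length: int) -> bool:
    return len(value) == length and all(c in CSRF_ALLOWED_CHARS for c in value)

def csrf_check(cookies: dict, headers: dict) -> bool:
    """Server-side check for a POST to the AllowAny login/register view."""
    cookie_secret = cookies.get("csrftoken", "")
    request_token = headers.get("X-CSRFToken", "")
    if not _is_sane(cookie_secret, CSRF_SECRET_LENGTH):
        return False  # no usable cookie: a cross-site form post cannot read or set ours
    if _is_sane(request_token, CSRF_TOKEN_LENGTH):
        request_token = unmask_token(request_token)  # masked form from the header
    elif not _is_sane(request_token, CSRF_SECRET_LENGTH):
        return False  # wrong length or alphabet
    return hmac.compare_digest(request_token, cookie_secret)  # constant-time compare
```

In Django this comparison is done by CsrfViewMiddleware; on a DRF view with AllowAny it is enabled by applying csrf_protect to dispatch, and the SPA must first obtain the cookie from an endpoint decorated with ensure_csrf_cookie.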
