Django Angular 403 Django not accepting CSRF-cookie: “CSRF token missing or incorrect.”
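I am trying to build an SPA using Angular 6 together with Django. I have a problem with Django not accepting the csrftoken cookie that I send with the request.
In my settings.py, CSRF_USE_SESSIONS = False.
This is a picture of the cookie being set by the browser on a GET request:
The cookie does not change between requests: if I perform another GET request after this one, I get the same cookie set.
The cookie strategy is set up as follows: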
```typescript
import { BrowserModule } from '@angular/platform-browser';
import { FormsModule, ReactiveFormsModule } from '@angular/forms';
import { NgModule } from '@angular/core';
import { HttpClientModule } from '@angular/common/http';
import { HttpModule, XSRFStrategy, CookieXSRFStrategy } from '@angular/http'
import ....

@NgModule({
  declarations: [
    AppComponent,
    RegisterComponent,
    LoginComponent,
    AlertComponent,
    ProfileComponent,
    RegisterinvoiceComponent,
  ],
  imports: [
    BrowserModule,
    FormsModule,
    ReactiveFormsModule,
    AppRoutingModule,
    HttpClientModule,
    HttpModule
  ],
  providers: [
    {
      provide: XSRFStrategy,
      useValue: new CookieXSRFStrategy('csrftoken', 'X-CSRFToken')
    }
  ],
  bootstrap: [AppComponent]
})
export class AppModule { }
```
And my Django view code:
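```python
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import ensure_csrf_cookie
from rest_framework import permissions, status, viewsets
from rest_framework.response import Response
# Invoices, InvoiceSerializer and IsAccountOwner come from the project's own modules (not shown).


class InvoiceViewSet(viewsets.ModelViewSet):
    queryset = Invoices.objects.all()
    serializer_class = InvoiceSerializer

    def get_permissions(self):
        # Reads are open; POST needs a logged-in user; other writes also need ownership.
        if self.request.method in permissions.SAFE_METHODS:
            return (permissions.AllowAny(),)
        if self.request.method == 'POST':
            return (permissions.IsAuthenticated(),)
        return (permissions.IsAuthenticated(), IsAccountOwner(),)

    @method_decorator(ensure_csrf_cookie)
    def create(self, request):
        serializer = InvoiceSerializer(data=request.data)
        if serializer.is_valid():
            user = request.user
            ...
            return Response(serializer.validated_data, status=status.HTTP_201_CREATED)
        return Response({
            'status': 'Bad request',
            'message': 'Invoice could not be created with received data',
        }, status=status.HTTP_400_BAD_REQUEST)
```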
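Edit:
I also tried extracting the token value from the cookie and posting it as "csrfmiddlewaretoken" together with the rest of the POST data.
Finally, thanks to @jason.
The version of XSRFStrategy I was using is deprecated. The working code in Angular now looks like this: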
```typescript
import { BrowserModule } from '@angular/platform-browser';
import { FormsModule, ReactiveFormsModule } from '@angular/forms';
import { NgModule } from '@angular/core';
import { HttpClientModule, HTTP_INTERCEPTORS, HttpClientXsrfModule, HttpXsrfTokenExtractor } from '@angular/common/http';
import { HttpModule, XSRFStrategy, CookieXSRFStrategy } from '@angular/http'
import { AppComponent } from './app.component';
import ...
import { HttpXSRFInterceptor } from './_providers';

@NgModule({
  declarations: [
    AppComponent,
    RegisterComponent,
    LoginComponent,
    AlertComponent,
    ProfileComponent,
    RegisterinvoiceComponent,
  ],
  imports: [
    BrowserModule,
    FormsModule,
    ReactiveFormsModule,
    AppRoutingModule,
    HttpClientModule,
    HttpModule,
    HttpClientXsrfModule.withOptions({
      cookieName: 'csrftoken',
      headerName: 'X-CSRFToken'
    })
  ],
  providers: [
    {
      provide: HTTP_INTERCEPTORS, useClass: HttpXSRFInterceptor, multi: true
    }
  ],
  bootstrap: [AppComponent]
})
export class AppModule { }
```
HttpXSRFInterceptor.ts looks like this:
```typescript
import { Injectable } from '@angular/core';
import { HttpClientModule, HttpClientXsrfModule, HttpInterceptor, HttpXsrfTokenExtractor, HttpRequest, HttpHandler, HttpEvent } from '@angular/common/http'
import { Observable } from 'rxjs';

@Injectable()
export class HttpXSRFInterceptor implements HttpInterceptor {
  constructor(private tokenExtractor: HttpXsrfTokenExtractor) {
  }

  intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
    const headerName = 'X-CSRFToken';
    let token = this.tokenExtractor.getToken() as string;
    if (token !== null && !req.headers.has(headerName)) {
      req = req.clone({ headers: req.headers.set(headerName, token) })
    }
    return next.handle(req);
  }
}
```
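Added example, not part of the original post: the decision an XSRF interceptor like the one above has to make, written as framework-free TypeScript and limited to unsafe methods and same-origin URLs so the `csrftoken` value is never sent to another host. Angular's built-in XSRF support applies a similar restriction (mutating requests to relative URLs only). The function names are hypothetical.

```typescript
// Added example: names are hypothetical, not taken from the post or from Angular.
const COOKIE_NAME = 'csrftoken';    // Django's default CSRF_COOKIE_NAME
const HEADER_NAME = 'X-CSRFToken';  // header Django's default CSRF_HEADER_NAME expects
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS', 'TRACE']; // exempt from Django's CSRF check

// Return the value of one cookie from a document.cookie-style string, or null.
function readCookie(cookieString: string, name: string): string | null {
  const parts = cookieString.split(';');
  for (let i = 0; i < parts.length; i++) {
    const pair = parts[i].trim();
    const eq = pair.indexOf('=');
    if (eq > 0 && pair.substring(0, eq) === name) {
      return decodeURIComponent(pair.substring(eq + 1));
    }
  }
  return null;
}

// Origin ("scheme://host[:port]") of an absolute URL, or null for a relative one.
function originOf(url: string): string | null {
  const m = /^([a-z][a-z0-9+.-]*:\/\/[^\/?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Decide which CSRF header, if any, to attach to an outgoing request.
function csrfHeaderFor(
  method: string, url: string, pageOrigin: string, cookieString: string
): { [name: string]: string } {
  // Safe methods are not CSRF-checked, so the token has no reason to travel.
  if (SAFE_METHODS.indexOf(method.toUpperCase()) !== -1) { return {}; }
  // Protocol-relative URLs ("//host/path") can point at any host: treat as foreign.
  if (url.indexOf('//') === 0) { return {}; }
  // Absolute URL on another origin: never disclose the token to it.
  // (An explicit default port, e.g. ":443", counts as a mismatch and fails closed.)
  const target = originOf(url);
  if (target !== null && target !== pageOrigin.toLowerCase()) { return {}; }
  const token = readCookie(cookieString, COOKIE_NAME);
  if (token === null || token === '') { return {}; }
  const headers: { [name: string]: string } = {};
  headers[HEADER_NAME] = token;
  return headers;
}
```

In an interceptor, the returned object would be merged into the cloned request's headers; an empty object means the request goes out unchanged.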