燒瓶-jwt-擴展。當 JWT_COOKIE_CSRF_PROTECT=True 時 POST 請求失敗

Question

我正在使用 flask-jwt-extended 來保護 rest api 使用 JWT Z55E7DD3016CE4AC57BZ9A02。

我發現當

app.config['JWT_COOKIE_CSRF_PROTECT'] = True

對受保護端點的 POST 請求不起作用（而 GET 可以）。

這是我的設置。

#app.py
app = flask.Flask(__name__)

# Configure application to store JWTs in cookies
app.config['JWT_TOKEN_LOCATION'] = ['cookies']

# Only allow JWT cookies to be sent over https. In production, this
# should likely be True
app.config['JWT_COOKIE_SECURE'] = False

app.config['JWT_ACCESS_COOKIE_PATH'] = '/api/'
app.config['JWT_REFRESH_COOKIE_PATH'] = '/api/refresh'

app.config['JWT_COOKIE_CSRF_PROTECT'] = True
app.config['JWT_SESSION_COOKIE'] = False


app.config["DEBUG"] = True
app.config["JWT_SECRET_KEY"] = "123456" 

jwt = JWTManager(app)


@app.route("/api/test_protected", methods=["GET", "POST"])
@jwt_required
def test_protected():
    print("test protected ok", get_jwt_identity())
    return jsonify(success=True)

獲取請求有效

Request URL: http://test.localhsl.com:8080/api/test_protected
Request Method: GET
Status Code: 200 OK
Remote Address: 127.0.0.1:8080
Referrer Policy: no-referrer-when-downgrade
connection: keep-alive
content-length: 22
content-type: application/json
date: Tue, 04 Aug 2020 15:48:30 GMT
server: Werkzeug/1.0.1 Python/3.7.7
X-Powered-By: Express
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Cookie: access_token_cookie=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1OTY1NTYwNjEsIm5iZiI6MTU5NjU1NjA2MSwianRpIjoiZmJiZTM4YmYtZTMzYy00OGViLWJiZGItNmVjOThiZGMwNDVlIiwiZXhwIjoxNTk2NTU2OTYxLCJpZGVudGl0eSI6ImJyb21AcHJvdG9ubWFpbC5jb20iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MiLCJjc3JmIjoiMDY1YTdkNzEtYzlhZS00ZTY5LWJlMDYtYTRiYzZiNDlhODUyIn0.mfgjgXjHKibjO-HPtbdcWkXsFW5XavlxarJ0Bx64GWk; csrf_access_token=065a7d71-c9ae-4e69-be06-a4bc6b49a852; csrf_refresh_token=4669a26e-b39e-46ce-a7a3-4ac9a8d295cb
Host: test.localhsl.com:8080
Referer: http://test.localhsl.com:8080/projects
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36

但發布請求失敗

Request URL: http://test.localhsl.com:8080/api/test_protected
Request Method: POST
Status Code: 401 UNAUTHORIZED
Remote Address: 127.0.0.1:8080
Referrer Policy: no-referrer-when-downgrade
connection: keep-alive
content-length: 34
content-type: application/json
date: Tue, 04 Aug 2020 15:49:48 GMT
server: Werkzeug/1.0.1 Python/3.7.7
X-Powered-By: Express
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Content-Length: 0
Cookie: access_token_cookie=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1OTY1NTYxODEsIm5iZiI6MTU5NjU1NjE4MSwianRpIjoiMmUzMTVhMzItY2JmOS00MzJmLWI2MGUtYTYxMjU5Yzc2YTBkIiwiZXhwIjoxNTk2NTU3MDgxLCJpZGVudGl0eSI6ImJyb21AcHJvdG9ubWFpbC5jb20iLCJmcmVzaCI6ZmFsc2UsInR5cGUiOiJhY2Nlc3MiLCJjc3JmIjoiNTMwZmQ4OGItYTYxMS00NDI2LTk3NzQtM2Q0MWNhZWRhZmQzIn0.8EqCsPSEIVsE876dBz26cHhXz-v2d2vfwyPMNo2lsng; csrf_access_token=530fd88b-a611-4426-9774-3d41caedafd3; csrf_refresh_token=9b1e5ab7-bc62-4a5d-976c-1a14a82b7cb3
Host: test.localhsl.com:8080
Origin: http://test.localhsl.com:8080
Referer: http://test.localhsl.com:8080/projects
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36

但是，如果我設置

app.config['JWT_COOKIE_CSRF_PROTECT'] = False

POST 和 GET 到受保護的端點都可以工作。

知道為什么會這樣嗎？

Answer 1

在使用 cookies 時，您需要在發布請求中手動發送雙重提交令牌，以保護您的應用免受 csrf 攻擊。 有關詳細信息，請參閱文檔： https://flask-jwt-extended.readthedocs.io/en/stable/tokens_in_cookies/

燒瓶-jwt-擴展。當 JWT_COOKIE_CSRF_PROTECT=True 時 POST 請求失敗

問題描述

1 個解決方案

解決方案1
0 2020-08-05 01:52:29

燒瓶-jwt-擴展。 當 JWT_COOKIE_CSRF_PROTECT=True 時 POST 請求失敗

問題描述

1 個解決方案

解決方案1 0 2020-08-05 01:52:29

燒瓶-jwt-擴展。當 JWT_COOKIE_CSRF_PROTECT=True 時 POST 請求失敗

解決方案1
0 2020-08-05 01:52:29