不使用令牌验证检查的POST请求
不使用令牌验证检查的POST请求
提问于 2020-05-31 16:31:44
在使用flask_jwt_extended时,每当我试图发送带有以下装饰器的POST请求时:
@jwt_refresh_token_required
@jwt_required我有这个401错误:
{
"msg": "Missing CSRF token"
}当我用GET代替的时候,它很好用。我读过有关双重提交保护的文档,但这并不能解决我的问题。有什么想法可以解决我的问题吗?,用于再现问题的代码如下所示。
下面是我的代码结构:
- src/__init.py__ # where I put all configs
- src/auth.py # where are the endpointsinit.py
login_serializer = URLSafeTimedSerializer(SERIALIZER_SECRET_KEY)
jwt = JWTManager()
def create_app():
app = Flask(__name__)
app.config["SECRET_KEY"] = SERIALIZER_SECRET_KEY
app.config['JWT_SECRET_KEY'] = JWT_SECRET_KEY
app.config['JWT_TOKEN_LOCATION'] = ['cookies']
app.config['JWT_COOKIE_CSRF_PROTECT'] = True
db.init_app(app)
jwt.init_app(app)
# blueprint for auth routes in our app
from .auth import auth as auth_blueprint
app.register_blueprint(auth_blueprint)
# blueprint for non-auth parts of app
from .routes import main as main_blueprint
app.register_blueprint(main_blueprint)
return appauth.py
import logging
from flask import Blueprint, request, current_app as app, jsonify
from werkzeug.security import generate_password_hash, check_password_hash
from . import login_serializer, jwt
from flask_jwt_extended import (jwt_required, jwt_refresh_token_required,
get_jwt_identity, get_raw_jwt, unset_jwt_cookies,
current_user, create_access_token, create_refresh_token, set_access_cookies, set_refresh_cookies)
auth = Blueprint('auth', __name__)
def set_response_cookies(token_identity, resp=None, token_types=["access", "refresh"]):
"""
Helper function to set cookies in response
"""
logging.warning("Setting cookies")
resp = jsonify(resp)
token_types.sort()
if token_types == ["access", "refresh"]:
access_token = create_access_token(identity = token_identity)
refresh_token = create_refresh_token(identity = token_identity)
if not resp:
resp = jsonify({"access_token": access_token, "refresh_token": refresh_token})
set_access_cookies(resp, access_token)
set_refresh_cookies(resp, refresh_token)
return resp
elif token_types == ["access"]:
access_token = create_access_token(identity = token_identity)
if not resp:
resp = jsonify({"access_token": access_token})
set_access_cookies(resp, access_token)
return resp
elif token_types == ["refresh"]:
refresh_token = create_refresh_token(identity = token_identity)
if not resp:
resp = jsonify({"refresh_token": refresh_token})
set_refresh_cookies(resp, refresh_token)
return resp
else:
raise ValueError("Wrong Call to this function")
@jwt.user_claims_loader
def add_claims_to_access_token(identity):
"""
"""
return {
'email': identity
}
@jwt.user_loader_callback_loader
def user_loader_callback(identity):
"""
Ignore Here, but I use it to get a User object (not mentionned here) from a Token.
"""
return User.objects(
email=identity,
).first()
@auth.route('/token', methods=['POST'])
def token_post():
""" obj =
{"email": "email", "password": "password"} => Tokens
"""
obj = request.get_json()
resp = set_response_cookies(obj["email"], {"token": True}, ["access", "refresh"])
return resp, 200
@auth.route('/token/access', methods=['POST'])
@jwt_refresh_token_required
def refresh_access_cookies():
if current_user:
resp = set_response_cookies(current_user.email, {"token_refreshed": True}, ["access"])
return resp, 200所以,在这里,我要做的就是复制错误:
headers.
- Make
- 在“邮递员”中向/token =>发出了一个帖子请求,我的响应将得到所有cookies,并向/token/access =>发出一个POST请求,给出上述错误。
回答 1
Stack Overflow用户
回答已采纳
发布于 2020-05-31 17:02:01
在您的配置中,您启用了JWT_COOKIE_CSRF_PROTECT。
出于开发目的,如果您可以将错误设置为False,则错误将消失,这可能不安全。
在生产中,您需要在请求头上传递csrf_token。
我认为这个链接可以帮助你。
https://flask-jwt-extended.readthedocs.io/en/stable/tokens_in_cookies/ (见最后一节)
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/62119272
复制相关文章
相似问题
腾讯云开发者
