POST请求不适用于令牌验证检查

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了POST请求不适用于令牌验证检查相关的知识,希望对你有一定的参考价值。

使用flask_jwt_extended,每当我尝试使用以下装饰器发送POST请求时:

@jwt_refresh_token_required
@jwt_required

我遇到此401错误:


    "msg": "Missing CSRF token"

当我改用GET时,它工作正常。我已经阅读了有关双重提交保护的文档,但这不能解决我的问题。 有什么想法可以解决我的问题吗?重现此问题的代码如下。

下面是我的代码的结构:

- src/__init.py__ # where I put all configs
- src/auth.py # where are the endpoints

init.py

login_serializer = URLSafeTimedSerializer(SERIALIZER_SECRET_KEY)
jwt = JWTManager()


def create_app():
    app = Flask(__name__)
    app.config["SECRET_KEY"] = SERIALIZER_SECRET_KEY
    app.config['JWT_SECRET_KEY'] = JWT_SECRET_KEY
    app.config['JWT_TOKEN_LOCATION'] = ['cookies']
    app.config['JWT_COOKIE_CSRF_PROTECT'] = True  
    db.init_app(app)
    jwt.init_app(app)

    # blueprint for auth routes in our app
    from .auth import auth as auth_blueprint
    app.register_blueprint(auth_blueprint)

    # blueprint for non-auth parts of app
    from .routes import main as main_blueprint
    app.register_blueprint(main_blueprint)

    return app

auth.py

import logging
from flask import Blueprint, request, current_app as app, jsonify
from werkzeug.security import generate_password_hash, check_password_hash
from . import login_serializer, jwt
from flask_jwt_extended import (jwt_required, jwt_refresh_token_required, 
                                get_jwt_identity, get_raw_jwt, unset_jwt_cookies,
                                current_user, create_access_token, create_refresh_token, set_access_cookies, set_refresh_cookies)

auth = Blueprint('auth', __name__)


def set_response_cookies(token_identity, resp=None, token_types=["access", "refresh"]):
    """
    Helper function to set cookies in response
    """
    logging.warning("Setting cookies")
    resp = jsonify(resp)
    token_types.sort()
    if token_types == ["access", "refresh"]:
        access_token = create_access_token(identity = token_identity)
        refresh_token = create_refresh_token(identity = token_identity)
        if not resp:
            resp = jsonify("access_token": access_token, "refresh_token": refresh_token)
        set_access_cookies(resp, access_token)
        set_refresh_cookies(resp, refresh_token)
        return resp 
    elif token_types == ["access"]:
        access_token = create_access_token(identity = token_identity)
        if not resp:
            resp = jsonify("access_token": access_token)
        set_access_cookies(resp, access_token)
        return resp 
    elif token_types == ["refresh"]:
        refresh_token = create_refresh_token(identity = token_identity)
        if not resp:
            resp = jsonify("refresh_token": refresh_token)
        set_refresh_cookies(resp, refresh_token)
        return resp 
    else:
        raise ValueError("Wrong Call to this function")


@jwt.user_claims_loader
def add_claims_to_access_token(identity):
    """
    """
    return 
        'email': identity
    


@jwt.user_loader_callback_loader
def user_loader_callback(identity):
    """
    Ignore Here, but I use it to get a User object (not mentionned here) from a Token.
    """
    return User.objects(
        email=identity,
    ).first()


@auth.route('/token', methods=['POST'])
def token_post():
    """ obj =
    "email": "email", "password": "password" => Tokens 
    """
    obj = request.get_json()
    resp = set_response_cookies(obj["email"], "token": True, ["access", "refresh"])
    return resp, 200    


@auth.route('/token/access', methods=['POST'])
@jwt_refresh_token_required
def refresh_access_cookies():
    if current_user:
        resp = set_response_cookies(current_user.email, "token_refreshed": True, ["access"])
    return resp, 200

所以,在这里,我要做的就是重现错误:

  1. / token]发送POST请求=>在邮递员中,我的响应将获取所有cookie和标头。

  2. / token / access]发出POST请求=>给出上述错误。

  3. 使用flask_jwt_extended,每当我尝试使用以下修饰符发送POST请求时:@jwt_refresh_token_required @jwt_required我遇到了401错误:“ msg”:“缺少CSRF ...

答案
在您的配置上,您启用JWT_COOKIE_CSRF_PROTECT为true。出于开发目的,如果将错误设置为False(可能不安全),该错误将消失。在生产中,您需要在请求的标头上传递csrf_token。我认为此链接可以为您提供帮助。https://flask-jwt-extended.readthedocs.io/en/stable/tokens_in_cookies/(请参阅最后一节)https://flask-wtf.readthedocs.io/en/stable/csrf.html

以上是关于POST请求不适用于令牌验证检查的主要内容,如果未能解决你的问题,请参考以下文章

Azure 条件访问不适用于令牌获取请求?

使用身份验证令牌的 Axios 请求有时会在 Safari 中失败

Python 中的 Rest API - 获取身份验证令牌,然后将其设置为用于 POST 的变量

Axios POST 调用不适用于 JWT 令牌,而 GET 调用有效

Rails:发出 POST 请求时无法验证 CSRF 令牌的真实性

GraphQL graph.cool 用户查询不适用于 Auth0 令牌