CSRF令牌在消耗之前已过期。

huangapple go评论60阅读模式
英文:

csrf token is getting expired before getting consumed

问题

I'm here to provide you with the translated text. Here's the translation of your provided content:

为什么我的 CSRF 令牌一旦尝试使用就会过期?

我在使用 Angular 时遇到了一个奇怪的问题,涉及到我接收和发送的 XSRF 令牌和会话令牌。

当我向 sanctum/csrf 端点发出请求时,我确实会得到 XSRF-TOKEN 和 SESSION-TOKEN 作为响应,其有效期为 2 小时。但在随后对 Laravel 路由的请求中,我发送的令牌似乎在我接收到它们的瞬间就已过期?导致 "csrf 令牌不匹配" 错误。我接收的令牌和我在后续请求中使用的令牌确实是相同的。但有效期似乎发生了变化。我感到困惑...

这是我使用的代码。第一个 get 方法发送给我令牌,有效期为 2 小时。接下来的 post 方法使用了这些令牌,但过期日期被设置为我接收到它们的确切时间。我猜测我遇到的 "csrf 令牌不匹配" 错误可能源于此。有什么线索吗?

英文:

Why does my csrf token expires as soon as I try to use it?

I'm having a weird problem with the XSRF token and session token I receive and send back with Angular.

When I make a request to the endpoint sanctum/csrf, I do get a XSRF-TOKEN and SESSION-TOKEN with a 2h lifetime as a response. But on subsequent request to a laravel route, the tokens I send are set to be expired the moment I received them? Resulting in a "csrf toekn mismatch" error. The tokens I receive and the ones I use in further requests are indeed the same. But the expiration time changes it seems. I'm lost there...

constructor(private testService: TestService, private http: HttpClient) { }

  ngOnInit(): void {
    this.http.get('http://localhost:8000/sanctum/csrf-cookie', { withCredentials: true }).subscribe(() => {

      console.log('CSRF cookie set.');

      this.http.post('http://localhost:8000/api/login', {
        email: 'exemple@gmail.com',
        password: 'exemple-'
      }, { withCredentials: true }).subscribe((response) => {

        console.log(response);

        this.http.get('http://localhost:8000/api/user', { withCredentials: true }).subscribe((response => {
          console.log(response);
        }));

      });

this is the code I'm using. The first get method sends me the token, 2h lifetime.
The next post method uses the tokens, but the expire date is set to the exact time I received it. I guess the "csrf token mismatch" error I get comes from this.

Any clue?

答案1

得分: 1

问题是Angular没有像 sanctum 文档所说的那样添加必要的带有 csrf-token 的头部。你需要一个拦截器来为你的请求添加正确的 X-XSRF-TOKEN 头部,并给它赋予你收到的令牌的值。

链接:https://stackoverflow.com/questions/61063479/csrf-token-mismatch-laravel-sanctum-and-angular-http

最佳答案对我有所帮助(别忘了相应地更改你的 app.module)。

英文:

Ok so the problem was that Anuglar does NOT add the necessary header with the csrf-token, like the sanctum doc says. You need an interceptor to add the right X-XSRF-TOKEN header to your request, and give it the value of the token you received.

https://stackoverflow.com/questions/61063479/csrf-token-mismatch-laravel-sanctum-and-angular-http

The top answer helped me (don't forget to change your app.module accordingly).

huangapple
  • 本文由 发表于 2023年5月7日 20:57:09
  • 转载请务必保留本文链接:https://go.coder-hub.com/76194073.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定