我正在嘗試markitosgv/JWTRefreshTokenBundle在我的 symfony 專案中實作,以便獲得重繪 我的 JWT 令牌的方法。為此,我想生成一個 HttpOnly cookie,這是捆綁包支持的。
當我從我的前端(角度 13)登錄時,我得到了我的 JWT 令牌(來自lexik/LexikJWTAuthenticationBundle),以及set-cookie像這樣的標題:
Request URL: https://api.mysite.com/api/login_check
Request Method: POST
Status Code: 200 OK
Remote Address: 192.168.1.43:443
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://front.mysite.com:4200
Access-Control-Expose-Headers: link
Cache-Control: no-cache, private
Connection: Keep-Alive
Content-Type: application/json
Date: Mon, 25 Apr 2022 15:54:30 GMT
Keep-Alive: timeout=5, max=99
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: refresh_token=a2615d6dd2986680fd79807c61d050424b4e290090a4beaf1f1063c0c8f1807681d86c1c07216630a629667e711897dbae7a6083884d3f19b028aa72f9bbca84; expires=Tue, 26-Apr-2022 09:07:50 GMT; Max-Age=62000; path=/; domain=mysite.com; secure; httponly; samesite=lax
Transfer-Encoding: chunked
X-Debug-Token: e31102
X-Debug-Token-Link: https://api.mysite.com/_profiler/e31102
X-Robots-Tag: noindex
當然,我無法檢查 cookie 是否已創建,因為它是 HttpOnly
然后在我的角度,我有一個帶有以下簡單代碼的測驗按鈕:
onCallRefreshToken() {
this.http.post('https://api.mysite.com/api/token/refresh', {site:2}, {withCredentials: true}).subscribe((datas) =>{
console.log('datas', datas);
});
}
當我運行它時,我收到以下錯誤:[401] Missing JWT Refresh Token
如果在 sympfony 中轉儲請求,我看到它$request->cookies->parameters是空的。當我查看 Chrome 檢查器發送的請求時,我看到以下內容:
Request URL: https://api.mysite.com/api/token/refresh
Request Method: POST
Status Code: 401 Unauthorized
Remote Address: 192.168.1.43:443
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://front.mysite.com:4200
Access-Control-Expose-Headers: link
Cache-Control: no-cache, private
Connection: Keep-Alive
Content-Type: application/json
Date: Mon, 25 Apr 2022 16:00:44 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.41 (Ubuntu)
Transfer-Encoding: chunked
Vary: Authorization
X-Debug-Token: 54c0bb
X-Debug-Token-Link: https://api.mysite.com/_profiler/54c0bb
X-Robots-Tag: noindex
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Authorization: Bearer AVeryLongAndValidTokenHere
Connection: keep-alive
Content-Length: 10
Content-Type: application/json
Host: api.mysite.com
Origin: https://front.mysite.com:4200
Referer: https://front.mysite.com:4200/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
(JWT 令牌被洗掉)所以你可以看到,這個 cookie 似乎沒有在請求中傳遞,這顯然可以解釋為什么我沒有在我的 symfony API 中得到它。
因此,根據我的閱讀,“配置”角度http呼叫以傳遞HttpOnly cookie的方法是將“withCredentials”選項設定為true。但這似乎不起作用。
請注意,我似乎沒有任何 CORS 問題(相同域、安全、允許憑據true)并且 HTTPS 作業正常
有什么我做錯了嗎?你有什么主意嗎?我不是以正確的方式呼叫 API 嗎?
編輯:這是我關于 cookie 的捆綁配置:
gesdinet_jwt_refresh_token:
# ...
ttl: 62000
return_expiration: true
cookie:
enabled: true
same_site: lax
path: /
domain: mysite.com
http_only: true
secure: true
remove_token_from_body: true
uj5u.com熱心網友回復:
好的,所以我的重繪 令牌在請求時未通過的原因/api/token/refresh是因為您需要withCredentials: true在“重繪 ”請求本身中使用,而且在呼叫初始“登錄”路由時也需要使用!
僅在“重繪 ”路由上使用此選項不足以使其正常作業
轉載請註明出處,本文鏈接:https://www.uj5u.com/gongcheng/467715.html
標籤:有角度的 交响乐 jwt httponly cookie-httponly
上一篇:找不到“GET/demo/koco/create”的路由:404NotFound-NotFoundHttpException
