Ruby-on-rails Rails 4 真实性令牌
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/16258911/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Rails 4 Authenticity Token
提问by alexcoco
I was working on a new Rails 4 app (on Ruby 2.0.0-p0) when I ran into some authenticity token problems.
当我遇到一些真实性令牌问题时,我正在开发一个新的 Rails 4 应用程序(在 Ruby 2.0.0-p0 上)。
While writing a controller that responds to json (using the respond_toclass method), I got to the createaction I started getting ActionController::InvalidAuthenticityTokenexceptions when I tried to create a record using curl.
在写一个控制器,响应JSON(使用respond_to类方法),我到了create我开始行动ActionController::InvalidAuthenticityToken例外,当我试图使用创建一个记录curl。
I made sure I set -H "Content-Type: application/json"and I set the data with -d "<my data here>"but still no luck.
我确保我设置-H "Content-Type: application/json"并设置了数据,-d "<my data here>"但仍然没有运气。
I tried writing the same controller using Rails 3.2 (on Ruby 1.9.3) and I got no authenticity token problems whatsoever. I searched around and I saw that there were some changes with authenticity tokens in Rails 4. From what I understand, they are no longer automatically inserted in forms anymore? I suppose this is somehow affecting non-HTML content types.
我尝试使用 Rails 3.2(在 Ruby 1.9.3 上)编写相同的控制器,但我没有遇到任何真实性令牌问题。我四处搜索,发现 Rails 4 中的真实性令牌发生了一些变化。据我所知,它们不再自动插入表单中了?我想这在某种程度上影响了非 HTML 内容类型。
Is there any way to get around this without having to request a HTML form, snatching the authenticity token, then making another request with that token? Or am I completely missing something that's completely obvious?
有没有办法解决这个问题,而不必请求 HTML 表单,获取真实性令牌,然后使用该令牌发出另一个请求?还是我完全错过了完全明显的东西?
Edit:I just tried creating a new record in a new Rails 4 app using a scaffold without changing anything and I'm running into the same problem so I guess it's not something I did.
编辑:我只是尝试使用脚手架在一个新的 Rails 4 应用程序中创建一个新记录而没有改变任何东西,我遇到了同样的问题,所以我想这不是我做的。
回答by alexcoco
I think I just figured it out. I changed the (new) default
我想我只是想通了。我更改了(新的)默认值
protect_from_forgery with: :exception
to
到
protect_from_forgery with: :null_session
as per the comment in ApplicationController.
根据 中的评论ApplicationController。
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
You can see the difference by looking at the source for request_forgery_protecton.rb, or, more specifically, the following lines:
您可以通过查看 的来源request_forgery_protecton.rb,或更具体地说,以下几行来查看差异:
In Rails 3.2:
# This is the method that defines the application behavior when a request is found to be unverified.
# By default, \Rails resets the session when it finds an unverified request.
def handle_unverified_request
reset_session
end
In Rails 4:
def handle_unverified_request
forgery_protection_strategy.new(self).handle_unverified_request
end
Which will call the following:
这将调用以下内容:
def handle_unverified_request
raise ActionController::InvalidAuthenticityToken
end
回答by xiaoboa
Instead of turn off the csrf protection, it's better to add the following line of code into the form
与其关闭csrf保护,不如在表单中加入下面这行代码
<%= tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token) %>
and if you're using form_for or form_tag to generate the form, then it will automatically add the above line of code in the form
如果你使用form_for或form_tag来生成表单,那么它会自动在表单中添加上面这行代码
回答by Carlos
Adding the following line into the form worked for me:
将以下行添加到对我有用的表单中:
<%= hidden_field_tag :authenticity_token, form_authenticity_token %>
回答by roamingthings
I don't think it's good to generally turn off CSRF protection as long as you don't exclusively implement an API.
只要您不专门实现 API,我认为通常关闭 CSRF 保护是不好的。
When looking at the Rails 4 API documentation for ActionControllerI found that you can turn off forgery protection on a per controller or per method base.
在查看ActionController的 Rails 4 API 文档时,我发现您可以关闭每个控制器或每个方法库的伪造保护。
For example to turn off CSRF protection for methods you can use
例如,为您可以使用的方法关闭 CSRF 保护
class FooController < ApplicationController
protect_from_forgery except: :index
回答by user1756254
Came across the same problem. Fixed it by adding to my controller:
遇到了同样的问题。通过添加到我的控制器来修复它:
skip_before_filter :verify_authenticity_token, if: :json_request?
回答by zechtz
Did you try?
你试过了吗?
protect_from_forgery with: :null_session, if: Proc.new {|c| c.request.format.json? }
回答by konung
This official doc - talks about how to turn off forgery protection for api properly http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html
这个官方文档 - 讨论如何正确关闭 api 的伪造保护 http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html
回答by B Liu
This is a security feature in Rails. Add this line of code in the form:
这是 Rails 中的一项安全功能。在表单中添加这行代码:
<%= hidden_field_tag :authenticity_token, form_authenticity_token %>
Documentation can be found here: http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html
文档可以在这里找到:http: //api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html
回答by Kent Aguilar
These features were added for security and forgery protection purposes.
However, to answer your question, here are some inputs.
You can add these lines after your the controller name.
添加这些功能是为了安全和防伪。
但是,为了回答您的问题,这里有一些输入。您可以在控制器名称后添加这些行。
Like so,
像这样,
class NameController < ApplicationController
skip_before_action :verify_authenticity_token
Here are some lines for different versions of rails.
这里有一些针对不同版本 rails 的行。
Rails 3
导轨 3
skip_before_filter :verify_authenticity_token
skip_before_filter :verify_authenticity_token
Rails 4:
轨道 4:
skip_before_action :verify_authenticity_token
skip_before_action :verify_authenticity_token
Should you intend to disable this security feature for all controller routines, you can change the value of protect_from_forgeryto :null_sessionon your application_controller.rb file.
如果您打算为所有控制器例程禁用此安全功能,您可以在 application_controller.rb 文件中将protect_from_forgery的值更改为:null_session。
Like so,
像这样,
class ApplicationController < ActionController::Base
protect_from_forgery with: :null_session
end
回答by user1555400
If you're using jQuery with rails, be wary of allowing entry to methods without verifying the authenticity token.
如果您将 jQuery 与 rails 结合使用,请注意在未验证真实性令牌的情况下允许进入方法。
jquery-ujs can manage the tokens for you
jquery-ujs 可以为你管理令牌
You should have it already as part of the jquery-rails gem, but you might need to include it in application.js with
您应该已经将它作为 jquery-rails gem 的一部分,但您可能需要将它包含在 application.js 中
//= require jquery_ujs
That's all you need - your ajax call should now work
这就是您所需要的 - 您的 ajax 调用现在应该可以工作了
For more information, see: https://github.com/rails/jquery-ujs
更多信息请参见:https: //github.com/rails/jquery-ujs
