ios Rails 从 RestKit POST 中显示“警告:无法验证 CSRF 令牌的真实性”
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/10167956/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Rails shows "WARNING: Can't verify CSRF token authenticity" from a RestKit POST
提问by ohho
When I try to POST from RestKit, there is a warning in Rails console:
当我尝试从 POST 时RestKit,Rails 控制台中出现警告:
Started POST "/friends" for 127.0.0.1 at 2012-04-16 09:58:10 +0800
Processing by FriendsController#create as */*
Parameters: {"friend"=>{"myself_id"=>"m001", "friend_id"=>"f001"}}
WARNING: Can't verify CSRF token authenticity
(0.1ms) BEGIN
SQL (1.7ms) INSERT INTO `friends` (`friend_id`, `myself_id`) VALUES ('f001', 'm001')
(1.1ms) COMMIT
Redirected to http://127.0.0.1:3000/friends/8
Completed 302 Found in 6ms (ActiveRecord: 3.0ms)
Here is client code:
这是客户端代码:
NSMutableDictionary *attributes = [[NSMutableDictionary alloc] init];
[attributes setObject: @"f001" forKey: @"friend_id"];
[attributes setObject: @"m001" forKey: @"myself_id"];
NSMutableDictionary *params = [NSMutableDictionary dictionaryWithObject:attributes forKey:@"friend"];
[[RKClient sharedClient] post:@"/friends" params:params delegate:self];
How can I get rid of the warning?
我怎样才能摆脱警告?
回答by nmott
You can safely remove the warnings with the following:
您可以使用以下方法安全地删除警告:
skip_before_filter :verify_authenticity_token
This should go into every Rails API controller that you have, or if you have a base_controllerfor all API controllers then put it there.
这应该进入你拥有的每个 Rails API 控制器,或者如果你有一个base_controller用于所有 API 控制器,那么把它放在那里。
If you can also access your app through a web browser then do not put this line in the application_controlleras you will be creating a security vulnerability.
如果您还可以通过 Web 浏览器访问您的应用程序,请不要将此行放在 中,application_controller因为您将创建安全漏洞。
It is safe to remove csrffor API calls as the particular vulnerability can only be executed through a web browser.
删除csrfAPI 调用是安全的,因为特定漏洞只能通过 Web 浏览器执行。
Update 16th December 2013
2013 年 12 月 16 日更新
I've seen some links to this answer and some other content which suggests a clarification. An API may be vulnerable to CSRF if you use web based authentication methods to authenticate the API - e.g. sessions or cookies.
我已经看到了一些指向此答案的链接以及一些其他内容,这些内容建议进行澄清。如果您使用基于 Web 的身份验证方法来验证 API(例如会话或 cookie),则 API 可能容易受到 CSRF 的攻击。
There is some good detail in Is your Web API susceptible to a CSRF exploit?.
有一些很好的详细是Web API易受CSRF攻击?.
My advice still stands for users of RestKit as user credentials are unlikely to be based on sessions or cookies but rather usernames or api keys.
我的建议仍然适用于 RestKit 用户,因为用户凭据不太可能基于会话或 cookie,而是基于用户名或 api 密钥。
If your API can be authenticated with session or cookies then you should avoid skipping : verify_authenticity_tokenand you should think about moving to api key based authentication.
如果您的 API 可以使用会话或 cookie 进行身份验证,那么您应该避免跳过: verify_authenticity_token,您应该考虑转向基于 api 密钥的身份验证。
If your API can be authenticated with a username and password that is also used to authenticate on the web there is still a potential exploit, although it is less serious as it would require the user to type in their username and password to your site in the HTTP Auth challenge box while visiting the site with the exploit. Again, for the best security you should think about moving to api key based authentication.
如果您的 API 可以使用也用于在网络上进行身份验证的用户名和密码进行身份验证,那么仍然存在潜在的漏洞,尽管它不那么严重,因为它需要用户在您的站点中输入他们的用户名和密码使用漏洞访问站点时的 HTTP 身份验证挑战框。同样,为了获得最佳安全性,您应该考虑转向基于 api 密钥的身份验证。
It's worth noting that I don't agree that you need to add :only => [:your_method]for additional protection, provided that you have isolated api controllers, your api is not mixed with your web responses and you are not using session or cookies. If these are in place you can safely add the skip_before_filterinto a base_controllerfor your api.
值得注意的是,我不同意你需要添加:only => [:your_method]额外的保护,前提是你有隔离的 api 控制器,你的 api 没有与你的 web 响应混合,并且你没有使用会话或 cookie。如果这些都准备好了,您可以安全地将其添加skip_before_filter到base_controller您的 api 中。
