Dropbox API 不再工作,CSRF 不匹配
Dropbox API no longer working, CSRF mismatch
我使用 Dropbox PHP SDK。一切正常,但突然间身份验证过程不再有效,而在此区域的代码没有任何更改。
我收到错误 'CSRF Mismatch'。
查看 URL 中的所有 CSRF 令牌时,一切似乎都是正确的:
https://myapp.herokuapp.com/dropbox/callback.php?state=L9yH1hf7pgiOY7j7fsFegA%3D%3D&code=redacted
CSRF 令牌匹配。日志显示它们不是:
[15-May-2015 12:09:44 UTC] /dropbox-auth-finish: CSRF mismatch: Expected 'sW2Zy4OD7YBijNHaeCtyjQ==', got 'L9yH1hf7pgiOY7j7fsFegA=='
我与 Dropbox API 支持人员进行了交谈。他们非常乐于助人并提出了很多建议:
This error indicates that the state value returned to your redirect
URI doesn't match the CSRF token that was stored in the session. The
state value on your sample redirect URI matches the state value given
to the /authorize URL though, so it looks like the issue is with the
value stored in the session. A few things come to mind that might
cause this:
- Are you calling WebAuth.start multiple times for a single app authorization flow? If so, it's possible you're storing the CSRF token
for one, but are browsing to the /authorize URL with the other.
- Is your session storage not working correctly? The Dropbox PHP SDK uses the csrfTokenStore you pass to the WebAuth constructor. If that
isn't able to store the new CSRF token, or is returning stale values,
that could cause this mismatch.
- Are you switching between different instances of your app, and so accessing different sessions?
原来是第一个理论化的问题。 AJAX 调用发生在后台,其中有一个登录检查也重定向到授权页面,从而创建多个请求。一旦我禁用它,问题就消失了。
我使用 Dropbox PHP SDK。一切正常,但突然间身份验证过程不再有效,而在此区域的代码没有任何更改。
我收到错误 'CSRF Mismatch'。
查看 URL 中的所有 CSRF 令牌时,一切似乎都是正确的:
https://myapp.herokuapp.com/dropbox/callback.php?state=L9yH1hf7pgiOY7j7fsFegA%3D%3D&code=redacted
CSRF 令牌匹配。日志显示它们不是:
[15-May-2015 12:09:44 UTC] /dropbox-auth-finish: CSRF mismatch: Expected 'sW2Zy4OD7YBijNHaeCtyjQ==', got 'L9yH1hf7pgiOY7j7fsFegA=='
我与 Dropbox API 支持人员进行了交谈。他们非常乐于助人并提出了很多建议:
This error indicates that the state value returned to your redirect URI doesn't match the CSRF token that was stored in the session. The state value on your sample redirect URI matches the state value given to the /authorize URL though, so it looks like the issue is with the value stored in the session. A few things come to mind that might cause this:
- Are you calling WebAuth.start multiple times for a single app authorization flow? If so, it's possible you're storing the CSRF token for one, but are browsing to the /authorize URL with the other.
- Is your session storage not working correctly? The Dropbox PHP SDK uses the csrfTokenStore you pass to the WebAuth constructor. If that isn't able to store the new CSRF token, or is returning stale values, that could cause this mismatch.
- Are you switching between different instances of your app, and so accessing different sessions?
原来是第一个理论化的问题。 AJAX 调用发生在后台,其中有一个登录检查也重定向到授权页面,从而创建多个请求。一旦我禁用它,问题就消失了。