Problem With Laravel Sanctum Token Security / Search for a very well explained tutorial about Sanctum

I read the official documentation for Laravel Jetstream and Sanctum, but I still don't understand some things.

First, I protect an endpoint with:

```php
Route::get('/endpointtoprotect', [AuthController::class, 'endpointtoprotect'])->middleware('auth:sanctum');
```

So, to use that endpoint, I need the token from 'api/login'. I checked, and it is working. But when I deliberately put in an incorrect token, it doesn't work, but it doesn't return a 401; instead it returns a 200 with the login page, with the following code:

```html
<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="csrf-token" content="wwDHIrOCqffknYEmWbOZi8ZQmlCRuCw2SfqdI0C5">

    <title>Laravel</title>

    <!-- Fonts -->
    <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Nunito:wght@400;600;700&display=swap">

    <!-- Styles -->
    <link rel="stylesheet" href="/css/app.css">

    <!-- Scripts -->
    <script src="/js/app.js" defer></script>
</head>

<body>
    <div class="font-sans text-gray-900 antialiased">
        <div class="min-h-screen flex flex-col sm:justify-center items-center pt-6 sm:pt-0 bg-gray-100">
            <div>
                <a href="/">
                    <svg class="w-16 h-16" viewbox="0 0 48 48" fill="none" xmlns="http://www.w3.org/2000/svg">
                        <path
                            d="M11.395 44.428C4.557 40.198 0 32.632 0 24 0 10.745 10.745 0 24 0a23.891 23.891 0 0113.997 4.502c-.2 17.907-11.097 33.245-26.602 39.926z"
                            fill="#6875F5" />
                        <path
                            d="M14.134 45.885A23.914 23.914 0 0024 48c13.255 0 24-10.745 24-24 0-3.516-.756-6.856-2.115-9.866-4.659 15.143-16.608 27.092-31.75 31.751z"
                            fill="#6875F5" />
                    </svg>
                </a>
            </div>

            <div class="w-full sm:max-w-md mt-6 px-6 py-4 bg-white shadow-md overflow-hidden sm:rounded-lg">
                <form method="POST" action="http://localhost:8000/login">
                    <input type="hidden" name="_token" value="wwDHIrOCqffknYEmWbOZi8ZQmlCRuCw2SfqdI0C5">
                    <div>
                        <label class="block font-medium text-sm text-gray-700" for="email">
                            Email
                        </label>
                        <input class="border-gray-300 focus:border-indigo-300 focus:ring focus:ring-indigo-200 focus:ring-opacity-50 rounded-md shadow-sm block mt-1 w-full" id="email" type="email" name="email" required="required" autofocus="autofocus">
                    </div>

                    <div class="mt-4">
                        <label class="block font-medium text-sm text-gray-700" for="password">
                            Password
                        </label>
                        <input class="border-gray-300 focus:border-indigo-300 focus:ring focus:ring-indigo-200 focus:ring-opacity-50 rounded-md shadow-sm block mt-1 w-full" id="password" type="password" name="password" required="required" autocomplete="current-password">
                    </div>

                    <div class="block mt-4">
                        <label for="remember_me" class="flex items-center">
                            <input type="checkbox" class="rounded border-gray-300 text-indigo-600 shadow-sm focus:border-indigo-300 focus:ring focus:ring-indigo-200 focus:ring-opacity-50" id="remember_me" name="remember">
                            <span class="ml-2 text-sm text-gray-600">Remember me</span>
                        </label>
                    </div>

                    <div class="flex items-center justify-end mt-4">
                        <a class="underline text-sm text-gray-600 hover:text-gray-900"
                            href="http://localhost:8000/forgot-password">
                            Forgot your password?
                        </a>

                        <button type="submit" class="inline-flex items-center px-4 py-2 bg-gray-800 border border-transparent rounded-md font-semibold text-xs text-white uppercase tracking-widest hover:bg-gray-700 active:bg-gray-900 focus:outline-none focus:border-gray-900 focus:ring focus:ring-gray-300 disabled:opacity-25 transition ml-4">
                            Log in
                        </button>
                    </div>
                </form>
            </div>
        </div>
    </div>
</body>

</html>
```

Does someone have a better tutorial, or can someone explain to me the basics of this Sanctum authorization? It is supposed to be a built-in, integrated solution, but I don't see any simplicity in this. I'm seeing there is more documentation about JWT tokens, but the functionality may be similar.

Solution:

When making requests to /api endpoints, include the HTTP header `accept: application/json`.
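The behaviour in the question comes from Laravel's default exception handler: when the `auth:sanctum` guard rejects a token, the handler returns a 401 JSON body only if `$request->expectsJson()` is true (which is what the `Accept: application/json` header makes happen); otherwise it redirects to the `login` route, and a client that follows the redirect sees a 200 with the login page. Relying on every client to send the right header is fragile, so a server-side fix is to force JSON handling on the API prefix. The middleware below is an added example, not code from the question, the answer, Laravel or Sanctum; the class name `ForceJsonResponse` and the `app/Http/Middleware` location are assumptions.

```php
<?php
// Added example (not part of the original post or of Laravel/Sanctum).
// Forces every request routed through the "api" middleware group to be
// handled as a JSON request, so an invalid or missing Sanctum token yields
// a 401 JSON response instead of a redirect to the login page.
// The class name ForceJsonResponse is an assumption.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class ForceJsonResponse
{
    /**
     * Overwrite the Accept header before the auth middleware runs.
     *
     * Laravel's Illuminate\Foundation\Exceptions\Handler::unauthenticated()
     * checks $request->expectsJson(), which looks at the Accept header, to
     * decide between a 401 JSON body and a redirect to route('login').
     * Setting the header here makes that decision deterministic for /api,
     * regardless of what the client sent.
     */
    public function handle(Request $request, Closure $next)
    {
        // Symfony's HeaderBag::set() replaces any Accept value the client sent.
        $request->headers->set('Accept', 'application/json');

        return $next($request);
    }
}

// Registration (app/Http/Kernel.php in the Laravel 8 layout that Jetstream
// uses): put the class first in the "api" group so it runs before
// auth:sanctum is evaluated on any /api route.
//
// protected $middlewareGroups = [
//     'api' => [
//         \App\Http\Middleware\ForceJsonResponse::class,
//         // ...the group's existing entries stay as they are
//     ],
// ];
```

To verify the change, send a request to the protected route with an obviously wrong bearer token and no Accept header, for example `curl -i -H "Authorization: Bearer not-a-real-token" http://localhost:8000/api/endpointtoprotect`: before the middleware is registered the response is a 302 to `/login` (which becomes the 200 login page if the client follows redirects); afterwards it is a 401 with the body `{"message":"Unauthenticated."}`. Failing closed with 401 matters for clients too, since a script that treats any 200 as success would otherwise mistake the login page for a valid API response.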