HttpOnly cookie 未在请求中传递
HttpOnly cookie does not get passed in request
我正在尝试在我的 symfony 项目中实现 markitosgv/JWTRefreshTokenBundle,以便获得刷新我的 JWT 令牌的方法。
为此,我想生成一个 HttpOnly cookie,这是捆绑包支持的东西。
当我从前端 (angular 13) 登录时,我得到了我的 JWT 令牌(来自 lexik/LexikJWTAuthenticationBundle),以及 set-cookie header 这样的:
Request URL: https://api.mysite.com/api/login_check
Request Method: POST
Status Code: 200 OK
Remote Address: 192.168.1.43:443
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://front.mysite.com:4200
Access-Control-Expose-Headers: link
Cache-Control: no-cache, private
Connection: Keep-Alive
Content-Type: application/json
Date: Mon, 25 Apr 2022 15:54:30 GMT
Keep-Alive: timeout=5, max=99
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: refresh_token=a2615d6dd2986680fd79807c61d050424b4e290090a4beaf1f1063c0c8f1807681d86c1c07216630a629667e711897dbae7a6083884d3f19b028aa72f9bbca84; expires=Tue, 26-Apr-2022 09:07:50 GMT; Max-Age=62000; path=/; domain=mysite.com; secure; httponly; samesite=lax
Transfer-Encoding: chunked
X-Debug-Token: e31102
X-Debug-Token-Link: https://api.mysite.com/_profiler/e31102
X-Robots-Tag: noindex
当然,我无法检查是否已创建 cookie,因为它是 HttpOnly
然后在我的 angular 中,我有一个带有以下简单代码的测试按钮:
onCallRefreshToken() {
this.http.post('https://api.mysite.com/api/token/refresh', {site:2}, {withCredentials: true}).subscribe((datas) =>{
console.log('datas', datas);
});
}
当我 运行 它时,我收到以下错误:[401] Missing JWT Refresh Token
如果在 sympfony 中转储请求,我看到 $request->cookies->parameters 是空的。当我查看 Chrome 检查员发送的请求时,我看到以下内容:
Request URL: https://api.mysite.com/api/token/refresh
Request Method: POST
Status Code: 401 Unauthorized
Remote Address: 192.168.1.43:443
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://front.mysite.com:4200
Access-Control-Expose-Headers: link
Cache-Control: no-cache, private
Connection: Keep-Alive
Content-Type: application/json
Date: Mon, 25 Apr 2022 16:00:44 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.41 (Ubuntu)
Transfer-Encoding: chunked
Vary: Authorization
X-Debug-Token: 54c0bb
X-Debug-Token-Link: https://api.mysite.com/_profiler/54c0bb
X-Robots-Tag: noindex
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Authorization: Bearer AVeryLongAndValidTokenHere
Connection: keep-alive
Content-Length: 10
Content-Type: application/json
Host: api.mysite.com
Origin: https://front.mysite.com:4200
Referer: https://front.mysite.com:4200/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
(故意删除 JWT 令牌)
正如您所看到的,cookie 似乎没有在请求中传递,这显然可以解释为什么我没有在我的 symfony API.
中得到它
因此,根据我的阅读,“配置”angular http 调用以传递 HttpOnly cookie 的方法是将选项“withCredentials”设置为 true。但是好像不行。
请注意,我似乎没有任何 CORS 问题(相同域,安全,allow-credential 到 true)并且 HTTPS 工作正常
我做错了什么吗?你有什么主意吗?我调用 API 的方式不对吗?
编辑:这是我关于 cookie 的捆绑配置:
gesdinet_jwt_refresh_token:
# ...
ttl: 62000
return_expiration: true
cookie:
enabled: true
same_site: lax
path: /
domain: mysite.com
http_only: true
secure: true
remove_token_from_body: true
好的,所以在请求 /api/token/refresh 时我的刷新令牌未通过的原因是因为您需要在“刷新”请求本身中使用 withCredentials: true,而且在调用初始“登录”路线!
仅在“刷新”路由上使用此选项不足以使其正常工作
我正在尝试在我的 symfony 项目中实现 markitosgv/JWTRefreshTokenBundle,以便获得刷新我的 JWT 令牌的方法。
为此,我想生成一个 HttpOnly cookie,这是捆绑包支持的东西。
当我从前端 (angular 13) 登录时,我得到了我的 JWT 令牌(来自 lexik/LexikJWTAuthenticationBundle),以及 set-cookie header 这样的:
Request URL: https://api.mysite.com/api/login_check
Request Method: POST
Status Code: 200 OK
Remote Address: 192.168.1.43:443
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://front.mysite.com:4200
Access-Control-Expose-Headers: link
Cache-Control: no-cache, private
Connection: Keep-Alive
Content-Type: application/json
Date: Mon, 25 Apr 2022 15:54:30 GMT
Keep-Alive: timeout=5, max=99
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: refresh_token=a2615d6dd2986680fd79807c61d050424b4e290090a4beaf1f1063c0c8f1807681d86c1c07216630a629667e711897dbae7a6083884d3f19b028aa72f9bbca84; expires=Tue, 26-Apr-2022 09:07:50 GMT; Max-Age=62000; path=/; domain=mysite.com; secure; httponly; samesite=lax
Transfer-Encoding: chunked
X-Debug-Token: e31102
X-Debug-Token-Link: https://api.mysite.com/_profiler/e31102
X-Robots-Tag: noindex
当然,我无法检查是否已创建 cookie,因为它是 HttpOnly
然后在我的 angular 中,我有一个带有以下简单代码的测试按钮:
onCallRefreshToken() {
this.http.post('https://api.mysite.com/api/token/refresh', {site:2}, {withCredentials: true}).subscribe((datas) =>{
console.log('datas', datas);
});
}
当我 运行 它时,我收到以下错误:[401] Missing JWT Refresh Token
如果在 sympfony 中转储请求,我看到 $request->cookies->parameters 是空的。当我查看 Chrome 检查员发送的请求时,我看到以下内容:
Request URL: https://api.mysite.com/api/token/refresh
Request Method: POST
Status Code: 401 Unauthorized
Remote Address: 192.168.1.43:443
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://front.mysite.com:4200
Access-Control-Expose-Headers: link
Cache-Control: no-cache, private
Connection: Keep-Alive
Content-Type: application/json
Date: Mon, 25 Apr 2022 16:00:44 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.41 (Ubuntu)
Transfer-Encoding: chunked
Vary: Authorization
X-Debug-Token: 54c0bb
X-Debug-Token-Link: https://api.mysite.com/_profiler/54c0bb
X-Robots-Tag: noindex
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Authorization: Bearer AVeryLongAndValidTokenHere
Connection: keep-alive
Content-Length: 10
Content-Type: application/json
Host: api.mysite.com
Origin: https://front.mysite.com:4200
Referer: https://front.mysite.com:4200/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
(故意删除 JWT 令牌) 正如您所看到的,cookie 似乎没有在请求中传递,这显然可以解释为什么我没有在我的 symfony API.
中得到它因此,根据我的阅读,“配置”angular http 调用以传递 HttpOnly cookie 的方法是将选项“withCredentials”设置为 true。但是好像不行。
请注意,我似乎没有任何 CORS 问题(相同域,安全,allow-credential 到 true)并且 HTTPS 工作正常
我做错了什么吗?你有什么主意吗?我调用 API 的方式不对吗?
编辑:这是我关于 cookie 的捆绑配置:
gesdinet_jwt_refresh_token:
# ...
ttl: 62000
return_expiration: true
cookie:
enabled: true
same_site: lax
path: /
domain: mysite.com
http_only: true
secure: true
remove_token_from_body: true
好的,所以在请求 /api/token/refresh 时我的刷新令牌未通过的原因是因为您需要在“刷新”请求本身中使用 withCredentials: true,而且在调用初始“登录”路线!
仅在“刷新”路由上使用此选项不足以使其正常工作