HttpOnly cookie 未在请求中传递

HttpOnly cookie does not get passed in request

我正在尝试在我的 symfony 项目中实现 markitosgv/JWTRefreshTokenBundle,以便获得刷新我的 JWT 令牌的方法。 为此,我想生成一个 HttpOnly cookie,这是捆绑包支持的东西。

当我从前端 (angular 13) 登录时,我得到了我的 JWT 令牌(来自 lexik/LexikJWTAuthenticationBundle),以及 set-cookie header 这样的:

Request URL: https://api.mysite.com/api/login_check
Request Method: POST
Status Code: 200 OK
Remote Address: 192.168.1.43:443
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://front.mysite.com:4200
Access-Control-Expose-Headers: link
Cache-Control: no-cache, private
Connection: Keep-Alive
Content-Type: application/json
Date: Mon, 25 Apr 2022 15:54:30 GMT
Keep-Alive: timeout=5, max=99
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: refresh_token=a2615d6dd2986680fd79807c61d050424b4e290090a4beaf1f1063c0c8f1807681d86c1c07216630a629667e711897dbae7a6083884d3f19b028aa72f9bbca84; expires=Tue, 26-Apr-2022 09:07:50 GMT; Max-Age=62000; path=/; domain=mysite.com; secure; httponly; samesite=lax
Transfer-Encoding: chunked
X-Debug-Token: e31102
X-Debug-Token-Link: https://api.mysite.com/_profiler/e31102
X-Robots-Tag: noindex

当然,我无法检查是否已创建 cookie,因为它是 HttpOnly

然后在我的 angular 中,我有一个带有以下简单代码的测试按钮:

  onCallRefreshToken() {
    this.http.post('https://api.mysite.com/api/token/refresh', {site:2}, {withCredentials: true}).subscribe((datas) =>{
      console.log('datas', datas);
    });

  }

当我 运行 它时,我收到以下错误:[401] Missing JWT Refresh Token

如果在 sympfony 中转储请求,我看到 $request->cookies->parameters 是空的。当我查看 Chrome 检查员发送的请求时,我看到以下内容:

Request URL: https://api.mysite.com/api/token/refresh
Request Method: POST
Status Code: 401 Unauthorized
Remote Address: 192.168.1.43:443
Referrer Policy: strict-origin-when-cross-origin
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://front.mysite.com:4200
Access-Control-Expose-Headers: link
Cache-Control: no-cache, private
Connection: Keep-Alive
Content-Type: application/json
Date: Mon, 25 Apr 2022 16:00:44 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.41 (Ubuntu)
Transfer-Encoding: chunked
Vary: Authorization
X-Debug-Token: 54c0bb
X-Debug-Token-Link: https://api.mysite.com/_profiler/54c0bb
X-Robots-Tag: noindex
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Authorization: Bearer AVeryLongAndValidTokenHere
Connection: keep-alive
Content-Length: 10
Content-Type: application/json
Host: api.mysite.com
Origin: https://front.mysite.com:4200
Referer: https://front.mysite.com:4200/
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

(故意删除 JWT 令牌) 正如您所看到的,cookie 似乎没有在请求中传递,这显然可以解释为什么我没有在我的 symfony API.

中得到它

因此,根据我的阅读,“配置”angular http 调用以传递 HttpOnly cookie 的方法是将选项“withCredentials”设置为 true。但是好像不行。

请注意,我似乎没有任何 CORS 问题(相同域,安全,allow-credential 到 true)并且 HTTPS 工作正常

我做错了什么吗?你有什么主意吗?我调用 API 的方式不对吗?

编辑:这是我关于 cookie 的捆绑配置:

gesdinet_jwt_refresh_token:
    # ...
    ttl: 62000
    return_expiration: true
    cookie:
        enabled: true
        same_site: lax
        path: /
        domain: mysite.com
        http_only: true
        secure: true
        remove_token_from_body: true

好的,所以在请求 /api/token/refresh 时我的刷新令牌未通过的原因是因为您需要在“刷新”请求本身中使用 withCredentials: true,而且在调用初始“登录”路线!

仅在“刷新”路由上使用此选项不足以使其正常工作