无法验证 CSRF 令牌的真实性!带有 POST 的 RAILS API

【问题标题】:Can't verify CSRF token authenticity! RAILS API with POST无法验证 CSRF 令牌的真实性!带有 POST 的 RAILS API
【发布时间】:2016-09-17 11:09:05
【问题描述】:

我尝试使用 Rails API 发布一个 json 文件。 我已尝试修复但无法运行 这是我的问题:

服务器日志:

Started POST "/students/" for 127.0.0.1 at 2016-09-17 17:45:33 +0700
  ActiveRecord::SchemaMigration Load (0.0ms)  SELECT "schema_migrations".* FROM "schema_migrations"
Processing by Devise::RegistrationsController#create as */*
  Parameters: {"student"=>{"name"=>"Duong", "score"=>"10"}, "registration"=>{"student"=>{"name"=>"Duong", "score"=>"10"}}}
Can't verify CSRF token authenticity.
Unpermitted parameters: name, score
   (0.0ms)  begin transaction
   (0.0ms)  rollback transaction
  Rendering C:/RailsInstaller/Ruby2.2.0/lib/ruby/gems/2.2.0/gems/devise-4.2.0/app/views/devise/registrations/new.html.erb within layouts/application
  Rendered C:/RailsInstaller/Ruby2.2.0/lib/ruby/gems/2.2.0/gems/devise-4.2.0/app/views/devise/shared/_links.html.erb (10.0ms)
  Rendered C:/RailsInstaller/Ruby2.2.0/lib/ruby/gems/2.2.0/gems/devise-4.2.0/app/views/devise/registrations/new.html.erb within layouts/application (60.0ms)
Completed 500 Internal Server Error in 442ms (ActiveRecord: 0.0ms)

学生.rb

这是我的学生模型

class Student < ApplicationRecord
  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable and :omniauthable
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable
end

Application_controller

我有修复异常 => null_session

class ApplicationController < ActionController::Base

  protect_from_forgery with: :null_session

end

Student_controller

class Api::StudentsController < ApplicationController
  def index
    students = Student.all
    render json: students, status: 200
  end
  def show
    response_with Student.find(params[:id])
  end
  def create
    student = Student.new(student_params)
    #if you save successfully than response with json data and status code 201
    if student.save
      render json: user, status: 201, location: student
    else
      render json: {error: user.errors}, status: 422
    end
  end
  private
  def student_params
    params.require(:student).permit(:name, :score)
  end
end

路由器.rb

Rails.application.routes.draw do
  devise_for :students
  namespace :api, path: '/',constraints: {subdomain: 'api'} do
    resources :students, only: [:index, :show, :create]
  end
end

但是,当我向 api.1312100.com/students/ 发送帖子时

{"student": {"name": "Duong", "score": "10"}}

有一个错误:

500 internal server error

【问题讨论】:

  • 你的 中有 吗?
  • 在哪里?
  • 关于 CSRF 错误我不能说太多。但您必须修复 Unpermitted parameters: name, score 错误。尝试将这些参数(即名称和分数)列入白名单

标签: ruby-on-rails json rest


【解决方案1】:

Api::StudentsController 中添加:

skip_before_action :verify_authenticity_token

【讨论】:

  • 想了很多,但还是有:Unpermitted parameters: name, score
  • 你调用 students/ 使用 Post 方法,对于 api 你可以使用你的 api 控制器调用 /api/students/ 使用 post 方法
【解决方案2】:

冰壶:

curl -i -H "Accept: application/json" -H "Content-type:application/json" -X POST -d '{"student": {"name": "Duong", "score": "10"}}' http://api.1312100.com/students/

应用控制器

class ApplicationController < ActionController::Base
    protect_from_forgery with: :exception, if: Proc.new { |c| c.request.format != 'application/json' }
    protect_from_forgery with: :null_session, if: Proc.new { |c| c.request.format == 'application/json' }
end

【讨论】:

  • 这是一个性感的应用程序控制器。 ?
猜你喜欢
  • 2016-09-17
  • 2017-07-15
  • 2015-07-24
  • 2012-05-08
  • 2015-12-29
  • 2023-03-26
  • 2012-12-11
  • 2019-07-15
  • 2014-07-04
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode