设计令牌身份验证不返回不同域上的Set-Cookie头

时间:2017-05-04 09:47:26

标签: ruby-on-rails angularjs ruby devise http-token-authentication

我有一个使用DeviseTokenAuth的rails 4后端和一个使用ngTokenAuth的AngularJS前端。
当前端和后端部署在同一个域上时,身份验证可以正常运行。

在localhost上进行测试时,后端和前端都在两个不同端口上的localhost上运行,sign_in请求以200 OK完成,但响应不包含Set-Cookie标头,因此客户端仍然未经身份验证以下要求。

在这里,您可以看到两种情况下sign_in响应中收到的标题的副本 如果我尝试从本地运行的前端到部署在服务器上的RAILS后端进行身份验证,问题也是一样的。 CORS标头在服务器上配置如下,对于我来说,关于交叉起源的一切似乎都很好:

config.middleware.insert_before 0, "Rack::Cors" do
    allow do
    origins '*'
    resource '*', :headers => :any, :methods => [:get, :post, :options]
    end
end

部署在服务器上

Accept-Ranges:bytes
Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:GET, POST, OPTIONS
Access-Control-Allow-Origin:example.org
Access-Control-Expose-Headers:
Access-Control-Max-Age:1728000
access-token:XXXXXXXXXXOI9s2x0IuVMA
Age:0
Cache-Control:max-age=0, private, must-revalidate
client:XXXXXXXXXXAP2TsoBZTnjg
Connection:keep-alive
Content-Type:application/json; charset=utf-8
Date:Thu, 04 May 2017 09:28:17 GMT
ETag:W/"XXXXXXXXXXc86bb292d476d2366d3742"
expiry:1495099697
Server:nginx/1.10.0 (Ubuntu)
Set-Cookie:_differenthood_session=ZE1NWndTUUVmMkNDbWRWckNNbkpKdWh6SVdaVTFlaGN6XXXXXXXXXXcrb2EzSGd3SFQvN2h3Z2IxOE9BMVYrTjV6YmsvRXpWNmN4T213R2V3MEJ1WWc9PS0tbU01Ymt6YkdOc0VIUTFCK1NUVFlMZz09--861a3aebd1d79f224d9ad810a88e5d5f23e114c0; path=/; HttpOnly
token-type:Bearer
Transfer-Encoding:chunked
uid:login@email.com
Vary:Origin
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Request-Id:c935b76c-d173-48ce-b21c-5e694845148b
X-Runtime:0.629113
X-XSS-Protection:1; mode=block

在localhost上测试

Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:GET, POST, OPTIONS
Access-Control-Allow-Origin:http://localhost:9000
Access-Control-Expose-Headers:
Access-Control-Max-Age:1728000
Access-Token:XXXXXXXXXXXAiR5CQmwYpQ
Cache-Control:max-age=0, private, must-revalidate
Client:XXXXXXXXXXq2UC7GXE0qbw
Connection:Keep-Alive
Content-Length:418
Content-Type:application/json; charset=utf-8
Date:Thu, 04 May 2017 09:27:20 GMT
Etag:W/"XXXXXXXXXX37381b8c1637b2ea1bba96"
Expiry:1495099640
Server:WEBrick/1.3.1 (Ruby/2.2.6/2016-11-15)
Token-Type:Bearer
Uid:login@email.com
Vary:Origin
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Request-Id:3ef1f652-b29f-4fe7-bbb9-3de47f1acddf
X-Runtime:0.653264
X-Xss-Protection:1; mode=block

1 个答案:

答案 0 :(得分:0)

没关系。 我更深入地阅读了文档(https://github.com/lynndylanhurley/devise_token_auth#cors)并找到了为我解决问题的建议CORS配置 添加:

:expose  => ['access-token', 'expiry', 'token-type', 'uid', 'client'],

到问题中发布的CORS配置,问题得到解决。