Django session value differs from what was originally set

Time: 2017-08-05 01:36:09

Tags: django session

First, I have SESSION_SAVE_EVERY_REQUEST = True in my settings.

Using OAuth 2.0, I have a view that lets a user log in to QuickBooks:

from urllib.parse import urlencode

from django.conf import settings
from django.http import HttpResponse, HttpResponseBadRequest
from django.shortcuts import redirect

def get_CSRF_token(request):
    # Reuse the token stored in the session, or create one on first use.
    token = request.session.get('csrfToken', None)
    if token is None:
        token = getSecretKey()  # poster's helper, not shown in the question
        request.session['csrfToken'] = token
    return token

def connectToQuickbooks(request):
    # Authorization endpoint taken from the provider's discovery document
    # (getDiscoveryDocument is the poster's helper, not shown in the question).
    url = getDiscoveryDocument.auth_endpoint
    params = {
        'scope': settings.ACCOUNTING_SCOPE,
        'redirect_uri': settings.REDIRECT_URI,
        'response_type': 'code',
        'state': get_CSRF_token(request),  # echoed back by the provider
        'client_id': settings.CLIENT_ID
    }
    url += '?' + urlencode(params)
    return redirect(url)

getSecretKey generates a random 40-character string.

Then QuickBooks sends the same random string that I saved in the session back in the state parameter:

def authCodeHandler(request):
    state = request.GET.get('state', None)
    error = request.GET.get('error', None)
    csrfToken = get_CSRF_token(request)
    # format() instead of '+' so a missing state does not raise TypeError
    print("State: {} csrfToken: {}".format(state, csrfToken))
    if error == 'access_denied':
        return redirect('index')
    if state is None:
        return HttpResponseBadRequest()
    elif state != csrfToken:  # validate against CSRF attacks
        return HttpResponse('unauthorized', status=401)
...
...

But when get_CSRF_token is called, it gives me something different from what I have in the session.
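The issue/validate pair for an OAuth 2.0 state value, written as an added example rather than code from the question; it accepts any MutableMapping where Django's request.session would go (the assumed session key oauth_state is mine), so it runs without Django. Unlike get_CSRF_token above, it never mints a replacement token during the callback, so a callback that arrives with a session lacking the stored value is reported as such instead of failing as an apparent mismatch.

```python
import hmac
import secrets
from typing import MutableMapping, Optional, Tuple

STATE_KEY = "oauth_state"  # assumed session key, not from the original post


def issue_state(session: MutableMapping) -> str:
    """Create a fresh state value, store it in the session and return it.

    A new value per authorization request keeps the state single-use and
    unpredictable; secrets.token_urlsafe(32) gives 256 bits of entropy.
    """
    state = secrets.token_urlsafe(32)
    session[STATE_KEY] = state
    return state


def validate_state(session: MutableMapping,
                   returned_state: Optional[str]) -> Tuple[bool, str]:
    """Compare the state echoed back by the provider with the session copy.

    The stored value is removed whether or not it matches, so a captured
    redirect cannot be replayed. Returns (ok, reason).
    """
    expected = session.pop(STATE_KEY, None)
    if returned_state is None:
        return False, "missing state"
    if expected is None:
        # This is the symptom in the question: the callback is being served
        # with a session that never held the value (new or expired session).
        return False, "no state in session"
    # Constant-time comparison on bytes; str input may be non-ASCII.
    if not hmac.compare_digest(expected.encode(), returned_state.encode()):
        return False, "state mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sessions standing in for request.session.
    browser_session = {}
    state = issue_state(browser_session)          # before the redirect
    print(validate_state(browser_session, state))  # callback, same session
    print(validate_state({}, state))               # callback, fresh session
```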

0 answers:

No answers