I am using Laravel 5.8, separating the front end from the back end, and currently testing on localhost.
I have already worked through some serious CORS problems, and I don't want to install an external Composer package to solve something this simple.
I simply initiate the user session by sending a GET request to /user, which sets the session cookie, starts the session and fetches a CSRF token.
Everything works: a 200 response and no CORS errors, yet the cookies are not saved, even though Access-Control-Allow-Credentials: true is set.
This is a problem, because in order to log in the CSRF token and the cookie must match. So if the cookie is not set for the user, there is no way to authenticate securely.
As the cookie domain I am using http://localhost
// The global Axios config I'm using to make all requests.
import axios from 'axios';

const main_axios = axios.create({
    baseURL: process.env.ROOT_API + process.env.API_VERSION,
    // Send and accept cookies on cross-origin requests; the server must answer
    // with Access-Control-Allow-Credentials: true and a non-wildcard origin.
    withCredentials: true,
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
    },
});
GET request to /user to initialise the cookies and the session and to fetch the csrf token:
Host: localhost:8000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/
Origin: http://localhost:8080
DNT: 1
Connection: keep-alive
Cache-Control: max-age=0
Response: (200)
HTTP/1.1 200 OK
Host: localhost:8000
Date: Tue, 24 Sep 2019 14:45:02 -0400
Connection: close
X-Powered-By: PHP/7.2.11
Cache-Control: no-cache, private
Date: Tue, 24 Sep 2019 18:45:02 GMT
Content-Type: application/json
Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization, DNT, X-Requested-With, Application
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://localhost:8080
Set-Cookie: XSRF-TOKEN=<...>; expires=Tue, 24-Sep-2019 20:45:02 GMT; Max-Age=7200; path=/; domain=http://localhost
Set-Cookie: smartgames_session=<...>; expires=Tue, 24-Sep-2019 20:45:02 GMT; Max-Age=7200; path=/; domain=http://localhost
Response body
{"token":"8yNgrCV8YNs9fU46rSHky2vonzqrmN0S8blxzUWM"}
The Set-Cookie headers are not saved in the browser.
console.log(document.cookie);
""
The console does not show the CORS warnings I was getting before.
Cors middleware:
<?php

namespace App\Http\Middleware;

use Closure;

class Cors
{
    public function handle($request, Closure $next)
    {
        // Run the rest of the pipeline first, then attach the CORS headers to
        // whatever response comes back (including the Set-Cookie response from /user).
        return $next($request)
            ->header('Access-Control-Allow-Headers', 'Origin, Content-Type, Accept, Authorization, DNT, X-Requested-With, Application')
            ->header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
            // Needed for a withCredentials request to be allowed to read the response
            ->header('Access-Control-Allow-Credentials', 'true')
            // One fixed origin; a wildcard is not accepted together with credentials
            ->header('Access-Control-Allow-Origin', 'http://localhost:8080');
    }
}
Kernel:
protected $middleware = [
\App\Http\Middleware\Cors::class,
...
];
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\Cors::class,
...
],
...
];
protected $routeMiddleware = [
'cors' => \App\Http\Middleware\Cors::class,
...
];
protected $middlewarePriority = [
\App\Http\Middleware\Cors::class,
...
];
Routes:
Route::group(['middleware' => ['cors']], function () {
// to get cookies and get csrf
Route::get('/user', 'API\v1\UserController@user_init');
Auth::routes();
});
Before starting the server:
$ php artisan cache:clear && php artisan route:cache && php artisan serve
Any help is greatly appreciated, I have struggled with this for a long time. Thanks everyone
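As an added example, not code from the question, from Laravel or from axios: a small Node.js model of the two checks a browser applies to a credentialed cross-origin response before a Set-Cookie from it reaches the cookie jar, the Fetch standard's CORS check for requests sent with credentials and the Domain-attribute processing from RFC 6265 section 5.3. The origin, host and header values below are constructed to mirror the captured request and response (cookie values shortened); the function names are the example's own.

```javascript
// Added example, not code from the question, Laravel or axios: a model of the
// two checks a browser applies to a credentialed cross-origin response before
// a Set-Cookie from it ends up in the cookie jar.
//   1. the Fetch standard's CORS check for requests sent with credentials, and
//   2. RFC 6265 section 5.3 processing of the cookie's Domain attribute.
// Hosts, origins and header values below are constructed to mirror the capture.

// RFC 6265 section 5.1.3: does `host` domain-match `domain`?
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return host.endsWith(domain) &&
    host[host.length - domain.length - 1] === '.' &&
    !/^[\d.]+$/.test(host); // the host must be a name, not an IPv4 literal
}

// Split one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';');
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// RFC 6265 section 5.3 steps 4-6, for a response received from `requestHost`
// (the host name only; cookies are not scoped by port or scheme).
function evaluateCookie(header, requestHost) {
  const c = parseSetCookie(header);
  const raw = c.attrs.domain;
  if (raw === undefined || raw === true || raw === '') {
    return { name: c.name, stored: true, hostOnly: true,
             reason: 'no Domain attribute: host-only cookie for ' + requestHost };
  }
  const domain = raw.toLowerCase().replace(/^\./, '');
  // Explicit check so the reason is obvious: Domain takes a bare domain name.
  // The generic domain-match below would reject a value with a scheme anyway.
  if (/[:/]/.test(domain)) {
    return { name: c.name, stored: false,
             reason: 'Domain="' + domain + '" is not a domain name (scheme or port present); cookie ignored' };
  }
  if (!domainMatches(requestHost, domain)) {
    return { name: c.name, stored: false,
             reason: requestHost + ' does not domain-match ' + domain + '; cookie ignored' };
  }
  return { name: c.name, stored: true, hostOnly: false, reason: 'stored for ' + domain + ' and its subdomains' };
}

// Fetch standard CORS check for a request made with credentials: the origin
// must be echoed exactly (no wildcard) and Allow-Credentials must be "true".
function corsCredentialedCheck(requestOrigin, headers) {
  const acao = headers['access-control-allow-origin'];
  const acac = headers['access-control-allow-credentials'];
  return acao !== undefined && acao !== '*' && acao === requestOrigin && acac === 'true';
}

// Apply both checks to a response: its CORS headers plus its Set-Cookie lines.
function evaluateResponse(requestOrigin, requestHost, headers, setCookies) {
  return {
    corsOk: corsCredentialedCheck(requestOrigin, headers),
    cookies: setCookies.map((h) => evaluateCookie(h, requestHost)),
  };
}

// Constructed to mirror the captured response (cookie values shortened).
const REQUEST_ORIGIN = 'http://localhost:8080';
const REQUEST_HOST = 'localhost'; // API on localhost:8000; the port does not scope cookies
const RESPONSE_HEADERS = {
  'access-control-allow-origin': 'http://localhost:8080',
  'access-control-allow-credentials': 'true',
};
const CAPTURED_SET_COOKIES = [
  'XSRF-TOKEN=abc; expires=Tue, 24-Sep-2019 20:45:02 GMT; Max-Age=7200; path=/; domain=http://localhost',
  'smartgames_session=def; expires=Tue, 24-Sep-2019 20:45:02 GMT; Max-Age=7200; path=/; domain=http://localhost',
];
// The same cookies with the Domain attribute removed (host-only), for comparison.
const HOST_ONLY_SET_COOKIES = CAPTURED_SET_COOKIES.map((h) => h.replace(/; domain=[^;]*/i, ''));

console.log(JSON.stringify(evaluateResponse(REQUEST_ORIGIN, REQUEST_HOST, RESPONSE_HEADERS, CAPTURED_SET_COOKIES), null, 2));
console.log(JSON.stringify(evaluateResponse(REQUEST_ORIGIN, REQUEST_HOST, RESPONSE_HEADERS, HOST_ONLY_SET_COOKIES), null, 2));
```

Two things worth keeping in mind when reading the output. Cookies are scoped by host name, not by port or scheme, so a host-only cookie stored for localhost by the API on port 8000 is also sent to the app on port 8080, and the 8080/8000 split by itself does not stop storage; a Domain attribute, when present, has to be a bare domain name that the request host domain-matches, otherwise the user agent drops the whole Set-Cookie. Separately, document.cookie never shows a cookie flagged HttpOnly, so it is only a partial check; the browser's storage inspector shows what was actually stored.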