I am trying to rebuild my API using httpOnly tokens.
This is my login endpoint:
from flask import jsonify, make_response
from flask_restx import Resource  # `api` is the Api object this Resource is registered on (setup not shown)
from flask_jwt_extended import (create_access_token, create_refresh_token,
                                set_access_cookies, set_refresh_cookies)

@api.route("/login")
class UserLogin(Resource):
    def post(self):
        # `user` is the record matched against the submitted credentials (lookup not shown)
        data = dict(login=True)
        resp = make_response(jsonify(**data), 200)
        access_token = create_access_token(identity=user["id"])
        # the whole user record is used as the identity, so it is embedded in the refresh token
        refresh_token = create_refresh_token(user)
        set_access_cookies(resp, access_token)    # Set-Cookie: access_token_cookie=...; HttpOnly
        set_refresh_cookies(resp, refresh_token)  # Set-Cookie: refresh_token_cookie=...; HttpOnly
        return resp
The response headers do seem to contain the tokens:
Set-Cookie: access_token_cookie=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1OTQ4OTUyMTEsIm5iZiI6MTU5NDg5NTIxMSwianRpIjoiYzI4ZmRkYTMtMmU1OC00OTY1LTg0MGEtNjIzZWM1M2E0NDEwIiwiZXhwIjoxNTk0ODk2MTExLCJpZGVudGl0eSI6MzgsImZyZXNoIjpmYWxzZSwidHlwZSI6ImFjY2VzcyJ9.TY6_N48Iks1_gqrot4iHS6r7rNjXN2egXpTMhSz_jHU; HttpOnly; Path=/api/
Set-Cookie: refresh_token_cookie=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1OTQ4OTUyMTEsIm5iZiI6MTU5NDg5NTIxMSwianRpIjoiYTY2OTkxMDQtYWEwNi00MTc2LWE5NmEtYWJjZWExOGJkMjkxIiwiZXhwIjoxNTk3NDg3MjExLCJpZGVudGl0eSI6eyJpZCI6MzgsImVtYWlsIjoibGFuZ21hcmt1c0Bob3RtYWlsLmNvbSIsInBhc3N3b3JkIjoiJDJiJDEyJEVCOTZGbVhYemRVcEdvRWs4LlFJVk94bzhlZnZXTnZUdkkycE5vRmtlQllsbXpVRmQzVGJlIiwiYWN0aXZlIjp0cnVlLCJjcmVhdGVkX2RhdGUiOiIyMDIwLTA3LTE1IDE4OjQ2OjQxIn0sInR5cGUiOiJyZWZyZXNoIn0.8wbKOK2lbzasICoIXS2akfNxhDu8wpmarkzmWXoGUBw; HttpOnly; Path=/token/refresh
I then try to use them against this (normally) protected endpoint and check which user is actually calling it:
from flask_restx import Resource
from flask_jwt_extended import jwt_required, get_jwt_identity

@api.route("/protected")
class Protected(Resource):
    # @jwt_required   # currently commented out; with it enabled the cookie is required
    def get(self):
        # returns None when no JWT was loaded for this request (i.e. decorator disabled)
        username = get_jwt_identity()
        print(username)
        return {"hello": "from {}".format(username)}, 200
So far so good. Then I made a normal GET request to the endpoint and got:
{
"hello": "from None"
}
When I uncomment the decorator, I get:
{
"msg": "Missing cookie \"access_token_cookie\""
}
When I had a plain JWT, I passed it in Postman under the "Authorization" tab in the headers. How does this work with these cookies?
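The round trip the question is asking about, as an added example that is not code from the question or from flask-jwt-extended: with cookies as the token location there is nothing to put in the Authorization tab, because the client (a browser, or Postman's cookie jar once the login request has been sent from the same Postman session) stores the Set-Cookie values and replays them in a Cookie header on later requests to the same host, subject to each cookie's Path. The server then reads access_token_cookie from that header. The block uses only the standard library, a minimal cookie jar standing in for the browser/Postman, and the two tokens copied verbatim from the Set-Cookie headers quoted above; the localhost URLs are assumptions. It also decodes the refresh cookie's payload, which shows that passing the whole user record to create_refresh_token put the e-mail and bcrypt hash into the cookie.

```python
"""Added example (not code from the question): replays the cookie round trip
with the Python standard library so the mechanics are visible without Flask,
flask-jwt-extended or Postman. Tokens are copied verbatim from the question's
Set-Cookie headers; request URLs are assumptions for illustration."""
import base64
import json
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

ACCESS_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpYXQiOjE1OTQ4OTUyMTEsIm5iZiI6MTU5NDg5NTIxMSwianRpIjoiYzI4ZmRkYTMtMmU1OC00OTY1LTg0MGEtNjIzZWM1M2E0NDEwIiwiZXhwIjoxNTk0ODk2MTExLCJpZGVudGl0eSI6MzgsImZyZXNoIjpmYWxzZSwidHlwZSI6ImFjY2VzcyJ9."
    "TY6_N48Iks1_gqrot4iHS6r7rNjXN2egXpTMhSz_jHU"
)
REFRESH_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpYXQiOjE1OTQ4OTUyMTEsIm5iZiI6MTU5NDg5NTIxMSwianRpIjoiYTY2OTkxMDQtYWEwNi00MTc2LWE5NmEtYWJjZWExOGJkMjkxIiwiZXhwIjoxNTk3NDg3MjExLCJpZGVudGl0eSI6eyJpZCI6MzgsImVtYWlsIjoibGFuZ21hcmt1c0Bob3RtYWlsLmNvbSIsInBhc3N3b3JkIjoiJDJiJDEyJEVCOTZGbVhYemRVcEdvRWs4LlFJVk94bzhlZnZXTnZUdkkycE5vRmtlQllsbXpVRmQzVGJlIiwiYWN0aXZlIjp0cnVlLCJjcmVhdGVkX2RhdGUiOiIyMDIwLTA3LTE1IDE4OjQ2OjQxIn0sInR5cGUiOiJyZWZyZXNoIn0."
    "8wbKOK2lbzasICoIXS2akfNxhDu8wpmarkzmWXoGUBw"
)

# Set-Cookie values exactly as the login response in the question sends them.
LOGIN_SET_COOKIE_HEADERS = [
    f"access_token_cookie={ACCESS_TOKEN}; HttpOnly; Path=/api/",
    f"refresh_token_cookie={REFRESH_TOKEN}; HttpOnly; Path=/token/refresh",
]


def jwt_payload(token):
    """Decode a JWT payload WITHOUT verifying the signature: the claims are
    plain base64url, readable by anyone holding the cookie. Only the server
    (flask-jwt-extended inside @jwt_required) checks the HMAC."""
    _header, payload, _signature = token.split(".")
    payload += "=" * (-len(payload) % 4)  # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match: what a browser or Postman applies
    before attaching a cookie to an outgoing request."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieJar:
    """Minimal client-side jar: remembers Set-Cookie, replays the matching
    cookies as a Cookie header. Postman does this for you automatically."""

    def __init__(self):
        self.cookies = []  # (name, value, path, httponly)

    def store(self, set_cookie_headers):
        for header in set_cookie_headers:
            for name, morsel in SimpleCookie(header).items():
                self.cookies.append(
                    (name, morsel.value, morsel["path"] or "/", bool(morsel["httponly"]))
                )

    def cookie_header(self, url):
        request_path = urlsplit(url).path or "/"
        return "; ".join(
            f"{name}={value}"
            for name, value, path, _ in self.cookies
            if path_matches(path, request_path)
        )

    def script_visible_names(self):
        """What document.cookie would expose: HttpOnly cookies are excluded,
        which is the point of moving the JWT out of JavaScript's reach."""
        return [name for name, _, _, httponly in self.cookies if not httponly]


def protected_view(cookie_header):
    """Server side of /protected with cookies as the token location: the token
    is taken from the Cookie header, never from Authorization."""
    cookies = SimpleCookie(cookie_header)
    if "access_token_cookie" not in cookies:
        return {"msg": 'Missing cookie "access_token_cookie"'}
    identity = jwt_payload(cookies["access_token_cookie"].value)["identity"]
    return {"hello": "from {}".format(identity)}


def refresh_identity_keys():
    """Keys stored under 'identity' in the refresh cookie. Because the whole
    user record was passed to create_refresh_token, the e-mail and bcrypt hash
    travel in every refresh request, readable by anyone who obtains the cookie."""
    return sorted(jwt_payload(REFRESH_TOKEN)["identity"].keys())


if __name__ == "__main__":
    jar = CookieJar()
    jar.store(LOGIN_SET_COOKIE_HEADERS)  # the login response
    print("visible to JavaScript:", jar.script_visible_names())
    for url in ("http://localhost:5000/api/protected", "http://localhost:5000/protected"):
        print(url, "->", protected_view(jar.cookie_header(url)))
    print("refresh identity claim keys:", refresh_identity_keys())
```

Two things to check in practice follow from this. The access cookie carries Path=/api/ (the JWT_ACCESS_COOKIE_PATH setting), so it is only sent to URLs under /api/; a protected endpoint mounted elsewhere gets no cookie and flask-jwt-extended answers exactly with the "Missing cookie" message seen above. And if JWT_COOKIE_CSRF_PROTECT is left at its default, requests with state-changing methods also have to carry the CSRF token from the companion csrf cookie in the X-CSRF-TOKEN header; a plain GET does not.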