我正在尝试进行经过身份验证的帖子请求,我需要CSRF.当我登录时,_csrf_token
由于某种原因它不会生成:
2.0.0p247 :126 > app.post '/community_members/login', {"refinery_user[login]"=>'chloe', 'refinery_user[password]'=>'test'} => 302 2.0.0p247 :127 > app.session => {"warden.user.refinery_user.key"=>[[56], "$2a$10$gr/rTcQfuXnes1Zml3qOPu"], "session_id"=>"f77d89cef9ff1710890f575b479bb690"}
我app.session[:_csrf_token] ||= SecureRandom.base64(32)
在登录前尝试过,但总是被删除.我还尝试先获取登录表单,但_csrf_token
仍未设置.
2.0.0p247 :133 > app.get '/community_members/sign_in' 2.0.0p247 :134 > app.response # authenticity_token is burried in the raw HTML 2.0.0p247 :136 > app.post '/community_members/login', {"refinery_user[login]"=>'chloe', 'refinery_user[password]'=>'test'} 2.0.0p247 :137 > app.session => {"warden.user.refinery_user.key"=>[[56], "$2a$10$gr/rTcQfuXnes1Zml3qOPu"], "session_id"=>"c2c564229e55b81ca788788558d7d11a"}
如何手动生成令牌以传递给帖子请求?
哦,好吧,我想我需要在登录表单中提交authenticity_token(在获取登录表单后在会话中设置),然后将其永久地放入会话中!这有效:
app.post '/ community_members /登录',{ 'authenticity_token'=> 'GfT5GtcUmYQ927oNQmh2MR0NKQucGSx8mtMg3Ph9kXw =' "refinery_user [登录]"=> '批发', 'refinery_user [口令]'=> '测试'}
以下是一个完整的示例:https://stackoverflow.com/a/23899701/148844
我觉得使用Nokogiri解析响应有点沉重,所以我写了一个简单的正则表达式来将真实性标记从响应中拉出来.
app.get '/api_with_form' authenticity_token = app.response.body.match(/<[^<]+authenticity_token[^>]+value="([^"]+)"[^>]+>/)[1]
我正在使用它登录
app.get '/users/sign_in' authenticity_token = app.response.body.match(/<[^<]+authenticity_token[^>]+value="([^"]+)"[^>]+>/)[1] app.post '/users/sign_in', 'user[email]' => 'my_username', 'user[password]' => 'my_password', authenticity_token: authenticity_token