
ory kratos csrf cookie not sent behind nginx ssl


Go
肥皂起泡泡 2022-09-05 09:15:17
I'm using Go and ory kratos in docker, and on localhost on my machine everything works fine. Authentication works, all cookies are sent and set, and I can call my backend from the SPA and authenticate. The problem is that on the live server behind nginx ssl, apparently one cookie is not sent from my js client (only ory_kratos_session is sent, not the xxx_csrf_token cookie), and it fails in the middleware with the "Cookie missing" error.

It uses the official Go SDK: kratos-client-go

Go auth-required middleware:

    package middleware

    import (
        "errors"
        "net/http"
        "strings"

        kratos "github.com/ory/kratos-client-go"
    )

    // kratosClient is the SDK client configured against the Kratos public URL.
    var kratosClient *kratos.APIClient

    // ExtractKratosCookiesFromRequest picks the Kratos CSRF cookie (any cookie whose
    // name ends in "csrf_token") and the session cookie out of the incoming request,
    // and also returns the raw Cookie header so it can be forwarded to Kratos.
    func ExtractKratosCookiesFromRequest(r *http.Request) (csrf, session *http.Cookie, cookieHeader string) {
        cookieHeader = r.Header.Get("Cookie")
        for _, c := range r.Cookies() {
            if c != nil && strings.HasSuffix(c.Name, "csrf_token") {
                csrf = c
            }
        }
        if sessionCookie, err := r.Cookie("ory_kratos_session"); err == nil {
            session = sessionCookie
        }
        return
    }

    // AuthRequired rejects the request unless both cookies are present and Kratos
    // confirms the session through the whoami endpoint.
    func AuthRequired(w http.ResponseWriter, r *http.Request) error {
        csrfCookie, sessionCookie, cookieHeader := ExtractKratosCookiesFromRequest(r)
        if csrfCookie == nil || sessionCookie == nil || csrfCookie.Value == "" || sessionCookie.Value == "" {
            return errors.New("Cookie missing")
        }
        req := kratosClient.PublicApi.Whoami(r.Context()).Cookie(cookieHeader)
        if _, _, err := req.Execute(); err != nil {
            return errors.New("Whoami error")
        }
        return nil
    }

My js http client has the option: credentials: 'include'

In the devtools panel I only see 1 cookie (ory_kratos_session) after registration/login. So what fails is that the request only sends ory_kratos_session and not the xxx_csrf_token cookie (this works on localhost in kratos --dev mode, and the cookie is visible in the devtools panel).

2 answers

慕桂英546537

Contributed 1848 experience points, received 10+ upvotes

I believe your kratos config is incorrect. The serve.public.base_url property should be the url the request originates from, e.g. https://example.com/kratos/ and not your localhost http://127.0.0.1:4433.

Also, just a suggestion: your admin endpoint should never be exposed to the public; your backend services should request the admin URL over an internal network (e.g. inside Docker or on localhost). You should remove serve.admin.base_url (http://127.0.0.1:4434) from nginx.

The nginx config looks correct to me. I believe you just need this:

location /kratos/ {
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass http://127.0.0.1:4433;
}


Replied 2022-09-05
12345678_0001

Contributed 1802 experience points, received 5+ upvotes

I did manage to fix it; it works fine in production without the --dev flag, and it doesn't break even after restarting services and changing everything.


Maybe it was even my React form; I used defaultValue for the csrf token input.

Now, whenever the window.location url changes or csrf_token changes, it should use the latest value as csrf_token:

    const [csrf, setCsrf] = React.useState('');

    useEffect(() => {
      if (flowResponse !== null) {
        // pull the current csrf_token out of the Kratos flow's UI nodes
        const csrfVal = flowResponse?.ui?.nodes?.find?.(n => n.attributes.name === 'csrf_token')?.attributes.value;
        setCsrf(csrfVal);
      }
    }, [flowResponse, csrf]);

    // controlled value instead of defaultValue, so a refreshed token is actually submitted
    <input type='hidden' name='csrf_token' value={csrf} readOnly required />

The worst part is that it could also have been a trailing slash or something equally small; I'm not sure exactly what caused it.

Here I'm posting all the configs that worked for me:

Possibly I had previously tried this kratos url with http://127.0.0.1:4433 or http://kratos:4433, but it didn't work (even though I switched between these 3, lol).


init kratos client

    // kratos is the imported github.com/ory/kratos-client-go package
    conf := kratos.NewConfiguration()
    conf.Servers[0].URL = "https://example.com/kratos/" // the public base_url as served by nginx
    kratosClient := kratos.NewAPIClient(conf)

kratos.yml

version: v0.6.2-alpha.1

dsn: postgres://test:test@postgresd:5432/test?sslmode=disable&max_conns=20&max_idle_conns=4

serve:
  public:
    base_url: https://example.com/kratos/
    cors:
      enabled: true
      debug: true
      allow_credentials: true
      options_passthrough: true
      max_age: 0
      allowed_origins:
        - https://example.com
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
        - OPTIONS
      allowed_headers:
        - Authorization
        - Cookie
        - Origin
        - X-Session-Token
      exposed_headers:
        - Content-Type
        - Set-Cookie
  admin:
    base_url: http://127.0.0.1:4434/

selfservice:
  default_browser_return_url: https://example.com
  whitelisted_return_urls:
    - https://example.com
    - https://example.com/dashboard
    - https://example.com/auth/login
  methods:
    password:
      enabled: true
    oidc:
      enabled: false
    link:
      enabled: true
    profile:
      enabled: true
  flows:
    error:
      ui_url: https://example.com/error
    settings:
      ui_url: https://example.com/dashboard/profile
      privileged_session_max_age: 15m
    recovery:
      enabled: true
      ui_url: https://example.com/auth/recovery
      after:
        default_browser_return_url: https://example.com/auth/login
    verification:
      enabled: true
      ui_url: https://example.com/auth/verification
      after:
        default_browser_return_url: https://example.com
    logout:
      after:
        default_browser_return_url: https://example.com
    login:
      ui_url: https://example.com/auth/login
      lifespan: 10m
    registration:
      lifespan: 10m
      ui_url: https://example.com/auth/registration
      after:
        password:
          hooks:
            - hook: session
          default_browser_return_url: https://example.com/auth/login
        default_browser_return_url: https://example.com/auth/login
        oidc:
          hooks:
            - hook: session

secrets:
  cookie:
    - veRy_S3cRet_tHinG

session:
  lifespan: 24h
  cookie:
    domain: example.com
    same_site: Lax
    path: /
    # <- i didn't have path before, not sure if it changes anything but it works (before csrf cookie had path /kratos and now when it works it has path /, same as session_cookie)

hashers:
  argon2:
    parallelism: 1
    memory: 128MB
    iterations: 1
    salt_length: 16
    key_length: 16

identity:
  default_schema_url: file:///etc/config/kratos/identity.schema.json

courier:
  smtp:
    connection_uri: smtp://user:pwd@smtp.mailtrap.io:2525
    from_name: example
    from_address: office@example.cpm

watch-courier: true

log:
  level: debug
  format: text
  leak_sensitive_values: true

nginx.conf

server {
    server_name example.com www.example.com;

    location / {
        root /var/www/public;
        try_files $uri $uri/ /index.html;
    }

    location /api/ {
        proxy_pass http://127.0.0.1:3001; # backend api url
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header x-forwarded-proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
    }

    location /kratos/ {
        proxy_pass http://127.0.0.1:4433/; # kratos public url
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header x-forwarded-proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    # certs...
}

server {
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com;
    return 404; # managed by Certbot
}


Replied 2022-09-05
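The second answer's own observation is the key: before the fix the CSRF cookie carried Path=/kratos, and once it worked it had Path=/ like the session cookie. The Go program below is added here as an illustration (it is not code from the question, the answers or the Ory project) and uses net/http/cookiejar, which applies the same RFC 6265 path-match rule a browser does, to show why that matters: a cookie scoped to /kratos is never attached to requests for the SPA's backend under /api/, so a middleware like AuthRequired in the question sees only ory_kratos_session. The URLs and the token value are constructed for the demo; the cookie name xxx_csrf_token is the placeholder the question uses.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// Constructed values for the demonstration; all on the same origin, as on the page.
const (
	csrfCookieName = "xxx_csrf_token" // placeholder name from the question
	setFromURL     = "https://example.com/kratos/self-service/login/browser"
	apiURL         = "https://example.com/api/profile" // the SPA's Go backend behind nginx
	whoamiURL      = "https://example.com/kratos/sessions/whoami"
)

// cookieNamesSentTo stores one cookie as if a browser had received it in a
// Set-Cookie response from setFrom, then reports which cookie names that
// browser would attach to a later request for reqURL. The jar applies the
// RFC 6265 domain, secure and path-match rules, so the result mirrors what
// the devtools Network panel would show.
func cookieNamesSentTo(setFrom, reqURL, name, path string) ([]string, error) {
	jar, err := cookiejar.New(nil)
	if err != nil {
		return nil, err
	}
	origin, err := url.Parse(setFrom)
	if err != nil {
		return nil, err
	}
	// Attributes chosen to match the page's session.cookie settings (Lax, host example.com).
	jar.SetCookies(origin, []*http.Cookie{{
		Name:     name,
		Value:    "constructed-token-value",
		Path:     path,
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}})
	target, err := url.Parse(reqURL)
	if err != nil {
		return nil, err
	}
	names := []string{}
	for _, c := range jar.Cookies(target) {
		names = append(names, c.Name)
	}
	return names, nil
}

func main() {
	for _, path := range []string{"/kratos", "/"} {
		for _, target := range []string{apiURL, whoamiURL} {
			names, err := cookieNamesSentTo(setFromURL, target, csrfCookieName, path)
			if err != nil {
				panic(err)
			}
			fmt.Printf("cookie Path=%-8s request %-50s -> sent: %v\n", path, target, names)
		}
	}
}
```

Run it with go run: the Path=/kratos rows show the CSRF cookie reaching only the whoami path, while Path=/ reaches both the backend and Kratos. Two points worth keeping in mind: cookie paths are a routing convenience, not a security boundary (RFC 6265 is explicit that cookies provide no isolation by path), so the isolation still comes from Domain, Secure and SameSite; and widening the path to / is precisely what lets a same-site backend under /api/ receive the cookie and forward the Cookie header to Kratos, as the middleware in the question does.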
  • 2 answers
  • 0 followers
  • 201 views