这是 REST API Laravel 服务器的 完全可重现 docker 镜像:
FROM php
RUN apt-get update
RUN apt-get install zip -y
COPY --from=composer:latest /usr/bin/composer /usr/local/bin/composer
RUN composer create-project laravel/laravel frontend
WORKDIR frontend
COPY web.php web.php
RUN mv web.php routes
EXPOSE 8000
CMD [ "php", "artisan", "serve", "--host", "0.0.0.0" ]
我唯一编辑的是单个端点(
web.php<?php
use Illuminate\Support\Facades\Route;
Route::get('/', function () {
return csrf_token();
});
Route::post('/', function (Request $request) {
if ($request->hasFile('source' )) { return ">> GOOD ! <<"; }
if ($request->hasFile('input.json')) { return ">> GOOD ! <<"; }
$x = count($_FILES);
return "DD >> $x << DD";
});
我构建并运行 docker 镜像如下:
$ docker build --tag host.translator.php --file Dockerfile .
$ docker run -p 8008:8000 -d -t --name translator.php host.translator.php
$ Set-Variable -Name X -Value (curl.exe -X GET -F "[email protected]" http://127.0.0.1:8008/)
# X holds the token:
# echo $X
# U263lUv3dz9PH7ySm3GmgUUjHjjWm78cqofODUmh
但是当我尝试使用该令牌时它不起作用:
$ curl.exe --header "X-CSRFToken:$X" -X POST -F "[email protected]" http://127.0.0.1:8008/ | Select-String "<title>Page Expired"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6851 0 6609 100 242 80486 2947 --:--:-- --:--:-- --:--:-- 83548
<title>Page Expired</title>
非常感谢任何帮助 - 谢谢!
编辑:
#
# used a new variable Z - just to be sure ...
#
$ Set-Variable -Name Z -Value (curl.exe -b cookiejar -X GET -F "[email protected]" http://127.0.0.1:8008/)
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 282 0 40 100 242 527 3194 --:--:-- --:--:-- --:--:-- 3760
$ echo $Z # this looks good, right ?
aHvU5WOaGs9qxOIzgdYb90TJUKPDgDaNhYjQNALW
#
$ type .\cookiejar # this looks ... hmmm ... good (I think ?)
# Netscape HTTP Cookie File
# https://curl.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
#HttpOnly_127.0.0.1 FALSE / FALSE 1711103819 laravel_session eyJpdiI6IllsOW9KdlVzT1ZPcUJDOUdQRnUyZHc9PSIsInZhbHVlIjoiekpING13WFRaaDRLUHBUcVpNM0VjblBwVjlXM1VrSU1uYUF3dk43d0J6c0RvSDJ5UWZOU3lla1lKVjBNRnNVTXJOaTNMdmt3dlIvdW5HZDk1ODZUb0gxVWMySHh5cXBWeG5XbjVMQlpMQ2xoMzM0ODROQ1FGQ0NMQzFNaHNQMXMiLCJtYWMiOiI0MTg3ZTM0NTlmNWMzZGUyZDY3YzI2YWViYzc2MDZhMjAyMjA2NzE5YmRmYTRmYWRmYzQxODIzYmVlOThlZTkxIiwidGFnIjoiIn0%3D
#
# Now let's cross our fingers extra strong !
#
$ curl.exe -c cookiejar --header "X-CSRFToken:$Z" -X POST -F "[email protected]" http://127.0.0.1:8008/ | Select-String "<title>Pa
ge Expired"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6851 0 6609 100 242 85705 3138 --:--:-- --:--:-- --:--:-- 87833
242 83137 3044 --:--:- <title>Page Expired</title>- --
:--:-- --:--:-- 85637
参见
https://laravel.com/docs/11.x/csrfX-CSRF-TOKEN标头(
不是
X-CSRFToken,因为您输入错误)并传递正确的 CSRF 令牌。CSRF token 的机制如下:
该站点允许您运行一些入口点(例如一些 GET 请求),而无需传递 CSRF
您可以从 CSRF 保护中排除 URL,
但要小心,如果可能的话,不要降低您的安全标准 via
->withMiddleware(function (Middleware $middleware) {
$middleware->validateCsrfTokens(except: [
'stripe/*',
'http://example.com/foo/bar',
'http://example.com/foo/*',
]);
})
然后该请求将被正确处理。如果它是一个入口点(例如为 SSO 发布 JWT),那么允许该特定端点在没有 CSRF 的情况下运行是有意义的,因为无论如何它都会对用户进行身份验证。否则,您将始终需要获取最新的 CSRF 令牌并将其添加到请求的标头中。