I'm setting up OAuth2 in my app using the Authorization Grant flow.
(我正在使用“授权授予”流程在我的应用中设置OAuth2。)
I am also using create-react-app, such that I'm developing on localhost:3000
, which proxies to my app server backend on localhost:8080
. (我也在使用create-react-app,这样我就在localhost:3000
上进行开发,它代理了我在localhost:8080
上的应用程序服务器后端。)
Everything mostly works, except for the fact that I cannot get the CSRF
token working.
(除了我无法使CSRF
令牌正常工作之外,其他所有东西都可以正常工作。)
I realized it was because I was having the OAuth2 Redirect URL set to the backend, and as a result it was not sending the private encrypted csrf_state
cookie along, because the request was originating from google instead of my app.
(我意识到这是因为我将OAuth2重定向URL设置为后端,因此它没有发送私有加密的csrf_state
cookie,因为该请求源自Google而不是我的应用。)
I don't think this will be a problem in production, because there won't be a proxy server.
(我认为这不会在生产中出现问题,因为不会有代理服务器。)
Instead, both the backend and frontend will be served from the same mydomain.com
(相反,后端和前端都将从同一个mydomain.com
)
So, should I just not have this work in development?
(那么,我是否应该不从事这项工作呢?)
Or should I have the OAuth2 redirect URL set to my frontend ( localhost:3000
), which then automatically redirects to the backend ( localhost:8080
), such that it can send the private encrypted CSRF token along? (还是我应该将OAuth2重定向URL设置为我的前端( localhost:3000
),然后自动将其重定向到后端( localhost:8080
),以便它可以一起发送私有的加密CSRF令牌?)
Or is there a way to have the cookie originate from google, without having the multiple redirects?
(还是有一种方法可以让Cookie源自Google,而无需进行多次重定向?)
Or should I just not bother with CSRF, since SameSite
has such large support amongst browsers now? (还是因为SameSite
现在在浏览器中有如此大的支持,我是否应该SameSite
会CSRF?)
ask by John Smith translate from so 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…