我在 Rails 4.2 中使用 websockets 与 Faye 实现了实时聊天
现在,我可以使用 curl 将消息发布到频道,例如:
curl http://localhost:3000/faye -d message={"channel":"/mychannel", "data": "my message"}'
为了防止这种情况,我按照指南 http://faye.jcoglan.com/security/csrf.html
但是客户端总是收到401错误
[,…]
0: {id: "8l", channel: "/meta/handshake", error: "401::Access denied", successful: false, version: "1.0",…}
advice: {reconnect: "handshake"}
channel: "/meta/handshake"
error: "401::Access denied"
id: "8l"
successful: false
supportedConnectionTypes: ["long-polling", "cross-origin-long-polling", "callback-polling", "websocket", "eventsource",…]
version: "1.0"
我还调试扩展CsrfProtection令牌变量。它们总是不同的。
Started POST "/faye" for 127.0.0.1 at 2016-02-20 02:53:59 +0600
session_token: "nICoUB0sDiwmNqbRpr1kUM7LtyBybCiddThnZceU7UI="
message_token: "PO5gD5tPwVMZifrUCsk8xnJXUIRZkhOU/vQ+ujbmQAugbshfhmPPfz+/XAWsdFiWvJznpCv+OwmLzFnf8XKtSQ=="
它们为何不同,如何实施CSRF保护?
Rails 代码中的方法可能会有所帮助: 令牌验证
想法:在页面上你有 Base64 编码值,你需要对其进行解码