I'm setting up OAuth2 in my app using the Authorization Grant flow.(我正在使用“授权授予”流程在我的应用中设置OAuth2。)
I am also using create-react-app, such that I'm developing on localhost:3000 , which proxies to my app server backend on localhost:8080 .(我也在使用create-react-app,这样我就在localhost:3000上进行开发,它代理了我在localhost:8080上的应用程序服务器后端。)
Everything mostly works, except for the fact that I cannot get the CSRF token working.(除了我无法使CSRF令牌正常工作之外,其他所有东西都可以正常工作。)
I realized it was because I was having the OAuth2 Redirect URL set to the backend, and as a result it was not sending the private encrypted csrf_state cookie along, because the request was originating from google instead of my app.(我意识到这是因为我将OAuth2重定向URL设置为后端,因此它没有发送私有加密的csrf_state cookie,因为该请求源自Google而不是我的应用。)
I don't think this will be a problem in production, because there won't be a proxy server.(我认为这不会在生产中出现问题,因为不会有代理服务器。) Instead, both the backend and frontend will be served from the same mydomain.com(相反,后端和前端都将从同一个mydomain.com)
So, should I just not have this work in development?(那么,我是否应该不从事这项工作呢?) Or should I have the OAuth2 redirect URL set to my frontend ( localhost:3000 ), which then automatically redirects to the backend ( localhost:8080 ), such that it can send the private encrypted CSRF token along?(还是我应该将OAuth2重定向URL设置为我的前端( localhost:3000 ),然后自动将其重定向到后端( localhost:8080 ),以便它可以一起发送私有的加密CSRF令牌?)
Or is there a way to have the cookie originate from google, without having the multiple redirects?(还是有一种方法可以让Cookie源自Google,而无需进行多次重定向?) Or should I just not bother with CSRF, since SameSite has such large support amongst browsers now?(还是因为SameSite现在在浏览器中有如此大的支持,我是否应该SameSite会CSRF?)
ask by John Smith translate from so
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
