docker MismatchingStateError:mismatching_state:CSRF警告!请求和响应中的状态不相等

kjthegm6  于 2023-10-16  发布在  Docker
关注(0)|答案(5)|浏览(176)

这让我非常抓狂,并阻止我进行本地开发/测试。
我有一个使用authlib的flask应用程序(仅限客户端功能)。当用户访问我的主页时,我的flask后端会将他们重定向到/login,然后再重定向到Google Auth。然后Google Auth将它们发布回我的应用的/auth端点。
几个月来,我一直遇到authlib.integrations.base_client.errors.MismatchingStateError的特殊问题:mismatching_state:CSRF警告!请求和响应不相等。这感觉就像一个cookie的问题,大多数时候,我只是打开一个新的浏览器窗口或隐身或尝试清除缓存,最终,它的工作排序。
然而,我现在在Docker容器中运行完全相同的应用程序,并且在某个阶段这是有效的。我不知道我已经改变了什么,但每当我浏览到localhost/或127.0.0.1/并通过auth过程(每次清除cookie以确保我没有自动登录),我不断重定向回localhost/auth?state=blah blah blah我遇到了这个问题:authlib.integrations.base_client.errors.MismatchingStateError:mismatching_state:CSRF警告!请求和响应不相等。
我认为我的代码的相关部分是:

  1. @app.route("/", defaults={"path": ""})
  2. @app.route("/<path:path>")
  3. def catch_all(path: str) -> Union[flask.Response, werkzeug.Response]:
  4.     if flask.session.get("user"):
  5.         return app.send_static_file("index.html")
  6.     return flask.redirect("/login")
  8. @app.route("/auth")
  9. def auth() -> Union[Tuple[str, int], werkzeug.Response]:
  10.     token = oauth.google.authorize_access_token()
  11.     user = oauth.google.parse_id_token(token)
  12.     flask.session["user"] = user
  13.     return flask.redirect("/")
  15. @app.route("/login")
  16. def login() -> werkzeug.Response:
  17.     return oauth.google.authorize_redirect(flask.url_for("auth", _external=True))

我将非常感谢任何帮助。
当我在本地运行时,我开始:

  1. export FLASK_APP=foo && flask run

当我在Docker容器中运行时,我开始:

  1. .venv/bin/gunicorn -b :8080 --workers 16 foo
docker

5条答案

按热度按时间
z8dt9xmd

z8dt9xmd1#

问题是SECRET_KEY是使用os.random填充的,这会为不同的工作进程产生不同的值,因此无法访问会话cookie。

赞(0)分享  回复(0)举报  2023-10-16
xwbd5t1u

xwbd5t1u2#

@adamcunnington这里是你如何调试它:

  1. @app.route("/auth")
  2. def auth() -> Union[Tuple[str, int], werkzeug.Response]:
  3.     # Check these two values
  4.     print(flask.request.args.get('state'), flask.session.get('_google_authlib_state_'))
  6.     token = oauth.google.authorize_access_token()
  7.     user = oauth.google.parse_id_token(token)
  8.     flask.session["user"] = user
  9.     return flask.redirect("/")

检查request.argssession中的值以了解发生了什么。
可能是因为Flask session not persistent across requests in Flask app with Gunicorn on Heroku

赞(0)分享  回复(0)举报  2023-10-16
eyh26e7m

eyh26e7m3#

如何修复问题

安装旧版本authlib,它可以很好地与fastapi和flask配合使用

  1. Authlib==0.14.3

对于Fastapi

  1. uvicorn==0.11.8
  2. starlette==0.13.6
  3. Authlib==0.14.3
  4. fastapi==0.61.1

* 如果使用本地主机进行Google身份验证,请确保获得https证书 *

安装chocolatey并设置https查看本教程

  1. https://dev.to/rajshirolkar/fastapi-over-https-for-development-on-windows-2p7d
  3. ssl_keyfile="./localhost+2-key.pem" ,
  4.  ssl_certfile= "./localhost+2.pem"

-我的代码-

  1. from typing import Optional
  2. from fastapi import FastAPI, Depends, HTTPException
  3. from fastapi.openapi.docs import get_swagger_ui_html
  4. from fastapi.openapi.utils import get_openapi
  6. from starlette.config import Config
  7. from starlette.requests import Request
  8. from starlette.middleware.sessions import SessionMiddleware
  9. from starlette.responses import HTMLResponse, JSONResponse, RedirectResponse
  11. from authlib.integrations.starlette_client import OAuth
  13. # Initialize FastAPI
  14. app = FastAPI(docs_url=None, redoc_url=None)
  15. app.add_middleware(SessionMiddleware, secret_key='!secret')
  19. @app.get('/')
  20. async def home(request: Request):
  21.     # Try to get the user
  22.     user = request.session.get('user')
  23.     if user is not None:
  24.         email = user['email']
  25.         html = (
  26.             f'<pre>Email: {email}</pre><br>'
  27.             '<a href="/docs">documentation</a><br>'
  28.             '<a href="/logout">logout</a>'
  29.         )
  30.         return HTMLResponse(html)
  32.     # Show the login link
  33.     return HTMLResponse('<a href="/login">login</a>')
  35. # --- Google OAuth ---
  37. # Initialize our OAuth instance from the client ID and client secret specified in our .env file
  38. config = Config('.env')
  39. oauth = OAuth(config)
  41. CONF_URL = 'https://accounts.google.com/.well-known/openid-configuration'
  42. oauth.register(
  43.     name='google',
  44.     server_metadata_url=CONF_URL,
  45.     client_kwargs={
  46.         'scope': 'openid email profile'
  47.     }
  48. )
  50. @app.get('/login', tags=['authentication'])  # Tag it as "authentication" for our docs
  51. async def login(request: Request):
  52.     # Redirect Google OAuth back to our application
  53.     redirect_uri = request.url_for('auth')
  54.     print(redirect_uri)
  56.     return await oauth.google.authorize_redirect(request, redirect_uri)
  58. @app.route('/auth/google')
  59. async def auth(request: Request):
  60.     # Perform Google OAuth
  61.     token = await oauth.google.authorize_access_token(request)
  62.     user = await oauth.google.parse_id_token(request, token)
  64.     # Save the user
  65.     request.session['user'] = dict(user)
  67.     return RedirectResponse(url='/')
  69. @app.get('/logout', tags=['authentication'])  # Tag it as "authentication" for our docs
  70. async def logout(request: Request):
  71.     # Remove the user
  72.     request.session.pop('user', None)
  74.     return RedirectResponse(url='/')
  76. # --- Dependencies ---
  78. # Try to get the logged in user
  79. async def get_user(request: Request) -> Optional[dict]:
  80.     user = request.session.get('user')
  81.     if user is not None:
  82.         return user
  83.     else:
  84.         raise HTTPException(status_code=403, detail='Could not validate credentials.')
  86.     return None
  88. # --- Documentation ---
  90. @app.route('/openapi.json')
  91. async def get_open_api_endpoint(request: Request, user: Optional[dict] = Depends(get_user)):  # This dependency protects our endpoint!
  92.     response = JSONResponse(get_openapi(title='FastAPI', version=1, routes=app.routes))
  93.     return response
  95. @app.get('/docs', tags=['documentation'])  # Tag it as "documentation" for our docs
  96. async def get_documentation(request: Request, user: Optional[dict] = Depends(get_user)):  # This dependency protects our endpoint!
  97.     response = get_swagger_ui_html(openapi_url='/openapi.json', title='Documentation')
  98.     return response
  100. if __name__ == '__main__':
  101.     import uvicorn
  102.     uvicorn.run(app,    port=8000,
  103.                 log_level='debug',
  104.                 ssl_keyfile="./localhost+2-key.pem" ,
  105.                 ssl_certfile= "./localhost+2.pem"
  106.                 )

.env文件

  1. GOOGLE_CLIENT_ID=""
  2. GOOGLE_CLIENT_SECRET=""

Google控制台设置

展开查看全部
赞(0)分享  回复(0)举报  2023-10-16
nfeuvbwi

nfeuvbwi4#

我在FastAPI中遇到了同样的问题。对我有用的是在-sessionMiddlewareoauth.register-位置设置相同的密钥:
In respective python module:

  1. # Set up OAuth
  2. config_data = {'GOOGLE_CLIENT_ID': GOOGLE_CLIENT_ID, 'GOOGLE_CLIENT_SECRET': GOOGLE_CLIENT_SECRET}
  3. starlette_config = Config(environ=config_data)
  4. oauth = OAuth(starlette_config)
  5. oauth.register(
  6.     name='google',
  7.     server_metadata_url='https://accounts.google.com/.well-known/openid-configuration',
  8.     client_kwargs={'scope': 'openid email profile'},
  9.     authorize_state='Oe_Ef1Y38o1KSWM2R-s-Kg',### this string should be similar to the one we put while add sessions middleware
  10. )

In main.py (or wherever you declare app = FastAPI()):

  1. app.add_middleware(SessionMiddleware, secret_key="Oe_Ef1Y38o1KSWM2R-s-Kg")
赞(0)分享  回复(0)举报  2023-10-16
ljsrvy3e

ljsrvy3e5#

我通过在浏览器中硬刷新应用程序解决了这个问题。看起来我已经在代码中更改了一些客户端ID并重新启动了应用程序,但我仍然在浏览器中从我自己的应用程序的过时版本中单击登录按钮。

赞(0)分享  回复(0)举报  2023-10-16
我来回答

相关问题

    查看更多

    热门标签

    更多
    JavaquerypythonNode开发语言requestUtil数据库Table后端算法LoggerMessageElementParser

    最新问答

    更多
    • 蜀ICP备13028337号-1 大数据知识库 https://www.saoniuhuo.com © All rights reserved
    • 本站内容来源互联网,如果侵犯您的权益请联系我们删除, 联系方式:448109455@qq.com