Cookie 很快就会被拒绝,因为它是外来的并且不具有“Partitioned”属性。科尔斯设置

问题描述 投票:0回答:1

我有一个关于如何解决这个问题的问题“Cookie 很快就会被拒绝,因为它是外来的并且没有“分区”属性。cors 设置”。

现在由于部署服务不同,我在不同的域上有前端和后端。 所以我在后端使用烧瓶:

cors设置

CORS(app, resources={r"/*": {"origins": "*"}}, supports_credentials=True)

我还有2个功能,例如注册和注销:

@auth_bp.post('/register')
def register_user():

    data = request.get_json()

    errors = schema.validate(data)
    if errors:
        return jsonify({'error': errors}), 400

    user = User.get_user_by_email(email=data.get('email'))

    if user is not None:
        return jsonify({'error': 'User already exists'}), 409

    new_user = User(username=data.get('username'), email=data.get('email'))
    new_user.set_password(password=data.get('password'))
    new_user.save()

    access_token, refresh_token = create_access_and_refresh_tokens(new_user)

    decoded_access_token = decode_token(access_token)
    access_token_expires_in_seconds = decoded_access_token['exp'] - decoded_access_token['iat']
    
    decoded_refresh_token = decode_token(refresh_token)
    refresh_token_expires_in_seconds = decoded_refresh_token['exp'] - decoded_refresh_token['iat']
    
    response = make_response(
        jsonify({
        "message": "User created and logged in successfully",
        "tokens": {
            "access_token": access_token,
            "access_token_expires_time (seconds)": access_token_expires_in_seconds,
            "refresh_token_expires_time (seconds)": refresh_token_expires_in_seconds,
        }
    }), 201)
    
    response.set_cookie(
        'refreshToken',
        refresh_token,
        httponly=True,
        secure=True,
        samesite='None',
        path="/"
    )
    
    return response

@auth_bp.get('/logout')
@jwt_required(verify_type=False)
def logout_user():
    identity = get_jwt_identity()
    user = User.get_user_by_email(email=identity)

    jwt = get_jwt()
    jti = jwt['jti']

    token_type = jwt['type']

    token_b = TokenBlockList(jti=jti)
    token_b.save(user_id=user.id)

    response = make_response(jsonify({'message': f'{token_type} token revoked successfully'}), 200)
    response.delete_cookie(key='refreshToken', httponly=True, secure=True, samesite='None', path="/")

    return response
python flask cors flask-cors
1个回答
0
投票

我最近也开始看到从 iframe 内的其他页面打开的 Flask 页面的警告。正如 @Eduardo 提到的,浏览器现在正在调整 cookie 的

Partitioned
属性。请参阅此处此处的一些解释。但是 Flask 的响应类不会实现它,直到我相信 v3.1.0 或其他东西。

我的解决方案是手动创建并添加 cookie 标头。

所以,在

make_response(...)
之后,当你添加cookie时,而不是:

response.set_cookie('refreshToken', refresh_token, httponly=True, secure=True, samesite='None', path="/")

你可以这样做:

response.headers.add('Set-Cookie', f'refreshToken={refresh_token}; HttpOnly; SameSite=None; Secure; Path=/; Partitioned;')

当您删除 cookie 时,而不是:

response.delete_cookie(key='refreshToken', httponly=True, secure=True, samesite='None', path="/")

你可以这样做:

resp.headers.add('Set-Cookie', 'token=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=None; Secure; Path=/; Partitioned;')

希望这对您和/或其他人有帮助。

© www.soinside.com 2019 - 2024. All rights reserved.