I have a question about how to fix this: "Cookie will soon be rejected because it is foreign and does not have the "Partitioned" attribute." CORS settings.
Because the deployment services are different, I have the frontend and the backend on different domains. On the backend I use Flask, with these CORS settings:
from flask_cors import CORS

# `app` is the Flask application object created elsewhere in the project
CORS(app, resources={r"/*": {"origins": "*"}}, supports_credentials=True)
I also have two functions, for example register and logout:
from flask import request, jsonify, make_response
from flask_jwt_extended import decode_token

# auth_bp, schema, User and create_access_and_refresh_tokens are defined
# elsewhere in the project.

@auth_bp.post('/register')
def register_user():
    data = request.get_json()
    errors = schema.validate(data)
    if errors:
        return jsonify({'error': errors}), 400
    user = User.get_user_by_email(email=data.get('email'))
    if user is not None:
        return jsonify({'error': 'User already exists'}), 409
    new_user = User(username=data.get('username'), email=data.get('email'))
    new_user.set_password(password=data.get('password'))
    new_user.save()
    access_token, refresh_token = create_access_and_refresh_tokens(new_user)
    # Lifetimes are derived from the JWT claims so the client knows when to refresh.
    decoded_access_token = decode_token(access_token)
    access_token_expires_in_seconds = decoded_access_token['exp'] - decoded_access_token['iat']
    decoded_refresh_token = decode_token(refresh_token)
    refresh_token_expires_in_seconds = decoded_refresh_token['exp'] - decoded_refresh_token['iat']
    response = make_response(
        jsonify({
            "message": "User created and logged in successfully",
            "tokens": {
                "access_token": access_token,
                "access_token_expires_time (seconds)": access_token_expires_in_seconds,
                "refresh_token_expires_time (seconds)": refresh_token_expires_in_seconds,
            }
        }), 201)
    # The refresh token travels only in an HttpOnly cookie; the access token is in the body.
    response.set_cookie(
        'refreshToken',
        refresh_token,
        httponly=True,
        secure=True,
        samesite='None',
        path="/"
    )
    return response
and
from flask import jsonify, make_response
from flask_jwt_extended import jwt_required, get_jwt_identity, get_jwt

# auth_bp, User and TokenBlockList are defined elsewhere in the project.

@auth_bp.get('/logout')
@jwt_required(verify_type=False)  # accept either an access or a refresh token
def logout_user():
    identity = get_jwt_identity()
    user = User.get_user_by_email(email=identity)
    jwt = get_jwt()
    jti = jwt['jti']
    token_type = jwt['type']
    # Block-list the token's jti so it cannot be reused after logout.
    token_b = TokenBlockList(jti=jti)
    token_b.save(user_id=user.id)
    response = make_response(jsonify({'message': f'{token_type} token revoked successfully'}), 200)
    # Attributes must match the ones used when the cookie was set, or the browser keeps it.
    response.delete_cookie(key='refreshToken', httponly=True, secure=True, samesite='None', path="/")
    return response
I have also recently started seeing this warning for Flask pages opened from other pages inside an iframe. As @Eduardo mentioned, browsers are now adopting the Partitioned attribute for cookies. See here and here for some explanation. But Flask's response class does not implement it until, I believe, v3.1.0 or thereabouts.
My solution was to create and add the cookie header manually.
So, after make_response(...), when you add the cookie, instead of:
response.set_cookie('refreshToken', refresh_token, httponly=True, secure=True, samesite='None', path="/")
you can do:
response.headers.add('Set-Cookie', f'refreshToken={refresh_token}; HttpOnly; SameSite=None; Secure; Path=/; Partitioned;')
And when you delete the cookie, instead of:
response.delete_cookie(key='refreshToken', httponly=True, secure=True, samesite='None', path="/")
you can do:
# same cookie name and attributes as when it was set, otherwise the browser keeps the old cookie
response.headers.add('Set-Cookie', 'refreshToken=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; HttpOnly; SameSite=None; Secure; Path=/; Partitioned;')
Hope this helps you and/or others.
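As an added, framework-independent example (not from the question or the answer above), the helpers below build the same Set-Cookie strings the answer adds by hand, always pairing Partitioned and SameSite=None with Secure, and audit an arbitrary header for the attributes a browser requires before it will store a cross-site cookie. The function names and the audit messages are my own; the returned strings can be passed to response.headers.add('Set-Cookie', ...) exactly as in the answer.

```python
from typing import List, Optional

# Date used by the answer to expire a cookie immediately.
EPOCH = "Thu, 01 Jan 1970 00:00:00 GMT"


def partitioned_cookie(name: str, value: str, *, path: str = "/",
                       max_age: Optional[int] = None,
                       httponly: bool = True) -> str:
    """Set-Cookie value for a cross-site, partitioned (CHIPS) cookie.

    Partitioned requires Secure, and SameSite=None requires Secure, so
    both attributes are always emitted regardless of the arguments.
    """
    if any(ch in name for ch in " ;=,") or ";" in value:
        raise ValueError("cookie name/value must not contain separators")
    parts = [f"{name}={value}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if httponly:
        parts.append("HttpOnly")
    parts += ["SameSite=None", "Secure", f"Path={path}", "Partitioned"]
    return "; ".join(parts)


def delete_partitioned_cookie(name: str, *, path: str = "/") -> str:
    """Header that expires the cookie; Path, Secure, SameSite and
    Partitioned must match the original or the browser keeps the old one."""
    return (f"{name}=; Expires={EPOCH}; Max-Age=0; HttpOnly; SameSite=None; "
            f"Secure; Path={path}; Partitioned")


def audit_set_cookie(header: str) -> List[str]:
    """Return the reasons (constructed messages) a browser would refuse to
    store this header as a third-party cookie; empty list means acceptable."""
    flags = {}
    for attr in header.split(";")[1:]:          # skip the name=value pair
        attr = attr.strip()
        if not attr:
            continue
        key, _, val = attr.partition("=")
        flags[key.lower()] = val or True
    problems = []
    if "secure" not in flags:
        problems.append("missing Secure")
    if str(flags.get("samesite", "")).lower() != "none":
        problems.append("SameSite must be None for cross-site use")
    if "partitioned" not in flags:
        problems.append("missing Partitioned (third-party cookie will be rejected)")
    return problems
```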