Symfony 3 + JWT +角度2 +认证(选项方法)

Question

我只是尝试使用JWT登录创建我的sf3 api,但我在验证方面遇到了一些麻烦.所以这是我的配置和一些我意识到的测试.

security.yml:

security:
    firewalls:
        login:
        pattern:    ^/api/auth
        stateless:  true
        anonymous:  true
        form_login:
            check_path:                 /api/auth/login-check
            success_handler:            lexik_jwt_authentication.handler.authentication_success
            failure_handler:            lexik_jwt_authentication.handler.authentication_failure
            require_previous_session:   false

        api:
            pattern:   ^/api
            stateless: true
            lexik_jwt: ~
    access_control:
        - { path: ^/api/auth, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api,      roles: IS_AUTHENTICATED_FULLY }

routing.yml中:

auth:
    path:       /auth
    defaults:   { _controller: api.controller.auth:postAction }
    methods:    [OPTIONS, POST]

api_login_check:
    path:       /auth/login-check

config.yml:

nelmio_cors:
    paths:
        '^/api/':
            allow_origin: ['*']
            allow_headers: ['*']
            allow_methods: ['POST', 'PUT', 'GET', 'DELETE', 'OPTIONS']
            max_age: 3600

当我调试路由时,我收到此输出:

$ php bin/console debug:router
----------------------------------- ------------------ -------- ------ -----------------------------------
 Name                                Method             Scheme   Host   Path
----------------------------------- ------------------ -------- ------ -----------------------------------
....
api_homepage                        ANY                ANY      ANY    /api/
auth                                OPTIONS|POST       ANY      ANY    /api/auth
api_login_check                     ANY                ANY      ANY    /api/auth/login-check
....

到目前为止一直很好,现在问题来了.

我设法测试身份验证的返回

$ curl -v -X POST http://api.local/api/auth/login-check -d _username=user -d _password=user
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to api.local (127.0.0.1) port 80 (#0)
> POST /api/auth/login-check HTTP/1.1
> Host: api.local
> User-Agent: curl/7.51.0
> Accept: */*
> Content-Length: 33
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 33 out of 33 bytes
< HTTP/1.1 200 OK
< Server: nginx/1.10.3
< Content-Type: application/json
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.1.3
< Set-Cookie: PHPSESSID=c4o6kuelf914gjnq09m38ec0c7; path=/; HttpOnly
< Cache-Control: no-cache, private
< Date: Fri, 12 May 2017 16:37:23 GMT
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PUT
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: User-Agent,Keep-Alive,Content-Type,Access-Control-Allow-Headers
<
* Curl_http_done: called premature == 0
* Connection #0 to host api.local left intact
{"token":"b2xlc9.......DW6uAwx4"}

好的,它的工作!

当我在浏览器中尝试相同的请求时,我在OPTIONS方法上收到404,所以我尝试使用curl OPTIONS请求重新创建请求(实际上我不知道它是否有任何意义,但无论如何我都试过了,其中响应:

$ curl -v -X OPTIONS http://api.local/api/auth/login-check -d _username=user -d _password=user
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to api.local (127.0.0.1) port 80 (#0)
> OPTIONS /api/auth/login-check HTTP/1.1
> Host: api.local
> User-Agent: curl/7.51.0
> Accept: */*
> Content-Length: 33
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 33 out of 33 bytes
< HTTP/1.1 404 Not Found
< Server: nginx/1.10.3
< Content-Type: application/json
< Transfer-Encoding: chunked
< Connection: keep-alive
< X-Powered-By: PHP/7.1.3
< Cache-Control: no-cache, private
< Date: Fri, 12 May 2017 16:35:49 GMT
<
{"error":{"code":404,"message":"Not Found"}}
* Curl_http_done: called premature == 0
* Connection #0 to host api.local left intact

我的理解是api找不到OPTIONS方法的路径,我甚至尝试将方法:[OPTIONS,POST]添加到api_login_check路由但输出相同.

使用和不使用nelmioCorsBundle进行测试,输出相同.

我有点迷失在这里,任何人都可以看到我做错了什么？

谢谢

Answer 1

您的身份验证路由是routing.yml 上的/oauth，但您在示例中使用/api/auth。我认为你的配置只有一点点错误。

但你真正的问题是preflight，浏览器在请求之前执行此操作，这是你的身份验证在浏览器上失败并与 CURL 一起使用的原因。

您的应用程序应该响应路由的 OPTIONS 请求，并告诉浏览器允许哪些方法或标头继续，并且为了实现此NelmioCorsBundle是最好的。

您需要覆盖所有路由，您的配置仅匹配 /api 路由和您的登录名，尝试像这样的nelmio_cors 配置。

nelmio_cors:
    defaults:
        allow_credentials: false
        allow_origin: []
        allow_headers: []
        allow_methods: []
        expose_headers: []
        max_age: 0
        hosts: []
        origin_regex: false
    paths:
        '^/':
            allow_origin: ['*']
            allow_headers: ['accept', 'authorization', 'content-type']
            allow_methods: ['OPTIONS', 'POST', 'PUT', 'PATCH', 'GET', 'DELETE']
            max_age: 3600