0

我的服务器是在 localhost:8080 上使用 Fiber (golang) 和 Fiber-Session 中间件构建的。React App 在 localhost:3000 上运行。运行https和 cookie 设置都是“SameSite=None”、“Secure”和“HttpOnly”。

我试图做的是:

  1. 登录请求 ( POST /users/:userID/token) 和session_idCookie 中设置的服务器。

发送请求的代码是:

await fetch('https://localhost:8080/api/v2/users/616637bc3b7adc6e86230277/token', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    password: '123412341234',
  })
})

响应状态为 200,响应值正常。

我认为cookie是自动保存的,所以我没有对响应对象做任何事情来保存cookie。

从服务器,响应得到:

HTTP/1.1 200 OK
Date: Wed, 13 Oct 2021 03:14:10 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 17
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Vary: Origin
Access-Control-Allow-Origin: https://localhost:3000
Access-Control-Allow-Credentials: true
X-Request-Id: 55978af0-1eb3-4175-bad6-6ada68e6b8d5
Set-Cookie: session_id=9a69d523-98d2-4101-b81f-a4f732f517bc; max-age=86400; path=/; HttpOnly; secure; SameSite=None

我认为服务器的响应非常好。

  1. 使用会话 cookie 请求从服务器获取用户信息。(这里失败)

发送请求的代码是:

await fetch('https://localhost:8080/api/v2/users/616637bc3b7adc6e86230277', {
  method: 'GET',
  credentials: 'include'
})

发送到服务器的请求是:

GET /api/v2/users/616637bc3b7adc6e86230277 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
sec-ch-ua: "Chromium";v="94", "Google Chrome";v="94", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
sec-ch-ua-platform: "macOS"
Accept: */*
Origin: https://localhost:3000
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://localhost:3000/
Accept-Encoding: gzip, deflate, br
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: _ga=GA1.1.1128008882.1631252747

在“Cookie”部分,只有_gacookie,没有session_idcookie,但我认为它没有显示,因为session_idcookie 是安全的和 httpOnly cookie。

服务器的(失败)响应是:

HTTP/1.1 401 Unauthorized
Date: Wed, 13 Oct 2021 03:14:11 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 147
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Vary: Origin
Access-Control-Allow-Origin: https://localhost:3000
Access-Control-Allow-Credentials: true
X-Request-Id: 56978af0-1eb3-4175-bad6-6ada68e6b8d5

发生 401 错误是因为服务器无法从session_id密钥中找到任何 cookie。

在服务器中:

import (
    "fmt"

    "github.com/gofiber/fiber/v2"
    "github.com/gofiber/fiber/v2/middleware/session"
    "github.com/gofiber/storage/mongodb"
    ...
)

var store *session.Store

func InitSessionStore() {
...
    store = session.New(session.Config{
        Storage:        storage,
        CookieHTTPOnly: true,
        CookieSecure:   true,
        CookieSameSite: "None",
    })
}

// Set session id
func SetUserIDInSession(userID string) error {
...
    sess, err := store.Get(c)
    if err != nil {
        return nil, errors.WithStack(err)
    }

    sess.Set("user", userID)

    if err := sess.Save(); err != nil {
        return errors.WithStack(err)
    }

    return nil
}

// Get user id from session
func GetUserIDFromSession(c *fiber.Ctx) (string, error) {
    ...
    sess, err := store.Get(c)
    if err != nil {
        return nil, errors.WithStack(err)
    }

    user := sess.Get("user") // user is nil

    ...
}

我的代码有问题吗?我找不到任何可疑的位置。请帮我。谢谢。

4

0 回答 0