egg學習筆記(4)--安全機制csrf
阿新 • • 發佈:2018-12-10
簡介
CSRF（跨站請求偽造）攻擊：偽造使用者的請求，向網站發起惡意請求。
目錄結構
controller
//controller/postsafe.js
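'use strict';

const Controller = require('egg').Controller;

/**
 * Demo controller for the CSRF-protected form served at /postsafe.
 * GET renders the form; POST receives the submitted fields.
 */
class PostsafeController extends Controller {
  /** GET /postsafe — renders view/postsafe.html, which embeds the CSRF token. */
  async index() {
    await this.ctx.render('postsafe');
  }

  /**
   * POST /postsafe — handles the form submission.
   * The form carries a `password` field, so the body is masked before it is
   * logged: credentials must not end up in console/log output.
   * A response body is set explicitly; a handler that sets nothing would let
   * the request fall through to the framework's default 404.
   */
  async post() {
    const bodydata = this.ctx.request.body || {};
    // Shallow copy so the masking never touches the real request body.
    const logged = Object.assign({}, bodydata);
    if (logged.password !== undefined) {
      logged.password = '[redacted]';
    }
    console.log(logged);
    this.ctx.body = { received: Object.keys(bodydata) };
  }
}

module.exports = PostsafeController;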
router
//router.js
// Both verbs share the path: GET renders the form, POST receives it
// (both handled by PostsafeController).
const { postsafe } = controller;
router.get('/postsafe', postsafe.index);
router.post('/postsafe', postsafe.post);
middleware
//middleware/auth.js
/**
 * Middleware factory. The returned middleware copies the per-request CSRF
 * token (ctx.csrf) onto ctx.state so templates can embed it, then yields to
 * the next middleware.
 * @param {object} options - middleware options (not used here)
 * @param {object} app - application instance (not used here)
 * @returns {Function} koa-style async middleware named `auth`
 */
module.exports = (options, app) => {
  const exposeCsrf = async function auth(ctx, next) {
    ctx.state.csrf = ctx.csrf;
    await next();
  };
  return exposeCsrf;
};
//config/config.default.js
// Middleware names, listed in this order; 'auth' is middleware/auth.js,
// which exposes ctx.csrf to views as ctx.state.csrf.
const middlewareNames = ['printdate', 'forbidip', 'auth'];
config.middleware = middlewareNames;
view
//view/postsafe.html
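<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta http-equiv="X-UA-Compatible" content="ie=edge">
  <title>Document</title>
</head>
<body>
  <!-- The CSRF token (ctx.state.csrf, set by middleware/auth.js) is sent as a
       hidden form field instead of in the action's query string, so it does
       not show up in the address bar, browser history, Referer headers or
       server access logs. -->
  <form action="/postsafe" method="POST">
    <input type="hidden" name="_csrf" value="<%= csrf %>">
    <div>
      <span>使用者名稱</span>
      <input type="text" name="username">
    </div>
    <div>
      <span>密碼</span>
      <input type="password" name="password">
    </div>
    <button type="submit">提交</button>
  </form>
</body>
</html>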
頁面效果
去掉csrf