git-market/axios-axios
1
0
Fork 0
mirror of https://github.com/axios/axios.git synced 2026-04-11 14:21:59 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat(withXSRFToken): added withXSRFToken option as a workaround to achieve the old withCredentials behavior; (#6046)

Browse Source
This commit is contained in:
Dmitriy Mozgovoy 2023-11-14 15:38:25 +02:00 committed by GitHub
parent 7009715369
commit cff996779b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 110 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@ -452,6 +452,9 @@ These are the available config options for making requests. Only the `url` is re
// `xsrfHeaderName` is the name of the http header that carries the xsrf token value
xsrfHeaderName: 'X-XSRF-TOKEN', // default
// `undefined` (default) - set XSRF header only for the same origin requests
withXSRFToken: boolean | undefined | ((config: InternalAxiosRequestConfig) => boolean | undefined),
// `onUploadProgress` allows handling of progress events for uploads
// browser & node.js

1
index.d.cts
View File

@ -414,6 +414,7 @@ declare namespace axios {
family?: AddressFamily;
lookup?: ((hostname: string, options: object, cb: (err: Error | null, address: LookupAddress | LookupAddress[], family?: AddressFamily) => void) => void) |
((hostname: string, options: object) => Promise<[address: LookupAddressEntry | LookupAddressEntry[], family?: AddressFamily] | LookupAddress>);
withXSRFToken?: boolean | ((config: InternalAxiosRequestConfig) => boolean | undefined);
}
// Alias

1
index.d.ts vendored
View File

@ -355,6 +355,7 @@ export interface AxiosRequestConfig<D = any> {
family?: AddressFamily;
lookup?: ((hostname: string, options: object, cb: (err: Error | null, address: LookupAddress | LookupAddress[], family?: AddressFamily) => void) => void) |
((hostname: string, options: object) => Promise<[address: LookupAddressEntry | LookupAddressEntry[], family?: AddressFamily] | LookupAddress>);
withXSRFToken?: boolean | ((config: InternalAxiosRequestConfig) => boolean | undefined);
}
// Alias

17
lib/adapters/xhr.js
View File

@ -49,7 +49,7 @@ export default isXHRAdapterSupported && function (config) {
return new Promise(function dispatchXhrRequest(resolve, reject) {
let requestData = config.data;
const requestHeaders = AxiosHeaders.from(config.headers).normalize();
const responseType = config.responseType;
let {responseType, withXSRFToken} = config;
let onCanceled;
function done() {
if (config.cancelToken) {
@ -185,13 +185,16 @@ export default isXHRAdapterSupported && function (config) {
// Add xsrf header
// This is only done if running in a standard browser environment.
// Specifically not if we're in a web worker, or react-native.
if (platform.hasStandardBrowserEnv) {
// Add xsrf header
// regarding CVE-2023-45857 config.withCredentials condition was removed temporarily
const xsrfValue = isURLSameOrigin(fullPath) && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
if(platform.hasStandardBrowserEnv) {
withXSRFToken && utils.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(config));
if (xsrfValue) {
requestHeaders.set(config.xsrfHeaderName, xsrfValue);
if (withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(fullPath))) {
// Add xsrf header
const xsrfValue = config.xsrfHeaderName && config.xsrfCookieName && cookies.read(config.xsrfCookieName);
if (xsrfValue) {
requestHeaders.set(config.xsrfHeaderName, xsrfValue);
}
}
}

1
lib/core/mergeConfig.js
View File

@ -75,6 +75,7 @@ export default function mergeConfig(config1, config2) {
timeout: defaultToConfig2,
timeoutMessage: defaultToConfig2,
withCredentials: defaultToConfig2,
withXSRFToken: defaultToConfig2,
adapter: defaultToConfig2,
responseType: defaultToConfig2,
xsrfCookieName: defaultToConfig2,

68
lib/helpers/cookies.js
View File

@ -1,52 +1,42 @@
'use strict';
import utils from './../utils.js';
import platform from '../platform/index.js';
export default platform.hasStandardBrowserEnv ?
// Standard browser envs support document.cookie
(function standardBrowserEnv() {
return {
write: function write(name, value, expires, path, domain, secure) {
const cookie = [];
cookie.push(name + '=' + encodeURIComponent(value));
// Standard browser envs support document.cookie
{
write(name, value, expires, path, domain, secure) {
const cookie = [name + '=' + encodeURIComponent(value)];
if (utils.isNumber(expires)) {
cookie.push('expires=' + new Date(expires).toGMTString());
}
utils.isNumber(expires) && cookie.push('expires=' + new Date(expires).toGMTString());
if (utils.isString(path)) {
cookie.push('path=' + path);
}
utils.isString(path) && cookie.push('path=' + path);
if (utils.isString(domain)) {
cookie.push('domain=' + domain);
}
utils.isString(domain) && cookie.push('domain=' + domain);
if (secure === true) {
cookie.push('secure');
}
secure === true && cookie.push('secure');
document.cookie = cookie.join('; ');
},
document.cookie = cookie.join('; ');
},
read: function read(name) {
const match = document.cookie.match(new RegExp('(^|;\\s*)(' + name + ')=([^;]*)'));
return (match ? decodeURIComponent(match[3]) : null);
},
read(name) {
const match = document.cookie.match(new RegExp('(^|;\\s*)(' + name + ')=([^;]*)'));
return (match ? decodeURIComponent(match[3]) : null);
},
remove: function remove(name) {
this.write(name, '', Date.now() - 86400000);
}
};
})() :
remove(name) {
this.write(name, '', Date.now() - 86400000);
}
}
:
// Non-standard browser env (web workers, react-native) lack needed support.
{
write() {},
read() {
return null;
},
remove() {}
};
// Non standard browser env (web workers, react-native) lack needed support.
(function nonStandardBrowserEnv() {
return {
write: function write() {},
read: function read() { return null; },
remove: function remove() {}
};
})();

2
lib/helpers/isURLSameOrigin.js
View File

@ -13,7 +13,7 @@ export default platform.hasStandardBrowserEnv ?
let originURL;
/**
* Parse a URL to discover it's components
* Parse a URL to discover its components
*
* @param {String} url The URL to be parsed
* @returns {Object}

64
test/specs/xsrf.spec.js
View File

@ -79,4 +79,68 @@ describe('xsrf', function () {
done();
});
});
describe('withXSRFToken option', function(){
it('should set xsrf header for cross origin when withXSRFToken = true', function (done) {
const token = '12345';
document.cookie = axios.defaults.xsrfCookieName + '=' + token;
axios('http://example.com/', {
withXSRFToken: true
});
getAjaxRequest().then(function (request) {
expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual(token);
done();
});
});
it('should not set xsrf header for the same origin when withXSRFToken = false', function (done) {
const token = '12345';
document.cookie = axios.defaults.xsrfCookieName + '=' + token;
axios('/foo', {
withXSRFToken: false
});
getAjaxRequest().then(function (request) {
expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual(undefined);
done();
});
});
it('should not set xsrf header for the same origin when withXSRFToken = false', function (done) {
const token = '12345';
document.cookie = axios.defaults.xsrfCookieName + '=' + token;
axios('/foo', {
withXSRFToken: false
});
getAjaxRequest().then(function (request) {
expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual(undefined);
done();
});
});
it('should support function resolver', (done) => {
const token = '12345';
document.cookie = axios.defaults.xsrfCookieName + '=' + token;
axios('/foo', {
withXSRFToken: (config) => config.userFlag === 'yes',
userFlag: 'yes'
});
getAjaxRequest().then(function (request) {
expect(request.requestHeaders[axios.defaults.xsrfHeaderName]).toEqual(token);
done();
});
});
});
});