如何将CSRF令牌真实性从我拥有的php应用发送到我拥有的rails应用?
我是sugarCRM实例的管理员,在heroku上有一个rails应用程序。如果在sugarCRM中添加联系人,我希望能够自动将联系人添加到rails应用程序。我在sugarCRM中编写了一个before_save logic_hook:如何将CSRF令牌真实性从我拥有的php应用发送到我拥有的rails应用?,php,ruby-on-rails,httprequest,csrf,sugarcrm,Php,Ruby On Rails,Httprequest,Csrf,Sugarcrm,我是sugarCRM实例的管理员,在heroku上有一个rails应用程序。如果在sugarCRM中添加联系人,我希望能够自动将联系人添加到rails应用程序。我在sugarCRM中编写了一个before_save logic_hook: function pushConts($bean, $event, $arguments) { $r = new HttpRequest('http://localhost:3000/contacts/', HttpReques
function pushConts($bean, $event, $arguments)
{
$r = new HttpRequest('http://localhost:3000/contacts/', HttpRequest::METH_POST);
$r->addPostFields(array('first_name' => $bean->first_name, 'last_name' => $bean->last_name, 'phone' => $bean->phone_mobile,'email' => $bean->email1, ));
//$r->addHeaders(array('X-CSRF-Token'=> 'testing-csrf-token');
try
{
echo $r->send()->getBody();
} catch(HttpException $ex){
SugarApplication::appendErrorMessage("<span style='color: red; font-size: 1.8em;'>Could Not Save Contact: Rails app is down.</span>");
$queryParams = array('module' => 'Contacts', 'action' => 'ListView');
SugarApplication::redirect('index.php?' . http_build_query($queryParams));
}
函数pushConts($bean、$event、$arguments)
{
$r=新的HttpRequest('http://localhost:3000/contacts/,HttpRequest::METH_POST);
$r->addPostFields(数组('first\u name'=>$bean->first\u name,'last\u name'=>$bean->last\u name,'phone'=>$bean->phone\u mobile,'email'=>$bean->email1,);
//$r->addHeader(数组('X-CSRF-Token'=>'测试CSRF令牌');
尝试
{
echo$r->send()->getBody();
}捕获(HttpException$ex){
SugarApplication::appendErrorMessage(“无法保存联系人:Rails应用程序已关闭”);
$queryParams=array('module'=>'Contacts','action'=>'ListView');
SugarApplication::redirect('index.php?').http_build_query($queryParams));
}
Started POST "/contacts/" for 127.0.0.1 at 2015-06-18 15:30:14 -0500
Processing by ContactsController#create as */*
Parameters: {"first_name"=>"contact", "last_name"=>"one", "phone"=>"(555) 555-5555", "email"=>"phone.support@example.us"}
Can't verify CSRF token authenticity
Completed 422 Unprocessable Entity in 1ms
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
actionpack (4.2.0) lib/action_controller/metal/request_forgery_protection.rb:181:in `handle_unverified_request'
actionpack (4.2.0) lib/action_controller/metal/request_forgery_protection.rb:209:in `handle_unverified_request'
devise (3.4.1) lib/devise/controllers/helpers.rb:251:in `handle_unverified_request'
<stack trace continues>
于2015-06-18 15:30:14-0500开始发布127.0.0.1版的“/contacts/”
由ContactsController处理#创建为*/*
参数:{“名字”=>“联系人”、“姓氏”=>“一”、“电话”=>“(555)555-5555”、“电子邮件”=>“电话”。support@example.us"}
无法验证CSRF令牌的真实性
在1ms内完成422个不可处理实体
ActionController::InvalidAuthenticationToken(ActionController::InvalidAuthenticationToken):
actionpack(4.2.0)lib/action\u controller/metal/request\u forgery\u protection.rb:181:in'handle\u unverified\u request'
actionpack(4.2.0)lib/action\u controller/metal/request\u forgery\u protection.rb:209:in'handle\u unverified\u request'
designe(3.4.1)lib/designe/controllers/helpers.rb:251:in'handle\u unverified\u request'
skip\u-before\u-filter:verify\u-authenticity\u-tokenX-CSRF-Token我可以向这个逻辑钩子或rails应用程序本身(或两者)添加什么,以便在不影响(太多)安全性的情况下将Http请求从sugarCRM发送到rails应用程序?rails CSRF系统实际上并不打算跨域或服务器工作 由于Rails和SugarCRM不共享用户会话,Rails不可能验证来自SugarCRM的CSRF令牌 您最好使用
skip\u before\u过滤器将其关闭,只需:[:create]POST/api/v1/contacts# routes.rb
namespace :api do
namespace :v1 do
resources :contacts
end
end
# controllers/api/v1/api_controller
class ApiController < ActionController::Base
skip_before_filter, only: [:create]
def authenticate
# @todo implement token based auth
end
end
# controllers/api/v1/contacts_controller
class Api::V1::ContactsController
before_action :authenticate
def create
@contact = Contact.new(contact_params)
# ...
end
# ...
end
#routes.rb
名称空间:api do
名称空间:v1 do
资源:联系人
结束
结束
#控制器/api/v1/api\U控制器
类ApicControllerauthenticate\u或\u request\u with \u http\u token