
reactjs - React SignalR - Do not send the bearer token in the URL

Reposted. Author: 行者123. Updated: 2023-12-04 13:34:26

I am writing an application that failed a pen test on the following point:
The authorization token is being sent in the URL:

 https://domain/Hub?access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Imh1Tjk1SXZQZmVocTM0R3pCRFoxR1hHaXJuTSIsImtpZCI6Imh1Tjk1SXZQZmVocTM0R3pCRFoxR1hHaXJuTSJ9.....
This happens automatically when sending to a hub that uses Azure AD authorization.
    constructor (hub: string) {
        this.hubName = hub;
        this.hub = new HubConnectionBuilder()
            .configureLogging(LogLevel.Critical)
            .withUrl(`${this.hubURL}${hub}`, {
                skipNegotiation: true,
                transport: HttpTransportType.WebSockets,
                // With the WebSockets transport the browser client sends this
                // token as the access_token query string parameter.
                accessTokenFactory: () => {
                    return `${getToken()}`;
                }
            })
            .build();
    }
I have searched the documentation, but I would like to know whether there is a way to connect and send requests without exposing the bearer token in the URL?

Best answer

From the documentation

When using WebSockets or Server-Sent Events, the browser client sends the access token in the query string. Receiving the access token via query string is generally secure as using the standard Authorization header. Always use HTTPS to ensure a secure end-to-end connection between the client and the server. Many web servers log the URL for each request, including the query string. Logging the URLs may log the access token. ASP.NET Core logs the URL for each request by default, which will include the query string. For example:


From this documentation

In standard web APIs, bearer tokens are sent in an HTTP header. However, SignalR is unable to set these headers in browsers when using some transports. When using WebSockets and Server-Sent Events, the token is transmitted as a query string parameter.


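In my opinion, you could disable WebSockets and Server-Sent Events. See this question on how to remove WebSockets or Server-Sent Events. But then you fall back to long polling or forever frame, which you probably don't want.
Since the URL in your question is https, I wouldn't bother that much if you disabled request logging.
Changing the log level for Microsoft.AspNetCore.Hosting can be done in your appsettings.json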
    {
        "Logging": {
            "LogLevel": {
                "Default": "Information",
                "Microsoft.AspNetCore.Hosting": "Warning"
            }
        }
    }
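
The answer above notes that servers log the request URL, query string included. As an added example (not part of the original post, and not SignalR or ASP.NET Core code), the following JavaScript scrubs `access_token` values from log lines before they are stored or forwarded, for places such as proxy or load balancer logs where the log level change does not apply. The log lines, the `[REDACTED]` marker and the function names are constructed for illustration.

```javascript
// Query parameter names whose values must never reach a log (lower-cased).
const SENSITIVE_PARAMS = new Set(['access_token']);

// Redact sensitive query parameters in one URL or request target.
// Works on the raw string so malformed or relative URLs are still handled.
function redactUrl(rawUrl) {
  const q = rawUrl.indexOf('?');
  if (q === -1) return { url: rawUrl, redacted: 0 };
  const hashAt = rawUrl.indexOf('#', q);
  const end = hashAt === -1 ? rawUrl.length : hashAt;
  let redacted = 0;
  const query = rawUrl.slice(q + 1, end).split('&').map((pair) => {
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    let decoded;
    // A percent-encoded name (access%5Ftoken) must match too.
    try { decoded = decodeURIComponent(name); } catch { decoded = name; }
    if (eq !== -1 && SENSITIVE_PARAMS.has(decoded.toLowerCase())) {
      redacted += 1;
      return `${name}=[REDACTED]`;
    }
    return pair;
  }).join('&');
  return { url: rawUrl.slice(0, q + 1) + query + rawUrl.slice(end), redacted };
}

// Scrub every URL-like token in a log line; `leaked` counts tokens found,
// which can feed an alert that a bearer token reached the logs.
function scrubLogLine(line) {
  let leaked = 0;
  const scrubbed = line.replace(/\S*\?\S+/g, (match) => {
    const result = redactUrl(match);
    leaked += result.redacted;
    return result.url;
  });
  return { scrubbed, leaked };
}

// Constructed sample log lines with placeholder token values.
const SAMPLE_LOG = [
  'Request starting HTTP/1.1 GET https://domain/Hub?access_token=PLACEHOLDER.JWT.VALUE',
  'Request starting HTTP/1.1 GET https://domain/Hub?id=abc&Access_Token=PLACEHOLDER&v=1',
  'Request starting HTTP/1.1 GET https://domain/api/health',
];

function scrubAll(lines) {
  return lines.map(scrubLogLine);
}

console.log(scrubAll(SAMPLE_LOG));
```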

Regarding reactjs - React SignalR - Do not send the bearer token in the URL, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/63051899/
