hdygxsj commented on code in PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#discussion_r1048170024
##########
dolphinscheduler-ui/src/service/service.ts:
##########
@@ -74,9 +74,12 @@ const err = (err: AxiosError): Promise<AxiosError> => {
service.interceptors.request.use((config: AxiosRequestConfig<any>) => {
config.headers && (config.headers.sessionId = userStore.getSessionId)
const language = cookies.get('language')
+ const sessionId = cookies.get('sessionId')
config.headers = config.headers || {}
if (language) config.headers.language = language
-
+ if (sessionId) {
+ config.headers['X-CSRF-TOKEN'] = sessionId.split('').reverse().join('')
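Review bot: the value set on `config.headers['X-CSRF-TOKEN'] = sessionId.split('').reverse().join('')` is the session id under a transform anyone can undo, so the header carries no secret independent of the session cookie and the back end cannot learn anything from it that it does not already get from `config.headers.sessionId` set two lines earlier; a CSRF token should be a random per-session value, or one the server issues and binds to the session, and compared on the back end. Reading it with `cookies.get('sessionId')` also requires the session cookie to be readable from script, i.e. not HttpOnly, which is worth stating in the PR description as a deliberate trade-off if that is intended.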
Review Comment:
My current thoughts are as follows,
1. Use the asymmetric encryption algorithm to encrypt. When the front end
obtains the sessionId, encrypt it using the public key and store the
ciphertext persistently using pinia. When the back-end interceptor receives the
X-CSRF-TOKEN, decrypt it with the private key and compare it with the
sessionId. This comes at the cost of reducing the throughput of the request.
2. Or the back end can provide a get api for obtaining a token. The back end
generates the token and persists it in the database. However, I feel that the
io cost of querying the database should be higher than that of decrypting.
If the above methods are OK, I can also implement it in this PR.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
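The second option discussed in the comment above (a back-end-issued token) can be done without a database lookup by binding a random nonce to the session id with an HMAC under a server secret; the back end recomputes the MAC from the session cookie and compares in constant time. The following is an added example written for this thread, not code from the DolphinScheduler project: the secret, the token format and the `buildRequestHeaders` helper that mirrors the interceptor's header handling are assumptions made for illustration, and Node's built-in `crypto` module is used for the primitives.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from 'crypto'

// Constructed placeholder secret for the example only; a deployment would load
// this from configuration and never commit it.
const CSRF_SECRET = Buffer.from('example-csrf-secret-not-for-production')

const NONCE_BYTES = 16
const MAC_HEX_LEN = 64 // SHA-256 digest as hex

// Server side: issue a token bound to the session id without persisting anything.
// token = hex(nonce) + '.' + hex(HMAC-SHA256(secret, sessionId || nonce))
export function issueCsrfToken(sessionId: string, nonce: Buffer = randomBytes(NONCE_BYTES)): string {
  const mac = createHmac('sha256', CSRF_SECRET).update(sessionId).update(nonce).digest()
  return `${nonce.toString('hex')}.${mac.toString('hex')}`
}

// Server side: verify the presented X-CSRF-TOKEN against the session id taken
// from the session cookie. Rejects malformed input before touching the MAC and
// uses a constant-time comparison so the check does not leak by timing.
export function verifyCsrfToken(sessionId: string, token: string | undefined): boolean {
  if (!token) return false
  const parts = token.split('.')
  if (parts.length !== 2) return false
  const [nonceHex, macHex] = parts
  if (!new RegExp(`^[0-9a-f]{${NONCE_BYTES * 2}}$`).test(nonceHex)) return false
  if (!new RegExp(`^[0-9a-f]{${MAC_HEX_LEN}}$`).test(macHex)) return false
  const nonce = Buffer.from(nonceHex, 'hex')
  const expected = createHmac('sha256', CSRF_SECRET).update(sessionId).update(nonce).digest()
  const presented = Buffer.from(macHex, 'hex')
  if (expected.length !== presented.length) return false
  return timingSafeEqual(expected, presented)
}

// Client side (hypothetical helper): build the headers the request interceptor
// attaches, sending a server-issued token rather than a transform of the session id.
export function buildRequestHeaders(
  csrfToken: string | null,
  language?: string
): Record<string, string> {
  const headers: Record<string, string> = {}
  if (language) headers.language = language
  if (csrfToken) headers['X-CSRF-TOKEN'] = csrfToken
  return headers
}
```

Because the MAC covers the session id, a token issued for one session fails verification for any other, and the back end never needs a table of outstanding tokens; rotating `CSRF_SECRET` invalidates all tokens at once, which is the intended behaviour on a key change.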