I send a request with Postman and can log in. Using the same headers and data, I get a different response with axios in Node.
I compared the requests using Fiddler:
Postman data:
_csrf=8806aed7-f222-417f-a3aa-a0e3c0876075&loginMail=my.email%40email.com&loginWenkseSessionId=a419116a-0349-4da3-b78f-0012d5964bfb&password=mypassword&fingerprint=3746b536f50ec270a12a7a4e74f3e4a1
axios data:
_csrf=8806aed7-f222-417f-a3aa-a0e3c0876075&loginMail=my.email%40email.com&loginWenkseSessionId=a419116a-0349-4da3-b78f-0012d5964bfb&password=mypassword&fingerprint=3746b536f50ec270a12a7a4e74f3e4a1
Postman headers:
POST https://www.my-url.com/page.html?targetUrl=/ HTTP/1.1
Host: www.my-url.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: fr,en;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://www.my-url.com/
DNT: 1
Connection: keep-alive
Cookie: JSESSIONID=345619E4B9164E346E099B23C2EA1762-mc5.koeb46-5_i01_1001; rbzid=DcpM4PC9zel6z+f6GAv5kAymylqw001/v299Eg/jfmAzp/jIzSZxjje6++LdfAPK5HlgwAtqDhYScjobif3t21F4I0MqlMIWC7WE61suzUrkmWGJiRvZE2iVsxOZTdeCYI8kt9yAltmgj5v+lz2+SY1rmnKSkCEiV/VfMZ5aaDZT/1WnWRZ/7HXIM5yRd+uzcG4SpJylPSwrNlEF4Z03GURur6nao2uLMV727hBs0GH5dW4run3KoQGS+GbTV4zBifAKIkqyhKoDlVP70w13z3jg5HOdDihROWDG0hROP4jVzbY92gYYQp11AkPhVJtn; rbzsessionid=aa17403285c68f873066a34ca3967ddf;
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Postman-Token: 5851992c-e383-4369-9bf5-93ec71e466e6
Content-Type: application/x-www-form-urlencoded
Content-Length: 216
axios headers:
POST https://www.my-url.com/page.html?targetUrl=/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
host: www.my-url.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept-Language: fr,en;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://www.my-url.com/
DNT: 1
Connection: keep-alive
Cookie: JSESSIONID=345619E4B9164E346E099B23C2EA1762-mc5.koeb46-5_i01_1001; rbzid=DcpM4PC9zel6z+f6GAv5kAymylqw001/v299Eg/jfmAzp/jIzSZxjje6++LdfAPK5HlgwAtqDhYScjobif3t21F4I0MqlMIWC7WE61suzUrkmWGJiRvZE2iVsxOZTdeCYI8kt9yAltmgj5v+lz2+SY1rmnKSkCEiV/VfMZ5aaDZT/1WnWRZ/7HXIM5yRd+uzcG4SpJylPSwrNlEF4Z03GURur6nao2uLMV727hBs0GH5dW4run3KoQGS+GbTV4zBifAKIkqyhKoDlVP70w13z3jg5HOdDihROWDG0hROP4jVzbY92gYYQp11AkPhVJtn; rbzsessionid=aa17403285c68f873066a34ca3967ddf;
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Length: 216
The data is strictly identical.
The headers have 2 differences:
- "Host" from Postman is upper case, axios has a lower-case "h".. although my code has upper case, ¯\_(ツ)_/¯ (see below)
- Postman has an additional Postman-Token.
My axios code:
const axios = require("axios");
const qs = require("qs");

// Login URL as seen in the Postman capture above.
const loginUrl = "https://www.my-url.com/page.html?targetUrl=/";

async function login() {
  const postData = qs.stringify({
    "_csrf": "8806aed7-f222-417f-a3aa-a0e3c0876075",
    "loginMail": "my.email@email.com",
    "loginWenkseSessionId": "a419116a-0349-4da3-b78f-0012d5964bfb",
    "password": "mypassword",
    "fingerprint": "3746b536f50ec270a12a7a4e74f3e4a1"
  });
  const resp = await axios.post(
    loginUrl,
    postData,
    {
      headers:
      {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0",
        "Host": "www.my-url.com",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
        "Accept-Language": "fr,en;q=0.7,de;q=0.3",
        "Accept-Encoding": "gzip, deflate, br",
        "Referer": "https://www.my-url.com/",
        "DNT": "1",
        "Connection": "keep-alive",
        "Cookie": "JSESSIONID=345619E4B9164E346E099B23C2EA1762-mc5.koeb46-5_i01_1001; rbzid=DcpM4PC9zel6z+f6GAv5kAymylqw001/v299Eg/jfmAzp/jIzSZxjje6++LdfAPK5HlgwAtqDhYScjobif3t21F4I0MqlMIWC7WE61suzUrkmWGJiRvZE2iVsxOZTdeCYI8kt9yAltmgj5v+lz2+SY1rmnKSkCEiV/VfMZ5aaDZT/1WnWRZ/7HXIM5yRd+uzcG4SpJylPSwrNlEF4Z03GURur6nao2uLMV727hBs0GH5dW4run3KoQGS+GbTV4zBifAKIkqyhKoDlVP70w13z3jg5HOdDihROWDG0hROP4jVzbY92gYYQp11AkPhVJtn; rbzsessionid=aa17403285c68f873066a34ca3967ddf;",
        "Upgrade-Insecure-Requests": "1",
        "Cache-Control": "max-age=0",
        "Content-Type": "application/x-www-form-urlencoded",
      }
    }
  );
  return resp;
}
Edit: responses from the server:
axios headers and response:
status: 200,
statusText: 'OK',
headers: {
  server: 'rhino-core-shield',
  date: 'Sat, 28 Mar 2020 13:25:04 GMT',
  'content-type': 'text/html;charset=UTF-8',
  requires_auth: '1',
  'set-cookie': [
    'JSESSIONID=9364C40A071C826484EC0D96EA2F83AA-mc5.koeb47-31_i01_1001; Path=/; Secure; HttpOnly',
    'up=%7B%22ln%22%3A%25548484226%11%7D; Expires=Thu, 24-Sep-2020 13:25:04 GMT; Path=/; Secure',
    'GCLB=AB2LnqCH0fobagE; path=/; HttpOnly'
  ],
  'strict-transport-security': 'max-age=31536000',
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'x-xss-protection': '1; mode=block',
  'cache-control': 'no-cache, no-store, max-age=0, must-revalidate',
  pragma: 'no-cache',
  expires: '0',
  'content-language': 'de-DE',
  vary: 'Origin, Accept-Encoding',
  'x-varnish': '484155822',
  age: '0',
  'accept-ranges': 'bytes',
  via: '1.1 varnish (Varnish/6.0), 1.1 google',
  'alt-svc': 'clear',
  'transfer-encoding': 'chunked'
},
config: {
  url: 'https://www.my-url.com/my-page.html?targetUrl=/',
  method: 'post',
  data: 'loginMail=my-email%40email.com&_csrf=236a81db-6d63-438f-9b68-e3a76403c61e&password=my-password&fingerprint=3746b536f50ec270a12a7a4e74f3e4a1',
  headers: {
    Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
    'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0',
    'Accept-Language': 'fr,en;q=0.7,de;q=0.3',
    'Accept-Encoding': 'gzip, deflate, br',
    Referer: 'https://www.my-url.com/',
    DNT: '1',
    Connection: 'keep-alive',
    'Upgrade-Insecure-Requests': '1',
    'Cache-Control': 'max-age=0',
    Cookie: 'JSESSIONID=345619E4B9164E346E099B23C2EA1762-mc5.koeb46-5_i01_1001; rbzid=DcpM4PC9zel6z+f6GAv5kAymylqw001/v299Eg/jfmAzp/jIzSZxjje6++LdfAPK5HlgwAtqDhYScjobif3t21F4I0MqlMIWC7WE61suzUrkmWGJiRvZE2iVsxOZTdeCYI8kt9yAltmgj5v+lz2+SY1rmnKSkCEiV/VfMZ5aaDZT/1WnWRZ/7HXIM5yRd+uzcG4SpJylPSwrNlEF4Z03GURur6nao2uLMV727hBs0GH5dW4run3KoQGS+GbTV4zBifAKIkqyhKoDlVP70w13z3jg5HOdDihROWDG0hROP4jVzbY92gYYQp11AkPhVJtn; rbzsessionid=aa17403285c68f873066a34ca3967ddf; '
  },
  transformRequest: [ [Function: transformRequest] ],
  transformResponse: [ [Function: transformResponse] ],
  timeout: 0,
  adapter: [Function: httpAdapter],
  xsrfCookieName: 'XSRF-TOKEN',
  xsrfHeaderName: 'X-XSRF-TOKEN',
  maxContentLength: -1,
  validateStatus: [Function: validateStatus]
},
request: ClientRequest {
  _events: [Object: null prototype] {
    socket: [Function],
    abort: [Function],
    aborted: [Function],
    error: [Function],
    timeout: [Function],
    prefinish: [Function: requestOnPrefinish]
  },
  _eventsCount: 6,
  _maxListeners: undefined,
  outputData: [],
  outputSize: 0,
  writable: true,
  _last: true,
  chunkedEncoding: false,
  shouldKeepAlive: true,
  useChunkedEncodingByDefault: false,
  sendDate: false,
  _removedConnection: false,
  _removedContLen: false,
  _removedTE: false,
  _contentLength: 0,
  _hasBody: true,
  _trailer: '',
  finished: true,
  _headerSent: true,
  _header: 'GET /my-page.html?targetUrl=/m-another-page.html&sessionExpired=true HTTP/1.1\r\n' +
    'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n' +
    'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0\r\n' +
    'Accept-Language: fr,en;q=0.7,de;q=0.3\r\n' +
    'Accept-Encoding: gzip, deflate, br\r\n' +
    'Referer: https://www.my-url.com/\r\n' +
    'DNT: 1\r\n' +
    'Connection: keep-alive\r\n' +
    'Upgrade-Insecure-Requests: 1\r\n' +
    'Cache-Control: max-age=0\r\n' +
    'Cookie: JSESSIONID=345619E4B9164E346E099B23C2EA1762-mc5.koeb46-5_i01_1001; rbzid=DcpM4PC9zel6z+f6GAv5kAymylqw001/v299Eg/jfmAzp/jIzSZxjje6++LdfAPK5HlgwAtqDhYScjobif3t21F4I0MqlMIWC7WE61suzUrkmWGJiRvZE2iVsxOZTdeCYI8kt9yAltmgj5v+lz2+SY1rmnKSkCEiV/VfMZ5aaDZT/1WnWRZ/7HXIM5yRd+uzcG4SpJylPSwrNlEF4Z03GURur6nao2uLMV727hBs0GH5dW4run3KoQGS+GbTV4zBifAKIkqyhKoDlVP70w13z3jg5HOdDihROWDG0hROP4jVzbY92gYYQp11AkPhVJtn; rbzsessionid=aa17403285c68f873066a34ca3967ddf; \r\n' +
    'Host: www.my-url.com\r\n' +
    '\r\n',
  _onPendingData: [Function: noopPendingOutput],
  agent: Agent {
    _events: [Object: null prototype],
    _eventsCount: 1,
    _maxListeners: undefined,
    defaultPort: 443,
    protocol: 'https:',
    options: [Object],
    requests: {},
    sockets: {},
    freeSockets: {},
    keepAliveMsecs: 1000,
    keepAlive: false,
    maxSockets: Infinity,
    maxFreeSockets: 256,
    maxCachedSessions: 100,
    _sessionCache: [Object]
  },
  socketPath: undefined,
  method: 'GET',
  path: '/my-page.html?targetUrl=/m-another-page.html&sessionExpired=true',
  _ended: true,
  res: IncomingMessage {
    _readableState: [ReadableState],
    readable: false,
    _events: [Object: null prototype],
    _eventsCount: 1,
    _maxListeners: undefined,
    socket: [TLSSocket],
    connection: [TLSSocket],
    httpVersionMajor: 1,
    httpVersionMinor: 1,
    httpVersion: '1.1',
    complete: true,
    headers: [Object],
    rawHeaders: [Array],
    trailers: {},
    rawTrailers: [],
    aborted: false,
    upgrade: false,
    url: '',
    method: null,
    statusCode: 200,
    statusMessage: 'OK',
    client: [TLSSocket],
    _consuming: true,
    _dumped: false,
    req: [Circular],
    responseUrl: 'https://www.my-url.com/my-page.html?targetUrl=/m-another-page.html&sessionExpired=true',
    redirects: []
  },
  aborted: false,
  timeoutCb: null,
  upgradeOrConnect: false,
  parser: null,
  maxHeadersCount: null,
  _redirectable: Writable {
    _writableState: [WritableState],
    writable: true,
    _events: [Object: null prototype],
    _eventsCount: 2,
    _maxListeners: undefined,
    _options: [Object],
    _redirectCount: 2,
    _redirects: [],
    _requestBodyLength: 158,
    _requestBodyBuffers: [],
    _onNativeResponse: [Function],
    _currentRequest: [Circular],
    _currentUrl: 'https://www.my-url.com/my-page.html?targetUrl=/m-another-page.html&sessionExpired=true',
    _isRedirect: true
  },
  [Symbol(kNeedDrain)]: false,
  [Symbol(isCorked)]: false,
  [Symbol(kOutHeaders)]: [Object: null prototype] {
    accept: [Array],
    'user-agent': [Array],
    'accept-language': [Array],
    'accept-encoding': [Array],
    referer: [Array],
    dnt: [Array],
    connection: [Array],
    'upgrade-insecure-requests': [Array],
    'cache-control': [Array],
    cookie: [Array],
    host: [Array]
  }
},
data: <"html of a page telling me my session is over">
Postman response headers:
POST https://www.my-url/m-my-page.html?targetUrl= /
This is a 302
GET https://www.my-url/m-another-page.html
GET /m-my-page.html?targetUrl=/ HTTP/1.1
Host: www.my-url
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: fr,en;q=0.7,de;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://www.my-url/m-my-page.html?targetUrl=/
DNT: 1
Connection: keep-alive
Cookie: JSESSIONID=345619E4B9164E346E099B23C2EA1762-mc5.koeb46-5_i01_1001; rbzid=DcpM4PC9zel6z+f6GAv5kAymylqw001/v299Eg/jfmAzp/jIzSZxjje6++LdfAPK5HlgwAtqDhYScjobif3t21F4I0MqlMIWC7WE61suzUrkmWGJiRvZE2iVsxOZTdeCYI8kt9yAltmgj5v+lz2+SY1rmnKSkCEiV/VfMZ5aaDZT/1WnWRZ/7HXIM5yRd+uzcG4SpJylPSwrNlEF4Z03GURur6nao2uLMV727hBs0GH5dW4run3KoQGS+GbTV4zBifAKIkqyhKoDlVP70w13z3jg5HOdDihROWDG0hROP4jVzbY92gYYQp11AkPhVJtn; rbzsessionid=aa17403285c68f873066a34ca3967ddf;; up=%7B%22ln%22%3A%22333539628%22%7D; wl=%7B%22l%22%3A%22%22%7D; GCLB=COiZgvKeiYvIhQE; JSESSIONID=9DC4DFDABFF9EB02F8666D8D9503CB8E-mc5.koeb47-12_i01_1001
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Postman-Token: 37d36a4b-f4a1-4493-94c5-719298b764ee
loginMail=my-email%40email.com&_csrf=236a81db-6d63-438f-9b68-e3a76403c61e&password=my-password&fingerprint=3746b536f50ec270a12a7a4e74f3e4a1
HTTP/1.1 200 OK
Server: rhino-core-shield
Date: Sat, 28 Mar 2020 13:48:09 GMT
Content-Type: text/html;charset=UTF-8
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Content-Language: de-DE
Content-Encoding: gzip
Vary: Origin, Accept-Encoding
X-Varnish: 484102076
Age: 0
Accept-Ranges: bytes
Via: 1.1 varnish (Varnish/6.0), 1.1 google
Alt-Svc: clear
Transfer-Encoding: chunked
The Postman response data is the HTML of the page when I am logged in.
I tried using the other Node server code generated by Postman, but without success. Note that the same Postman request can be sent successfully several times. The CSRF field is not unique to the request.
What could I be forgetting?
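The axios dump above ends in a GET to `...&sessionExpired=true` that still carries only the original JSESSIONID, while the Postman trace shows its follow-up GET sending the new JSESSIONID and GCLB cookies that the 302 set; axios in Node has no cookie jar, so cookies set on a redirect response are not carried into the redirected request. The block below is an added example, not code from the question: it stops axios at each 302 with `maxRedirects: 0` (a real axios option, as is `validateStatus`), merges the `set-cookie` values into the next hop's Cookie header, and follows the Location as a GET. The helper names `parseCookieHeader`, `applySetCookies`, `cookieHeaderFrom` and `requestWithCookieJar` are chosen here, and the cookie values in the test are constructed.

```javascript
// Added example (not from the question): follow a login 302 while carrying the
// cookies the redirect response sets, which axios in Node does not do by itself.

// Parse a request "Cookie:" header ("a=1; b=2;;") into an insertion-ordered Map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq <= 0) continue; // skip empty fragments such as a trailing ";;"
    jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// Merge each "Set-Cookie" line into the jar. Only name=value is kept; the
// Path/Secure/HttpOnly attributes are ignored because every hop here stays on
// the same https host (an assumption of this example).
function applySetCookies(jar, setCookieLines) {
  for (const line of setCookieLines || []) {
    const first = line.split(';')[0];
    const eq = first.indexOf('=');
    if (eq <= 0) continue;
    jar.set(first.slice(0, eq).trim(), first.slice(eq + 1).trim());
  }
  return jar;
}

// Serialise the jar back into a "Cookie:" header value.
function cookieHeaderFrom(jar) {
  return [...jar].map(([name, value]) => `${name}=${value}`).join('; ');
}

// Send with maxRedirects: 0 so every 302 is visible, absorb its Set-Cookie,
// then request the Location as a GET (what Postman and browsers do).
async function requestWithCookieJar(method, url, body, headers, maxHops = 5) {
  const axios = require('axios'); // required lazily: the helpers above need no axios
  const jar = parseCookieHeader(headers.Cookie);
  for (let hop = 0; hop <= maxHops; hop++) {
    const hopHeaders = { ...headers, Cookie: cookieHeaderFrom(jar) };
    if (method === 'get') delete hopHeaders['Content-Type']; // no body on a GET hop
    const resp = await axios({
      method, url, data: body, headers: hopHeaders, maxRedirects: 0,
      validateStatus: (s) => s >= 200 && s < 400, // a 302 is a result, not an error
    });
    applySetCookies(jar, resp.headers['set-cookie']);
    if (resp.status < 300 || !resp.headers.location) return resp;
    url = new URL(resp.headers.location, url).toString();
    method = 'get';
    body = undefined;
  }
  throw new Error(`more than ${maxHops} redirects`);
}
```

Call it as `requestWithCookieJar('post', loginUrl, new URLSearchParams({ ...form fields... }).toString(), headers)` with the same headers object as the question's code; the `set-cookie` array on the first 302 is what to compare against the cookies Postman's follow-up GET carries.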