我正在向从 Angular 5 到登录路由的休息服务发出请求,以便它以这种方式(方法 getUserToken)在标头中返回 JWT:
import { Injectable } from '@angular/core';
import { Http, Response, Headers, RequestOptions, URLSearchParams } from "@angular/http";
import 'rxjs/add/operator/map';
import 'rxjs/add/operator/do';
import 'rxjs/add/operator/catch';
import { Observable } from 'rxjs/Rx';
import Config from '../../config/config';
@Injectable()
export class LoginServiceService {
private url: string = Config.serviceRoute;
headers: Headers;
options: RequestOptions;
constructor(private http:Http) {
this.headers = new Headers({ 'Accept': 'application/json',
'Access-Control-Allow-Origin': "*",
'Access-Control-Allow-Headers': "Origin, X-Requested-With, Content-Type, Accept, Authorization, X-Custom-header",
});
this.options = new RequestOptions({ headers: this.headers });
}
getUserToken(test){
console.log("calling /login");
return this.http.post(this.url + 'login', test, this.options)
.map(res => {
let headers = res.headers;
let varaible = headers.get("Authorization");
console.log("My varaible ", varaible);
return res.json;
});
}
}
但是当我探索 MyToken 的 console.log 时,我发现它是空的。据我了解安全措施,我无法在标头中访问某些内容,但是在这种情况下,我如何获得 Authorization 具有的值?
API 返回给我的是标题中的内容:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Accept-Encoding, Accept-Language, Host, Referer, Connection, User-Agent, Authorization, sw-useragent, sw-version
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTUxNjM3MTY5OX0.DDUF4gb0kXIZP17hFWYUqEVkeT9H0LZDOv4DKxgyktObV60klJhrzrBtv9m5UqWx6lZA0eZzIM1hn9nGp-_bnQ
Content-Length: 0
Date: Fri, 19 Jan 2018 14:11:39 GMT
更新:
当我对标头执行 console.log() 时,它给我带来了这个。
{"Cache-Control":["no-cache"," no-store"," max-age=0"," must-revalidate"],"Expires":["0"],"Pragma":["no-cache"]}
出于某种原因,我看不到授权,我确实从 Mozilla 或 Chrome 看到了授权。
我用英语在 SO上回答了同样的问题:
使用 CORS 时,必须在响应中添加某些标头。您的答案如下:
Access-Control-Allow-Origin: *
表示任何人都可以提出请求。Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS
指出您可以使用哪些方法。Access-Control-Allow-Headers: Origin, X-Requested-With, ... Authorization, sw-useragent, sw-version
指示您可以将哪些标头发送到服务器。现在您需要的是以下内容:
此标头定义了服务器发送的哪些标头可以被读取并且不存在于您的响应中。