.net core 自定义api保护和处理浏览器跨域时产生的OPTIONS预检请求

.自定义HandlerMiddleware

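/// <summary>
/// API-protection middleware: answers CORS preflight (OPTIONS) requests for allow-listed
/// origins, validates the encrypted <c>v2_platform_auth_token</c> header on every other
/// request, and turns downstream exceptions and error status codes into a JSON body.
/// </summary>
public class v2HandlerMiddleware
{
    // Literal status codes keep this file free of a dependency on StatusCodes.
    private const int StatusUnauthorized = 401;
    private const int StatusInternalServerError = 500;
    private const string JsonContentType = "application/json;charset=utf-8";
    private const string AuthHeaderName = "v2_platform_auth_token";
    private const string AccessDeniedMessage = "非法访问!";

    private readonly RequestDelegate next;

    public v2HandlerMiddleware(RequestDelegate next)
    {
        this.next = next;
    }

    /// <summary>
    /// Pipeline entry point. OPTIONS requests are answered here and never reach the
    /// token check; all other requests must pass <see cref="AuthToken"/> before
    /// <c>next</c> runs.
    /// </summary>
    /// <param name="context">The current HTTP context.</param>
    /// <returns>A task that completes once the response has been written.</returns>
    public async Task Invoke(HttpContext context)
    {
        // A browser preflight must get its CORS headers here, otherwise the browser reports
        // "Response to preflight request doesn't pass access control check: No
        // 'Access-Control-Allow-Origin' header is present on the requested resource."
        // and refuses to send the real request.
        if (string.Equals(context.Request.Method, "OPTIONS", StringComparison.OrdinalIgnoreCase))
        {
            HandlePreflight(context);
            return;
        }

        var authResult = await AuthToken(context);
        if (!authResult.Success)
        {
            // AuthToken has already written the rejection body and status.
            return;
        }

        try
        {
            await next(context);
        }
        catch (Exception exception)
        {
            authResult.Failed(exception);
            // Only change the status while nothing has been flushed; once the headers are on
            // the wire, assigning StatusCode throws and the status cannot be corrected anyway.
            if (!context.Response.HasStarted)
            {
                context.Response.StatusCode = StatusInternalServerError;
            }
        }
        finally
        {
            // Exactly one JSON body is written: the exception result takes precedence over the
            // status-code description, so the client never receives two concatenated documents.
            var statusCode = context.Response.StatusCode;
            if (!authResult.Success)
            {
                context.Response.ContentType = JsonContentType;
                await context.Response.WriteAsync(authResult.ToJson());
            }
            else if (statusCode < 200 || statusCode >= 400)
            {
                await ExceptionHandlerAsync(
                    context,
                    statusCode.ToString(System.Globalization.CultureInfo.InvariantCulture));
            }
        }
    }

    /// <summary>
    /// Answers a CORS preflight request. CORS headers are emitted only when the request's
    /// Origin is in the configured allow-list; any other origin gets an empty response
    /// without CORS headers, which the browser then rejects on its side.
    /// </summary>
    /// <param name="context">The current HTTP context.</param>
    private static void HandlePreflight(HttpContext context)
    {
        var origin = context.Request.Headers["Origin"];
        if (!v2AppConfiguration.App.CorsOrigins.Contains(origin))
        {
            return;
        }

        var responseHeaders = context.Response.Headers;
        // Indexer assignment instead of Add: Add throws when another component has already
        // set the same header, the indexer simply overwrites it.
        responseHeaders["Access-Control-Allow-Origin"] = origin;
        responseHeaders["Access-Control-Allow-Headers"] = context.Request.Headers["Access-Control-Request-Headers"];
        // Allow-Origin is computed per origin, so shared caches must key on it.
        responseHeaders["Vary"] = "Origin";

        // Echo the requested method so non-simple methods (PUT, DELETE, PATCH) pass preflight too.
        string requestedMethod = context.Request.Headers["Access-Control-Request-Method"];
        if (!string.IsNullOrEmpty(requestedMethod))
        {
            responseHeaders["Access-Control-Allow-Methods"] = requestedMethod;
        }
    }

    /// <summary>
    /// Writes a JSON error body whose description is the <see cref="HttpStatusCode"/> name
    /// for <paramref name="message"/> (for example "NotFound" for "404").
    /// </summary>
    /// <param name="context">The current HTTP context.</param>
    /// <param name="message">The response status code as a decimal string.</param>
    /// <returns>The pending write of the JSON body.</returns>
    private Task ExceptionHandlerAsync(HttpContext context, string message)
    {
        context.Response.ContentType = JsonContentType;
        var result = new v2Result();
        // Enum.TryParse accepts numeric strings, so codes outside the enum still yield a value;
        // only when parsing fails outright do we fall back to the raw code rather than
        // dereferencing a null description.
        var description = Enum.TryParse(typeof(HttpStatusCode), message, out object statusDescription)
            ? statusDescription.ToString()
            : message;
        result.Failed(description, message);
        return context.Response.WriteAsync(result.ToJson());
    }

    /// <summary>
    /// Validates the <c>v2_platform_auth_token</c> header. The value is AES-decrypted with the
    /// configured key and must hold a Unix-millisecond timestamp within
    /// <c>ApiEncrypt.Time</c> of the server clock. Excluded paths (the root, "/swagger" and
    /// "/Home") and a disabled <c>ApiEncrypt</c> always succeed. On failure the 401 JSON
    /// rejection has already been written to the response.
    /// </summary>
    /// <param name="context">The current HTTP context.</param>
    /// <returns>A result whose <c>Success</c> tells the caller whether to continue the pipeline.</returns>
    private async Task<v2Result> AuthToken(HttpContext context)
    {
        var result = new v2Result();
        var request = context.Request;
        var path = request.Path.Value ?? string.Empty;

        // Ordinal, case-sensitive on purpose: a differently cased path is not excluded and so
        // still has to present a valid token (fail closed).
        var isExcludedPath = path == "/"
            || path.StartsWith("/swagger", StringComparison.Ordinal)
            || path.StartsWith("/Home", StringComparison.Ordinal);

        if (!v2AppConfiguration.ApiEncrypt.Enable || isExcludedPath)
        {
            result.Successed();
            return result;
        }

        if (!request.Headers.TryGetValue(AuthHeaderName, out var token))
        {
            await RejectAsync(context, result);
            return result;
        }

        try
        {
            var key = v2AppConfiguration.ApiEncrypt.Key;
            var decrypted = EncryptHelper.AESDecode(token, key, key.Length);

            // The decrypted payload is the issue time in Unix milliseconds. Tokens outside the
            // window in *either* direction are rejected: a far-future timestamp would otherwise
            // never expire and turn a leaked token into a permanent credential.
            var ageMs = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds() - decrypted.To<long>();
            if (Math.Abs(ageMs) > v2AppConfiguration.ApiEncrypt.Time)
            {
                await RejectAsync(context, result);
            }
            else
            {
                result.Successed();
            }
        }
        catch (Exception)
        {
            // Undecryptable or non-numeric payload is a bad token, not a server error.
            await RejectAsync(context, result);
        }

        return result;
    }

    /// <summary>
    /// Marks <paramref name="result"/> as failed and writes it as a 401 JSON response body.
    /// </summary>
    /// <param name="context">The current HTTP context.</param>
    /// <param name="result">The result to mark as failed and serialize.</param>
    /// <returns>The pending write of the JSON body.</returns>
    private static Task RejectAsync(HttpContext context, v2Result result)
    {
        context.Response.StatusCode = StatusUnauthorized;
        context.Response.ContentType = JsonContentType;
        result.Failed(AccessDeniedMessage);
        return context.Response.WriteAsync(result.ToJson());
    }
}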
参考:https://ningyu1.github.io/site/post/92-cors-ajax/

 
