47 KiB
HttpClient
HttpClient 库
Most front-end applications communicate with backend services over the HTTP protocol. Modern browsers support two different APIs for making HTTP requests: the XMLHttpRequest
interface and the fetch()
API.
大多数前端应用都需要通过 HTTP 协议与后端服务器通讯。现代浏览器支持使用两种不同的 API 发起 HTTP 请求:XMLHttpRequest
接口和 fetch()
API。
The HttpClient
in @angular/common/http
offers a simplified client HTTP API for Angular applications
that rests on the XMLHttpRequest
interface exposed by browsers.
Additional benefits of HttpClient
include testability features, typed request and response objects, request and response interception, Observable
apis, and streamlined error handling.
@angular/common/http
中的HttpClient
类为 Angular 应用程序提供了一个简化的 API 来实现 HTTP 客户端功能。它基于浏览器提供的XMLHttpRequest
接口。
HttpClient
带来的其它优点包括:可测试性、强类型的请求和响应对象、发起请求与接收响应时的拦截器支持,以及更好的、基于可观察(Observable)对象的 API 以及流式错误处理机制。
You can run the that accompanies this guide.
The sample app does not require a data server.
It relies on the
Angular in-memory-web-api,
which replaces the HttpClient module's HttpBackend
.
The replacement service simulates the behavior of a REST-like backend.
Look at the AppModule
imports to see how it is configured.
Setup
Before you can use the HttpClient
, you need to import the Angular HttpClientModule
.
Most apps do so in the root AppModule
.
Having imported HttpClientModule
into the AppModule
, you can inject the HttpClient
into an application class as shown in the following ConfigService
example.
Getting JSON data
Applications often request JSON data from the server.
For example, the app might need a configuration file on the server, config.json
,
that specifies resource URLs.
The ConfigService
fetches this file with a get()
method on HttpClient
.
A component, such as ConfigComponent
, injects the ConfigService
and calls
the getConfig
service method.
Because the service method returns an Observable
of configuration data,
the component subscribes to the method's return value.
The subscription callback copies the data fields into the component's config
object,
which is data-bound in the component template for display.
Why write a service
This example is so simple that it is tempting to write the Http.get()
inside the
component itself and skip the service.
However, data access rarely stays this simple. You typically post-process the data, add error handling, and maybe some retry logic to cope with intermittent connectivity.
The component quickly becomes cluttered with data access minutia. The component becomes harder to understand, harder to test, and the data access logic can't be re-used or standardized.
That's why it is a best practice to separate presentation of data from data access by encapsulating data access in a separate service and delegating to that service in the component, even in simple cases like this one.
Type-checking the response
The subscribe callback above requires bracket notation to extract the data values.
You can't write data.heroesUrl
because TypeScript correctly complains that the data
object from the service does not have a heroesUrl
property.
The HttpClient.get()
method parsed the JSON server response into the anonymous Object
type. It doesn't know what the shape of that object is.
You can tell HttpClient
the type of the response to make consuming the output easier and more obvious.
First, define an interface with the correct shape:
Then, specify that interface as the HttpClient.get()
call's type parameter in the service:
The callback in the updated component method receives a typed data object, which is easier and safer to consume:
Reading the full response
读取完整的响应体
The response body doesn't return all the data you may need. Sometimes servers return special headers or status codes to indicate certain conditions that are important to the application workflow.
响应体可能并不包含我们需要的全部信息。有时候服务器会返回一个特殊的响应头或状态码,以标记出特定的条件,因此读取它们可能是必要的。
Tell HttpClient
that you want the full response with the observe
option:
要这样做,我们就要通过observe
选项来告诉HttpClient
,你想要完整的响应信息,而不是只有响应体:
Now HttpClient.get()
returns an Observable
of typed HttpResponse
rather than just the JSON data.
The component's showConfigResponse()
method displays the response headers as well as the configuration:
As you can see, the response object has a body
property of the correct type.
Error handling
错误处理
What happens if the request fails on the server, or if a poor network connection prevents it from even reaching the server? HttpClient
will return an error object instead of a successful response.
如果这个请求导致了服务器错误怎么办?甚至,在烂网络下请求都没到服务器该怎么办?HttpClient
就会返回一个错误(error)而不再是成功的响应。
You could handle in the component by adding a second callback to the .subscribe()
:
It's certainly a good idea to give the user some kind of feedback when data access fails.
But displaying the raw error object returned by HttpClient
is far from the best way to do it.
{@a error-details}
Getting error details
获取错误详情
Detecting that an error occurred is one thing. Interpreting that error and composing a user-friendly response is a bit more involved.
检测错误的发生是第一步,不过如果知道具体发生了什么错误才会更有用。上面例子中传给回调函数的err
参数的类型是HttpErrorResponse
,它包含了这个错误中一些很有用的信息。
Two types of errors can occur. The server backend might reject the request, returning an HTTP response with a status code such as 404 or 500. These are error responses.
可能发生的错误分为两种。如果后端返回了一个失败的返回码(如404、500等),它会返回一个错误响应体。
Or something could go wrong on the client-side such as a network error that prevents the request from completing successfully or an exception thrown in an RxJS operator. These errors produce JavaScript ErrorEvent
objects.
或者,如果在客户端这边出了错误(比如在RxJS操作符中抛出的异常或某些阻碍完成这个请求的网络错误),就会抛出一个Error
类型的异常。
The HttpClient
captures both kinds of errors in its HttpErrorResponse
and you can inspect that response to figure out what really happened.
Error inspection, interpretation, and resolution is something you want to do in the service, not in the component.
You might first devise an error handler like this one:
Notice that this handler returns an RxJS ErrorObservable
with a user-friendly error message.
Consumers of the service expect service methods to return an Observable
of some kind,
even a "bad" one.
Now you take the Observables
returned by the HttpClient
methods
and pipe them through to the error handler.
retry()
Sometimes the error is transient and will go away automatically if you try again. For example, network interruptions are common in mobile scenarios, and trying again may produce a successful result.
The RxJS library offers several retry operators that are worth exploring.
The simplest is called retry()
and it automatically re-subscribes to a failed Observable
a specified number of times. Re-subscribing to the result of an HttpClient
method call has the effect of reissuing the HTTP request.
Pipe it onto the HttpClient
method result just before the error handler.
{@a rxjs}
Observables and operators
The previous sections of this guide referred to RxJS Observables
and operators such as catchError
and retry
.
You will encounter more RxJS artifacts as you continue below.
RxJS is a library for composing asynchronous and callback-based code
in a functional, reactive style.
Many Angular APIs, including HttpClient
, produce and consume RxJS Observables
.
RxJS itself is out-of-scope for this guide. You will find many learning resources on the web.
While you can get by with a minimum of RxJS knowledge, you'll want to grow your RxJS skills over time in order to use HttpClient
effectively.
If you're following along with these code snippets, note that you must import the RxJS observable and operator symbols that appear in those snippets. These ConfigService
imports are typical.
Requesting non-JSON data
Not all APIs return JSON data. In this next example,
a DownloaderService
method reads a text file from the server
and logs the file contents, before returning those contents to the caller
as an Observable<string>
.
HttpClient.get()
returns a string rather than the default JSON because of the responseType
option.
The RxJS tap
operator (as in "wiretap") lets the code inspect good and error values passing through the observable without disturbing them.
A download()
method in the DownloaderComponent
initiates the request by subscribing to the service method.
Sending data to the server
把数据发送到服务器
In addition to fetching data from the server, HttpClient
supports mutating requests, that is, sending data to the server with other HTTP methods such as PUT, POST, and DELETE.
The sample app for this guide includes a simplified version of the "Tour of Heroes" example that fetches heroes and enables users to add, delete, and update them.
The following sections excerpt methods of the sample's HeroesService
.
Adding headers
Many servers require extra headers for save operations. For example, they may require a "Content-Type" header to explicitly declare the MIME type of the request body. Or perhaps the server requires an authorization token.
The HeroesService
defines such headers in an httpOptions
object that will be passed
to every HttpClient
save method.
Making a POST request
发起一个 POST 请求
Apps often POST data to a server. They POST when submitting a form.
In the following example, the HeroService
posts when adding a hero to the database.
The HttpClient.post()
method is similar to get()
in that it has a type parameter
(you're expecting the server to return the new hero)
and it takes a resource URL.
It takes two more parameters:
hero
- the data to POST in the body of the request.httpOptions
- the method options which, in this case, specify required headers.
Of course it catches errors in much the same manner described above. It also taps the returned observable in order to log the successful POST.
The HeroesComponent
initiates the actual POST operation by subscribing to
the Observable
returned by this service method.
When the server responds successfully with the newly added hero, the component adds
that hero to the displayed heroes
list.
Making a DELETE request
This application deletes a hero with the HttpClient.delete
method by passing the hero's id
in the request URL.
The HeroesComponent
initiates the actual DELETE operation by subscribing to
the Observable
returned by this service method.
You must call subscribe() or nothing happens!
The component isn't expecting a result from the delete operation and
subscribes without a callback.
The bare .subscribe()
seems pointless.
In fact, it is essential.
Merely calling HeroService.deleteHero()
does not initiate the DELETE request.
{@a always-subscribe}
Always subscribe!
An HttpClient
method does not begin its HTTP request until you call subscribe()
on the observable returned by that method. This is true for all HttpClient
methods.
The AsyncPipe
subscribes (and unsubscribes) for you automatically.
All observables returned from HttpClient
methods are cold by design.
Execution of the HTTP request is deferred, allowing you to extend the
observable with additional operations such as tap
and catchError
before anything actually happens.
Calling subscribe(...)
triggers execution of the observable and causes
HttpClient
to compose and send the HTTP request to the server.
You can think of these observables as blueprints for actual HTTP requests.
In fact, each subscribe()
initiates a separate, independent execution of the observable.
Subscribing twice results in two HTTP requests.
注意这个subscribe()
方法。 所有从HttpClient
返回的可观察对象都是冷的(cold),也就是说,它们只是发起请求的蓝图而已。在我们调用subscribe()
之前,什么都不会发生,而当我们每次调用subscribe()
时,就会独立发起一次请求。
比如,下列代码会使用同样的数据发送两次同样的 POST 请求:
const req = http.get<Heroes>('/api/heroes');
// 0 requests made - .subscribe() not called.
req.subscribe();
// 1 request made.
req.subscribe();
// 2 requests made.
Making a PUT request
An app will send a PUT request to completely replace a resource with updated data.
The following HeroService
example is just like the POST example.
For the reasons explained above, the caller (HeroesComponent.update()
in this case) must subscribe()
to the observable returned from the HttpClient.put()
in order to initiate the request.
Advanced usage
The above sections detail how to use the basic HTTP functionality in @angular/common/http
, but sometimes you need to do more than make simple requests and get data back.
Configuring the request
Other aspects of an outgoing request can be configured via the options object
passed as the last argument to the HttpClient
method.
You saw earlier that the HeroService
sets the default headers by
passing an options object (httpOptions
) to its save methods.
You can do more.
Update headers
You can't directly modify the existing headers within the previous options
object because instances of the HttpHeaders
class are immutable.
Use the set()
method instead.
It returns a clone of the current instance with the new changes applied.
Here's how you might update the authorization header (after the old token expired) before making the next request.
HttpHeaders
类是不可变对象(immutable),所以每个set()
都会返回一个新实例,并且应用上这些修改。
URL Parameters
URL 参数
Adding URL search parameters works a similar way.
Here is a searchHeroes
method that queries for heroes whose names contain the search term.
If there is a search term, the code constructs an options object with an HTML URL encoded search parameter. If the term were "foo", the GET request URL would be api/heroes/?name=foo
.
The HttpParms
are immutable so you'll have to use the set()
method to update the options.
Debouncing requests
The sample includes an npm package search feature.
When the user enters a name in a search-box, the PackageSearchComponent
sends
a search request for a package with that name to the NPM web api.
Here's a pertinent excerpt from the template:
The (keyup)
event binding sends every keystroke to the component's search()
method.
Sending a request for every keystroke could be expensive. It's better to wait until the user stops typing and then send a request. That's easy to implement with RxJS operators, as shown in this excerpt.
The searchText$
is the sequence of search-box values coming from the user.
It's defined as an RxJS Subject
, which means it is an Observable
that can also produce values for itself by calling next(value)
,
as happens in the search()
method.
Rather than forward every searchText
value directly to the injected PackageSearchService
,
the code in ngOnInit()
pipes search values through three operators:
debounceTime(500)
- wait for the user to stop typing (1/2 second in this case).distinctUntilChanged()
- wait until the search text changes.switchMap()
- send the search request to the service.
The code sets packages$
to this re-composed Observable
of search results.
The template subscribes to packages$
with the AsyncPipe
and displays search results as they arrive.
A search value reaches the service only if it's a new value and the user has stopped typing.
The withRefresh
option is explained below.
switchMap()
The switchMap()
operator has three important characteristics.
-
It takes a function argument that returns an
Observable
.PackageSearchService.search
returns anObservable
, as other data service methods do. -
If a previous search request is still in-flight (as when the connection is poor), it cancels that request and sends a new one.
-
It returns service responses in their original request order, even if the server returns them out of order.
If you think you'll reuse this debouncing logic,
consider moving it to a utility function or into the PackageSearchService
itself.
Intercepting requests and responses
HTTP Interception is a major feature of @angular/common/http
.
With interception, you declare interceptors that inspect and transform HTTP requests from your application to the server.
The same interceptors may also inspect and transform the server's responses on their way back to the application.
Multiple interceptors form a forward-and-backward chain of request/response handlers.
Interceptors can perform a variety of implicit tasks, from authentication to logging, in a routine, standard way, for every HTTP request/response.
Without interception, developers would have to implement these tasks explicitly
for each HttpClient
method call.
Write an interceptor
To implement an interceptor, declare a class that implements the intercept()
method of the HttpInterceptor
interface.
Here is a do-nothing noop interceptor that simply passes the request through without touching it:
The intercept
method transforms a request into an Observable
that eventually returns the HTTP response.
In this sense, each interceptor is fully capable of handling the request entirely by itself.
Most interceptors inspect the request on the way in and forward the (perhaps altered) request to the handle()
method of the next
object which implements the HttpHandler
interface.
export abstract class HttpHandler {
abstract handle(req: HttpRequest<any>): Observable<HttpEvent<any>>;
}
Like intercept()
, the handle()
method transforms an HTTP request into an Observable
of HttpEvents
which ultimately include the server's response. The intercept()
method could inspect that observable and alter it before returning it to the caller.
This no-op interceptor simply calls next.handle()
with the original request and returns the observable without doing a thing.
The next object
The next
object represents the next interceptor in the chain of interceptors.
The final next
in the chain is the HttpClient
backend handler that sends the request to the server and receives the server's response.
Most interceptors call next.handle()
so that the request flows through to the next interceptor and, eventually, the backend handler.
An interceptor could skip calling next.handle()
, short-circuit the chain, and return its own Observable
with an artificial server response.
This is a common middleware pattern found in frameworks such as Express.js.
Provide the interceptor
The NoopInterceptor
is a service managed by Angular's dependency injection (DI) system.
Like other services, you must provide the interceptor class before the app can use it.
Because interceptors are (optional) dependencies of the HttpClient
service,
you must provide them in the same injector (or a parent of the injector) that provides HttpClient
.
Interceptors provided after DI creates the HttpClient
are ignored.
This app provides HttpClient
in the app's root injector, as a side-effect of importing the HttpClientModule
in AppModule
.
You should provide interceptors in AppModule
as well.
After importing the HTTP_INTERCEPTORS
injection token from @angular/common/http
,
write the NoopInterceptor
provider like this:
Note the multi: true
option.
This required setting tells Angular that HTTP_INTERCEPTORS
is a token for a multiprovider
that injects an array of values, rather than a single value.
You could add this provider directly to the providers array of the AppModule
.
However, it's rather verbose and there's a good chance that
you'll create more interceptors and provide them in the same way.
You must also pay close attention to the order
in which you provide these interceptors.
Consider creating a "barrel" file that gathers all the interceptor providers into an httpInterceptorProviders
array, starting with this first one, the NoopInterceptor
.
Then import and add it to the AppModule
providers array like this:
As you create new interceptors, add them to the httpInterceptorProviders
array and
you won't have to revisit the AppModule
.
There are many more interceptors in the complete sample code.
Interceptor order
Angular applies interceptors in the order that you provide them. If you provide interceptors A, then B, then C, requests will flow in A->B->C and responses will flow out C->B->A.
You cannot change the order or remove interceptors later. If you need to enable and disable an interceptor dynamically, you'll have to build that capability into the interceptor itself.
HttpEvents
You may have expected the intercept()
and handle()
methods to return observables of HttpResponse<any>
as most HttpClient
methods do.
Instead they return observables of HttpEvent<any>
.
That's because interceptors work at a lower level than those HttpClient
methods. A single HTTP request can generate multiple events, including upload and download progress events. The HttpResponse
class itself is actually an event, whose type is HttpEventType.HttpResponseEvent
.
Many interceptors are only concerned with the outgoing request and simply return the event stream from next.handle()
without modifying it.
But interceptors that examine and modify the response from next.handle()
will see all of these events.
Your interceptor should return every event untouched unless it has a compelling reason to do otherwise.
Immutability
Although interceptors are capable of mutating requests and responses,
the HttpRequest
and HttpResponse
instance properties are readonly
,
rendering them largely immutable.
They are immutable for a good reason: the app may retry a request several times before it succeeds, which means that the interceptor chain may re-process the same request multiple times. If an interceptor could modify the original request object, the re-tried operation would start from the modified request rather than the original. Immutability ensures that interceptors see the same request for each try.
TypeScript will prevent you from setting HttpRequest
readonly properties.
// Typescript disallows the following assignment because req.url is readonly
req.url = req.url.replace('http://', 'https://');
To alter the request, clone it first and modify the clone before passing it to next.handle()
.
You can clone and modify the request in a single step as in this example.
The clone()
method's hash argument allows you to mutate specific properties of the request while copying the others.
The request body
The readonly
assignment guard can't prevent deep updates and, in particular,
it can't prevent you from modifying a property of a request body object.
req.body.name = req.body.name.trim(); // bad idea!
If you must mutate the request body, copy it first, change the copy,
clone()
the request, and set the clone's body with the new body, as in the following example.
Clearing the request body
Sometimes you need to clear the request body rather than replace it.
If you set the cloned request body to undefined
, Angular assumes you intend to leave the body as is.
That is not what you want.
If you set the cloned request body to null
, Angular knows you intend to clear the request body.
这种克隆一个请求并设置一组新的请求头的操作非常常见,因此有了一种快捷写法:
newReq = req.clone({ ... }); // body not mentioned => preserve original body
newReq = req.clone({ body: undefined }); // preserve original body
newReq = req.clone({ body: null }); // clear the body
Set default headers
Apps often use an interceptor to set default headers on outgoing requests.
The sample app has an AuthService
that produces an authorization token.
Here is its AuthInterceptor
that injects that service to get the token and
adds an authorization header with that token to every outgoing request:
The practice of cloning a request to set new headers is so common that
there's a setHeaders
shortcut for it:
An interceptor that alters headers can be used for a number of different operations, including:
这种可以修改头的拦截器可以用于很多不同的操作,比如:
-
Authentication/authorization
认证 / 授权
-
Caching behavior; for example,
If-Modified-Since
控制缓存行为。比如
If-Modified-Since
-
XSRF protection
XSRF 防护
Logging
记日志
Because interceptors can process the request and response together, they can do things like time and log an entire HTTP operation.
Consider the following LoggingInterceptor
, which captures the time of the request,
the time of the response, and logs the outcome with the elapsed time
with the injected MessageService
.
The RxJS tap
operator captures whether the request succeed or failed.
The RxJS finalize
operator is called when the response observable either errors or completes (which it must),
and reports the outcome to the MessageService
.
Neither tap
nor finalize
touch the values of the observable stream returned to the caller.
Caching
缓存
Interceptors can handle requests by themselves, without forwarding to next.handle()
.
For example, you might decide to cache certain requests and responses to improve performance. You can delegate caching to an interceptor without disturbing your existing data services.
The CachingInterceptor
demonstrates this approach.
The isCachable()
function determines if the request is cachable.
In this sample, only GET requests to the npm package search api are cachable.
If the request is not cachable, the interceptor simply forwards the request to the next handler in the chain.
If a cachable request is found in the cache, the interceptor returns an of()
observable with
the cached response, by-passing the next
handler (and all other interceptors downstream).
If a cachable request is not in cache, the code calls sendRequest
.
{@a send-request}
The sendRequest
function creates a request clone without headers
because the npm api forbids them.
It forwards that request to next.handle()
which ultimately calls the server and
returns the server's response.
Note how sendRequest
intercepts the response on its way back to the application.
It pipes the response through the tap()
operator,
whose callback adds the response to the cache.
The original response continues untouched back up through the chain of interceptors to the application caller.
Data services, such as PackageSearchService
, are unaware that
some of their HttpClient
requests actually return cached responses.
{@a cache-refresh}
Return a multi-valued Observable
The HttpClient.get()
method normally returns an observable
that either emits the data or an error.
Some folks describe it as a "one and done" observable.
But an interceptor can change this to an observable that emits more than once.
A revised version of the CachingInterceptor
optionally returns an observable that
immediately emits the cached response, sends the request to the npm web api anyway,
and emits again later with the updated search results.
The cache-then-refresh option is triggered by the presence of a custom x-refresh
header.
A checkbox on the PackageSearchComponent
toggles a withRefresh
flag,
which is one of the arguments to PackageSearchService.search()
.
That search()
method creates the custom x-refresh
header
and adds it to the request before calling HttpClient.get()
.
The revised CachingInterceptor
sets up a server request
whether there's a cached value or not,
using the same sendRequest()
method described above.
The results$
observable will make the request when subscribed.
If there's no cached value, the interceptor returns results$
.
If there is a cached value, the code pipes the cached response onto
results$
, producing a recomposed observable that emits twice,
the cached response first (and immediately), followed later
by the response from the server.
Subscribers see a sequence of two responses.
现在,如果 URL 被缓存过,那么任何人调用http.get(url)
时都会收到两次响应。
Listening to progress events
监听进度事件
Sometimes applications transfer large amounts of data and those transfers can take a long time. File uploads are a typical example. Give the users a better experience by providing feedback on the progress of such transfers.
To make a request with progress events enabled, you can create an instance of HttpRequest
with the reportProgress
option set true to enable tracking of progress events.
Every progress event triggers change detection, so only turn them on if you truly intend to report progress in the UI.
Next, pass this request object to the HttpClient.request()
method, which
returns an Observable
of HttpEvents
, the same events processed by interceptors:
The getEventMessage
method interprets each type of HttpEvent
in the event stream.
The sample app for this guide doesn't have a server that accepts uploaded files.
The UploadInterceptor
in app/http-interceptors/upload-interceptor.ts
intercepts and short-circuits upload requests
by returning an observable of simulated events.
Security: XSRF Protection
安全:XSRF 防护
Cross-Site Request Forgery (XSRF) is an attack technique by which the attacker can trick an authenticated user into unknowingly executing actions on your website. HttpClient
supports a common mechanism used to prevent XSRF attacks. When performing HTTP requests, an interceptor reads a token from a cookie, by default XSRF-TOKEN
, and sets it as an HTTP header, X-XSRF-TOKEN
. Since only code that runs on your domain could read the cookie, the backend can be certain that the HTTP request came from your client application and not an attacker.
跨站请求伪造 (XSRF)是一个攻击技术,它能让攻击者假冒一个已认证的用户在你的网站上执行未知的操作。HttpClient
支持一种通用的机制来防范 XSRF 攻击。当执行 HTTP 请求时,一个拦截器会从cookie中读取 XSRF 令牌(默认名字为XSRF-TOKEN
),并且把它设置为一个 HTTP 头 X-XSRF-TOKEN
,由于只有运行在我们自己的域名下的代码才能读取这个 cookie,因此后端可以确认这个 HTTP 请求真的来自我们的客户端应用,而不是攻击者。
By default, an interceptor sends this cookie on all mutating requests (POST, etc.) to relative URLs but not on GET/HEAD requests or on requests with an absolute URL.
默认情况下,拦截器会在所有的修改型请求中(比如POST等)把这个 cookie 发送给使用相对URL的请求。但不会在 GET/HEAD 请求中发送,也不会发送给使用绝对 URL 的请求。
To take advantage of this, your server needs to set a token in a JavaScript readable session cookie called XSRF-TOKEN
on either the page load or the first GET request. On subsequent requests the server can verify that the cookie matches the X-XSRF-TOKEN
HTTP header, and therefore be sure that only code running on your domain could have sent the request. The token must be unique for each user and must be verifiable by the server; this prevents the client from making up its own tokens. Set the token to a digest of your site's authentication
cookie with a salt for added security.
要获得这种优点,我们的服务器需要在页面加载或首个 GET 请求中把一个名叫XSRF-TOKEN
的令牌写入可被 JavaScript 读到的会话 cookie 中。
而在后续的请求中,服务器可以验证这个 cookie 是否与 HTTP 头 X-XSRF-TOKEN
的值一致,以确保只有运行在我们自己域名下的代码才能发起这个请求。这个令牌必须对每个用户都是唯一的,并且必须能被服务器验证,因此不能由客户端自己生成令牌。把这个令牌设置为你的站点认证信息并且加了盐(salt)的摘要,以提升安全性。
In order to prevent collisions in environments where multiple Angular apps share the same domain or subdomain, give each application a unique cookie name.
为了防止多个 Angular 应用共享同一个域名或子域时出现冲突,要给每个应用分配一个唯一的 cookie 名称。
注意,HttpClient
支持的只是 XSRF 防护方案的客户端这一半。 我们的后端服务必须配置为给页面设置 cookie ,并且要验证请求头,以确保全都是合法的请求。否则,Angular 默认的这种防护措施就会失效。
Configuring custom cookie/header names
配置自定义 cookie/header 名称
If your backend service uses different names for the XSRF token cookie or header,
use HttpClientXsrfModule.withOptions()
to override the defaults.
如果我们的后端服务中对 XSRF 令牌的 cookie 或 头使用了不一样的名字,就要使用 HttpClientXsrfModule.withConfig()
来覆盖掉默认值。
Testing HTTP requests
测试 HTTP 请求
Like any external dependency, the HTTP backend needs to be mocked
so your tests can simulate interaction with a remote server.
The @angular/common/http/testing
library makes
setting up such mocking straightforward.
如同所有的外部依赖一样,HTTP 后端也需要在良好的测试实践中被 Mock 掉。@angular/common/http
提供了一个测试库 @angular/common/http/testing
,它让我们可以直截了当的进行这种 Mock 。
Mocking philosophy
Mock 方法论
Angular's HTTP testing library is designed for a pattern of testing wherein the the app executes code and makes requests first.
Then a test expects that certain requests have or have not been made, performs assertions against those requests, and finally provide responses by "flushing" each expected request.
At the end, tests may verify that the app has made no unexpected requests.
You can run these sample tests in a live coding environment.
The tests described in this guide are in src/testing/http-client.spec.ts
.
There are also tests of an application data service that call HttpClient
in
src/app/heroes/heroes.service.spec.ts
.
Angular 的 HTTP 测试库是为这种模式的测试而设计的:应用执行代码并首先发起请求,之后,测试代码会期待(expect)特定的请求发起过或没发起,然后对那些请求进行断言,最终,通过刷新(flushing)每个被期待的请求来提供响应,此后还可能会触发更多新的请求。最后,测试代码还可以根据需要去验证应用不曾发起过预期之外的请求。
Setup
初始设置
To begin testing calls to HttpClient
,
import the HttpClientTestingModule
and the mocking controller, HttpTestingController
,
along with the other symbols your tests require.
要开始测试那些通过HttpClient
发起的请求,就要导入HttpClientTestingModule
模块,并把它加到你的TestBed
设置里去,代码如下:
Then add the HttpClientTestingModule
to the TestBed
and continue with
the setup of the service-under-test.
Now requests made in the course of your tests will hit the testing backend instead of the normal backend.
This setup also calls TestBed.get()
to inject the HttpClient
service and the mocking controller
so they can be referenced during the tests.
Expecting and answering requests
期待并回复请求
Now you can write a test that expects a GET Request to occur and provides a mock response.
The last step, verifying that no requests remain outstanding, is common enough for you to move it into an afterEach()
step:
Custom request expectations
自定义请求的预期
If matching by URL isn't sufficient, it's possible to implement your own matching function. For example, you could look for an outgoing request that has an authorization header:
As with the previous expectOne()
,
the test will fail if 0 or 2+ requests satisfy this predicate.
和前面根据 URL 进行测试时一样,如果零或两个以上的请求匹配上了这个期待,它就会抛出异常。
Handling more than one request
处理一个以上的请求
If you need to respond to duplicate requests in your test, use the match()
API instead of expectOne()
.
It takes the same arguments but returns an array of matching requests.
Once returned, these requests are removed from future matching and
you are responsible for flushing and verifying them.
如果我们需要在测试中对重复的请求进行响应,可以使用match()
API 来代替 expectOne()
,它的参数不变,但会返回一个与这些请求相匹配的数组。一旦返回,这些请求就会从将来要匹配的列表中移除,我们要自己验证和刷新(flush)它。
Testing for errors
You should test the app's defenses against HTTP requests that fail.
Call request.error()
with an ErrorEvent
instead of request.flush()
, as in this example.