I want to disable CSRF checks when I'm running under the TestServer so I don't have to read and send the token when running automated tests.
Due to the abundance of "helpful magic" creeping into ASP.NET Core I am stuck.
There's nothing in the template code that obviously adds this, and yet looking at the filters in the debugger during this services.AddMvc(options => options.Filters) call shows no global filter.
This code also does not work.
mvcOptions.Filters.Add<IgnoreAntiforgeryTokenAttribute>(0);
And the Antiforgery.Options does not have a disable option.
How can I do this?
Try this:
services.AddMvc().AddRazorPagesOptions(o =>
{
o.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());
});
You can also ignore it at the PageModel:
[IgnoreAntiforgeryToken(Order = 1001)]
public class IndexModel : PageModel
Regarding the the Order parameter: The built in [ValidateAntiforgeryToken] decorator has an order of 1000, therefore setting [IgnoreAntiforgeryToken] to 1001 will override it.