In .Net 8 with Client (WebAssembly) , Sever (AspNetCore hosted) and Shared project structure can't validate Antiforgey token
In my Sever Program.cs
builder.Services.AddControllersWithViews(options =>
{
options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});
builder.Services.AddAntiforgery();
app.UseRouting();
app.UseAntiforgery(); // Added this line
app.MapControllers();
///
///
app.Run();
When the client initialized for the first time or make the first API call (GET) to the server the cookies(antiforgery token) is never set why ?
To get around When the app first start I make an API call (GET) that set the cookie manually.
var tokenSet = antiforgery.GetAndStoreTokens(context);
context.Response.Cookies.Append("XSRF-TOKEN", tokenSet.RequestToken!,
new CookieOptions { HttpOnly = false });
Surprisingly, this now set the "XSRF-TOKEN" cookies along with default ".AspNetCore.Antiforgery._F6fq8lpsLA" but when I make a second POST API request(CreateOrUpdateUserAsync) the server always throws Bad Request.
[HttpPost, Route("{userId:Guid}")]
public async Task CreateOrUpdateUserAsync(Guid userId, [FromBody] UserUpdateModel updateModel, CancellationToken cancellationToken)
{
//do some database operation
}
The request header for cookies is set with both "XSRF-TOKEN" and ".AspNetCore.Antiforgery._F6fq8lpsLA"
Looks like the antiforgery is not set up properly. Can I please get some guidance on what I am missing. I am using HTTPS for my localhost.
thanks
The antiforgery token should be set when the app load and on each subsequent call the antiforgey token should automatically be attached in the the request header as cookies. The server should validate it with success if it was generated from the server other throw errors
When the client initialized for the first time or make the first API call (GET) to the server the cookies (antiforgery token) is never set why?
You can use the middleware to generate anti-forgery tokens. You can refer to this document . This way, when the client is initialized for the first time, the cookie (anti-forgery token) can be set.
After testing your code, I reproduced your problem.
My program.cs:
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
builder.Services.AddControllersWithViews(options =>
{
options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
});
builder.Services.AddAntiforgery();
var app = builder.Build();
// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
app.UseExceptionHandler("/Home/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
app.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
app.Run();
My sample controller:
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;
namespace WebApplication107.Controllers
{
public class AntiforgeryController : Controller
{
private readonly IAntiforgery _antiforgery;
public AntiforgeryController(IAntiforgery antiforgery)
{
_antiforgery = antiforgery;
}
[HttpGet]
public IActionResult GetToken()
{
var tokens = _antiforgery.GetAndStoreTokens(HttpContext);
Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken!,
new CookieOptions { HttpOnly = false });
return Ok(new { Message = "Antiforgery token set." });
}
[HttpPost]
public IActionResult PostData( DataModel data)
{
return Ok(new { Message = "Data processed successfully." });
}
}
public class DataModel
{
public string Data { get; set; }
}
}
When I access the get method, the request is not intercepted:
The same situation also occurred to me:
Surprisingly, this now set the "XSRF-TOKEN" cookies along with default ".AspNetCore.Antiforgery._F6fq8lpsLA" but when I make a second POST API request(CreateOrUpdateUserAsync) the server always throws Bad Request
Reason:
Because use the AutoValidateAntiforgeryTokenAttribute attribute, the attribute causes the POST operation to be protected by default, and it does not require a token to make a request using the HTTP GET method. You can refer to the document .
The GetAndStoreTokens method generates an anti-forgery token for the current HTTP context, and the Response.Cookies.Append method is used to add a new Cookie to the HTTP response., "XSRF-TOKEN" is the name of this cookie, so the generated token is added to the cookie. To verify the anti-counterfeiting token, you need to read the token from the cookie when sending the request and include it in the request header, and then configure the ASP.NET Core anti-counterfeiting token service on the server side to verify the request header.
The following is a code example :
Configure the ASP.NET Core anti-counterfeiting token service on the server side to verify the request. Here I set the request header name of the anti-forgery token to TOKEN for verification:
builder.Services.AddAntiforgery(options =>
{
options.HeaderName = "TOKEN";
options.SuppressXFrameOptionsHeader = false;
});
Get the value of XSRF-TOKEN in the get method and add the name and value of the corresponding request header:
I can successfully access the post method
Therefore, it is necessary to check whether the token is read from the cookie and included in the request header when the client sends the request, and configure the ASP.NET Core anti-counterfeiting token service on the server to verify the request header.
- Not much difference between ASP.NET Core sync and async controller actions
- Html number input handling in blazor
- Command dotnet ef not found
- Official documentation for JwtBearer middleware/configuration via appsettings.json?
- There was no runtime pack for Microsoft.AspNetCore.App available for the specified RuntimeIdentifier 'browser-wasm'
- Azure Blob Upload not working in ASP .Net Core Application
- Page has a binding model issue, along with some strange behaviour in the OnPost method
- The constraint reference 'string' could not be resolved to a type. (netcoreapp3.0)
- How to detect how long since a user's payment failed?
- How to model a target class for receiving a JSON HTML response in .NET 5
- BindRequired on DateTime
- How to override ASP.NET Core configuration array settings using environment variables
- How to disable warnings at solution level in .NET projects
- Get Current User in a component
- Frontend not available when front and back on same Web App Azure
- Dependency injection in custom attribute
- Blazor: Reference to child page displayed by RenderFragment Body
- How to predefine subscription prices and trial period?
- EF Core Many to Many Join Table with Extra Properties Not Working
- .net-core middleware return blank result
- Unable to resolve service for type 'System.String' while attempting to activate 'MyService'
- Publishing web api with swagger on IIS
- "Authorize" button not showing in Swagger UI (.NET 9)
- Migrate to .NET 9, Bad request (400) on controllers and API methods
- Add custom JwtBearerHandler to "AddMicrosoftIdentityWebApi" in .net7
- Stripe version 2 API?
- How to get view file content as plain string
- startup exception for aspnet core worker docker container attempting to set secret from env variable in Kubernetes
- Cannot resolve scoped service 'xx.IEnumerable`1[xx.IDbContextOptionsConfiguration`1[xx.ExampleDbContext]]...' after upgrading from .NET 8 to .NET 9
- Any luck in using AddMicrosoftIdentityWebApp in combination with IdentityServer4?