protected override void ApplicationStartup(TinyIoCContainer container, IPipelines pipelines) { // Enable CSRF protection at the pipeline level // to be able to use it in AuthorizationModule.cs Csrf.Enable(pipelines); base.ApplicationStartup(container, pipelines); }
/// <summary> /// Modifies our application startup to enable CSRF, and reparse thrown exceptions into messages and status codes. /// </summary> /// <remarks> /// To use this functionality, within every 'form' block, after all the inputs add '@Html.AntiForgeryToken()'. /// Then, within your POST reception, call 'this.ValidateCsrfToken();, catch the CsrfValidationException, and handle the result appropriately. /// </remarks> protected override void ApplicationStartup(TinyIoCContainer container, IPipelines pipelines) { base.ApplicationStartup(container, pipelines); Csrf.Enable(pipelines); pipelines.BeforeRequest += (ctx) => { NancyContext context = ctx as NancyContext; logger.Info(context.Request.UserHostAddress + ": " + context.Request.Url); if (Global.SystemStats.AddCall(context.Request.UserHostAddress)) { logger.Info($"Throttling a request from {context.Request.UserHostAddress}"); return(this.GenerateJsonException(new ExcessiveQueriesException(), HttpStatusCode.TooManyRequests)); } // Technically this is 7.4% over 1 MiB. I'm not going to be pedantic. int maxIterations = 12; int hundredKiB = 100 * 1024; byte[] hundredK = new byte[hundredKiB]; RequestStream requestStream = context.Request.Body; for (int i = 0; i < maxIterations; i++) { // This unfortunately means we're processing the request stream twice. if (requestStream.Read(hundredK, 0, hundredKiB) != hundredKiB) { // The request is under 1 MiB, so continue processing. Reset the stream so deserializing the JSON works. requestStream.Seek(0, SeekOrigin.Begin); return(null); } } logger.Info($"Request from {context.Request.UserHostAddress} to {context.Request.Url} over 1 MiB"); return(this.GenerateJsonException(new ExcessiveNapackException(), HttpStatusCode.BadRequest)); }; StaticConfiguration.DisableErrorTraces = false; pipelines.OnError += (context, exception) => { HttpStatusCode code = HttpStatusCode.InternalServerError; Exception parsedException = exception as Exception; if (parsedException != null) { if (!exceptionStatusCodeMapping.TryGetValue(parsedException.GetType(), out code)) { code = HttpStatusCode.InternalServerError; } } else { parsedException = new Exception("Unable to decode the detected exception!"); } logger.Warn($"Hit a {parsedException.GetType()} exception: {parsedException.Message}"); return(this.GenerateJsonException(parsedException, code)); }; }
protected override void ApplicationStartup(IKernel container, IPipelines pipelines) { base.ApplicationStartup(container, pipelines); Csrf.Enable(pipelines); pipelines.BeforeRequest.AddItemToStartOfPipeline(FlowPrincipal); pipelines.BeforeRequest.AddItemToStartOfPipeline(SetCulture); }
public Controller(string name, ControllerType controllerType, string definition, Csrf csrfProtection, bool authorise) { if (name == null) throw new ArgumentNullException("name"); if (definition == null) throw new ArgumentNullException("definition"); Name = name; ControllerType = controllerType; Definition = definition; CsrfProtection = csrfProtection; Authorise = authorise; }
protected override void ApplicationStartup(ILifetimeScope container, IPipelines pipelines) { base.ApplicationStartup(container, pipelines); //读数据库 SQLiteHelper.Init(new DirectoryInfo(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "DataBase"))); StaticConfiguration.EnableRequestTracing = true; //显示详细错误信息 StaticConfiguration.DisableErrorTraces = false; //启用AntiToken Csrf.Enable(pipelines); }
protected override void ApplicationStartup(ILifetimeScope container, IPipelines pipelines) { base.ApplicationStartup(container, pipelines); //数据库 // MYSQLHelper.ConnectionString = ConfigurationManager.ConnectionStrings["conn"].ToString(); DataAccessCenter.Load(); //请求跟踪 //StaticConfiguration.EnableRequestTracing = true;暂时不打开,性能消耗很大 //显示详细错误信息 StaticConfiguration.DisableErrorTraces = false; //启用AntiToken Csrf.Enable(pipelines); }
private async Task <bool> ValidateAntiForgeryToken() { try { await Csrf.ValidateRequestAsync(this.Context); return(true); } catch (Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException) { return(false); } }
protected override void ApplicationStartup(TinyIoCContainer container, IPipelines pipelines) { base.ApplicationStartup(container, pipelines); Conventions.StaticContentsConventions.Add(StaticContentConventionBuilder.AddDirectory("Content")); Conventions.ViewLocationConventions.Add((viewName, model, context) => "Content/Views/" + viewName); Csrf.Enable(pipelines); CookieBasedSessions.Enable(pipelines, new CookieBasedSessionsConfiguration() { Serializer = new JsonSessionSerialiser() }); }
public void Should_be_able_to_disable_csrf() { var context = new NancyContext { Request = this.request, Response = this.response }; context.Items[CsrfToken.DEFAULT_CSRF_KEY] = "TestingToken"; Csrf.Disable(this.pipelines); this.pipelines.AfterRequest.Invoke(context); this.response.Cookies.Any(c => c.Name == CsrfToken.DEFAULT_CSRF_KEY).ShouldBeFalse(); }
protected override void RequestStartup(Nancy.TinyIoc.TinyIoCContainer container, Nancy.Bootstrapper.IPipelines pipelines, NancyContext context) { base.RequestStartup(container, pipelines, context); pipelines.AfterRequest.AddItemToEndOfPipeline(ctx => ctx.Response.Headers.Add("X-FRAME-OPTIONS", "DENY")); Csrf.Enable(pipelines); var formsConfig = new FormsAuthenticationConfiguration() { RedirectUrl = "~/autenticar", UserMapper = container.Resolve <IUserMapper>() }; FormsAuthentication.Enable(pipelines, formsConfig); }
public void ValidateCsrfToken_gets_provided_token_from_request_header_if_not_present_in_form_data() { // Given var token = Csrf.GenerateTokenString(); var context = new NancyContext(); var module = new FakeNancyModule { Context = context }; // When context.Request = RequestWithHeader(CsrfToken.DEFAULT_CSRF_KEY, token); context.Request.Cookies.Add(CsrfToken.DEFAULT_CSRF_KEY, token); // Then module.ValidateCsrfToken(); }
public Controller(string name, ControllerType controllerType, string definition, Csrf csrfProtection, bool authorise) { if (name == null) { throw new ArgumentNullException("name"); } if (definition == null) { throw new ArgumentNullException("definition"); } Name = name; ControllerType = controllerType; Definition = definition; CsrfProtection = csrfProtection; Authorise = authorise; }
public CsrfFixture() { this.pipelines = new MockPipelines(); this.cryptographyConfiguration = CryptographyConfiguration.Default; var csrfStartup = new CsrfApplicationStartup( this.cryptographyConfiguration, new DefaultCsrfTokenValidator(this.cryptographyConfiguration)); csrfStartup.Initialize(this.pipelines); Csrf.Enable(this.pipelines); this.request = new FakeRequest("GET", "/"); this.optionsRequest = new FakeRequest("OPTIONS", "/"); this.response = new Response(); }
public void ValidateCsrfToken_gets_provided_token_from_form_data() { // Given var token = Csrf.GenerateTokenString(); var context = new NancyContext { Request = this.request }; var module = new FakeNancyModule { Context = context }; // When context.Request.Form[CsrfToken.DEFAULT_CSRF_KEY] = token; context.Request.Cookies.Add(CsrfToken.DEFAULT_CSRF_KEY, token); // Then module.ValidateCsrfToken(); }
protected override void ApplicationStartup(TinyIoCContainer container, IPipelines pipelines) { base.ApplicationStartup(container, pipelines); // Password hasher using PBKDF2 var saltedHash = new SaltedHash( _configuration.Encryption.SaltLength, _configuration.Encryption.HashLength, _configuration.Encryption.NumberOfIterations); container.Register <ISaltedHash, SaltedHash>(saltedHash); // Disable _Nancy DiagnosticsHook.Disable(pipelines); // Takes care of outputting the CSRF token to Cookies Csrf.Enable(pipelines); // Don't show errors when we are in release StaticConfiguration.DisableErrorTraces = !StaticConfiguration.IsRunningDebug; // Wire up flowing of OWIN user to a Nancy one pipelines.BeforeRequest.AddItemToStartOfPipeline(FlowPrincipal); // TODO: Remove dummy data //var user = new CloudEntity<User> //{ // PartitionKey = "*****@*****.**", // RowKey = "Manual", // Value = new User // { // Email = "*****@*****.**", // DisplayName = "David Cumps", // HashAndSalt = saltedHash.GetHashAndSaltString("admin") // } //}; //var tableClient = container.Resolve<CloudStorageAccount>().CreateCloudTableClient(); //tableClient.RetryPolicy = new NoRetry(); //var t = new TableStorageProvider(tableClient); //t.CreateTable("User"); //t.Insert("User", user); }
protected override void ApplicationStartup(TinyIoCContainer container, IPipelines pipelines) { base.ApplicationStartup(container, pipelines); Csrf.Enable(pipelines); this.Conventions.StaticContentsConventions.Add(StaticContentConventionBuilder.AddDirectory("moo", "Content")); CookieBasedSessions.Enable(pipelines); pipelines.AfterRequest += (ctx) => { var username = ctx.Request.Query.pirate; if (username.HasValue) { ctx.Response = new HereBeAResponseYouScurvyDog(ctx.Response); } }; }
public void Initialize() { var bootstrapper = new ConfigurableBootstrapper((cfg) => { cfg.Module <HomeModule>(); cfg.Dependency <IUserMapper>(new UsuarioMapper()); cfg.CsrfTokenValidator(new FakeCsrfTokenValidator()); cfg.ApplicationStartup((container, pipelines) => { Csrf.Enable(pipelines); var formsConfig = new FormsAuthenticationConfiguration() { RedirectUrl = "~/autenticar", UserMapper = container.Resolve <IUserMapper>() }; FormsAuthentication.Enable(pipelines, formsConfig); }); }); browser = new Browser(bootstrapper); }
public void Initialize(IPipelines pipelines) => Csrf.Enable(pipelines);
protected override void ApplicationStartup(Nancy.TinyIoc.TinyIoCContainer container, IPipelines pipelines) { base.ApplicationStartup(container, pipelines); Csrf.Disable(pipelines); }
public static string GetOrganName(Gdxj xj, GetOrganDictClass godc) { string result = string.Empty; try { AjaxCommand.Send.ContextCommandParams ccp = new AjaxCommand.Send.ContextCommandParams() { @params = godc }; string json = JsonConvert.SerializeObject(ccp, Formatting.Indented); string html = RequestHelper.GetByPostJsonWithCsrf(setting.url.QueryOrganDicUrl, json, ref xj.GdxjCookie.cookie, Csrf.GetCsrfToken(), setting.url.QueryGradeRefererUrl); ReceiveOrganNameClass receiveData = JsonConvert.DeserializeObject <ReceiveOrganNameClass>(html); if (receiveData.map != null) { result = receiveData.map.text; } } catch (Exception e) { throw (e); } return(result); }
private static ReceiveSchoolInfoClass GetSchoolInfo(Gdxj xj, string schoolID) { ReceiveSchoolInfoClass result = new ReceiveSchoolInfoClass(); GetSchoolInfoClass gsic = new GetSchoolInfoClass(schoolID); try { AjaxCommand.Send.ContextCommandParams ccp = new AjaxCommand.Send.ContextCommandParams() { @params = gsic }; string json = JsonConvert.SerializeObject(ccp, Formatting.Indented); string html = RequestHelper.GetByPostJsonWithCsrf(setting.url.QuerySchoolInfoUrl, json, ref xj.GdxjCookie.cookie, Csrf.GetCsrfToken(), setting.url.QueryGradeRefererUrl); result = JsonConvert.DeserializeObject <ReceiveSchoolInfoClass>(html); } catch (Exception e) { throw (e); } return(result); }
protected override void ApplicationStartup(ILifetimeScope container, IPipelines pipelines) { Csrf.Enable(pipelines); FruitOfTheDay.Enable(pipelines); CookieBasedSessions.Enable(pipelines); }
private static Dictionary <string, string> GetData(Gdxj xj, SendDataClass gdc) { Dictionary <string, string> result = new Dictionary <string, string>(); string url = (gdc.GetType() == typeof(GetGeneralDictClass)) ? setting.url.QueryGeneralDicUrl : setting.url.QueryForDicUrl; try { AjaxCommand.Send.ContextCommandParams ccp = new AjaxCommand.Send.ContextCommandParams() { @params = gdc }; string json = JsonConvert.SerializeObject(ccp, Formatting.Indented); string html = RequestHelper.GetByPostJsonWithCsrf(url, json, ref xj.GdxjCookie.cookie, Csrf.GetCsrfToken(), setting.url.QueryGradeRefererUrl); ReceiveDictDataClass receiveStudentData = JsonConvert.DeserializeObject <ReceiveDictDataClass>(html); receiveStudentData.rows.ForEach(r => { result.Add(r.value, r.text); }); } catch (Exception e) { throw (e); } return(result); }
protected override void ApplicationStartup(global::Nancy.TinyIoc.TinyIoCContainer container, IPipelines pipelines) { Csrf.Disable(pipelines); }
protected override void ApplicationStartup(TinyIoCContainer container, IPipelines pipelines) { container.Register <IDatabaseManager, DBStateResolver>().AsSingleton(); #if !DEBUG DiagnosticsHook.Disable(pipelines); #else StaticConfiguration.EnableRequestTracing = true; #endif redisServer = new RedisServer(LogError, LogDebug, (new RedisConfig()).Address); container.Register <RedisServer>(redisServer); var serviceId = redisServer.GenerateUniqueId().Result; container.Register <IServerConfigService, WebServerConfigService>(new WebServerConfigService(redisServer, serviceId)); sessionService = container.Resolve <SessionService>(); // CSRF that uses Redis for shared token generation. Tokens currently don't expire. Csrf.Enable(pipelines, new CryptographyConfiguration( new RijndaelEncryptionProvider(new RedisBasedKeyGenerator(redisServer)), new DefaultHmacProvider(new RedisBasedKeyGenerator(redisServer))) ); pipelines.BeforeRequest.AddItemToEndOfPipeline(ctx => { var origin = ctx.Request.Headers["Origin"].FirstOrDefault(); if (origin == null) { return(null); } var matches = corsDomains.FirstOrDefault( allowed => Regex.IsMatch(origin, "^" + allowed + "$", RegexOptions.IgnoreCase)); // No matches, so let's abort. if (matches == null) { var responseJson = (Response)"CORS not allowed."; responseJson.ContentType = "application/json"; responseJson.StatusCode = HttpStatusCode.BadRequest; return(responseJson); } return(null); }); pipelines.AfterRequest.AddItemToEndOfPipeline(ctx => { var origin = ctx.Request.Headers["Origin"].FirstOrDefault(); if (origin == null) { return; } ctx.Response.Headers.Add("Access-Control-Allow-Origin", origin); ctx.Response.Headers.Add("Access-Control-Allow-Methods", "POST,GET,DELETE,PUT,OPTIONS"); ctx.Response.Headers.Add("Access-Control-Allow-Credentials", "true"); ctx.Response.Headers.Add("Access-Control-Allow-Headers", "Accept,Origin,Content-type"); ctx.Response.Headers.Add("Access-Control-Expose-Headers", "Accept,Origin,Content-type"); }); pipelines.BeforeRequest.AddItemToEndOfPipeline(ProcessSessionAuth); pipelines.OnError += (ctx, ex) => { throw ex; }; }
public IWire EnableCsrf(IPipelines pipelines) { NancyStackWiring.ConfigurationOptions.CsrfEnabled = true; Csrf.Enable(pipelines); return(this); }