public override void OnActionExecuted([NotNull] ActionExecutedContext context) { IAntiforgery antiForgery = context.HttpContext.RequestServices.GetService<IAntiforgery>(); // We can send the request token as a JavaScript-readable cookie, // and Angular will use it by default. AntiforgeryTokenSet tokens = antiForgery?.GetAndStoreTokens(context.HttpContext); if (tokens?.RequestToken == null) return; context.HttpContext.Response.Cookies.Append(essentialMix.Web.CookieNames.AntiForgeryToken, tokens.RequestToken, new CookieOptions { HttpOnly = false }); }
// /// <summary> /// This method gets called by the runtime. Use this method to configure the HTTP request pipeline. /// configures the app to provide XSRF-TOKEN /// Read More : [https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery] /// </summary> /// <param name="app"></param> /// <param name="antiforgery"></param> /// <param name="env"></param> public void Configure(IApplicationBuilder app, IAntiforgery antiforgery, IHostingEnvironment env) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); app.UseWebpackDevMiddleware(new WebpackDevMiddlewareOptions { HotModuleReplacement = true }); } else { app.UseExceptionHandler("/Home/Error"); } // Configure your app to provide a token in a cookie called XSRF-TOKEN app.Use(next => _context => { string path = _context.Request.Path.Value; if ( path.Contains("/api") ) { // We can send the request token as a JavaScript-readable cookie, // and Angular will use it by default. var tokens = antiforgery.GetAndStoreTokens(_context); _context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { HttpOnly = false }); } return(next(_context)); }); app.UseStaticFiles(); app.UseMvc(routes => { routes.MapRoute( name: "default", template: "{controller=Home}/{action=Index}/{id?}"); routes.MapSpaFallbackRoute( name: "spa-fallback", defaults: new { controller = "Home", action = "Index" }); }); }
public void Configure(IApplicationBuilder app, IAntiforgery antiforgery, TodoRepository repository) { app.Use(next => context => { if ( string.Equals(context.Request.Path.Value, "/", StringComparison.OrdinalIgnoreCase) || string.Equals(context.Request.Path.Value, "/index.html", StringComparison.OrdinalIgnoreCase)) { // We can send the request token as a JavaScript-readable cookie, and Angular will use it by default. var tokens = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { HttpOnly = false }); } return(next(context)); }); app.UseDefaultFiles(); app.UseStaticFiles(); app.Map("/api/items", a => a.Run(async context => { if (string.Equals("GET", context.Request.Method, StringComparison.OrdinalIgnoreCase)) { var items = repository.GetItems(); await context.Response.WriteAsync(JsonConvert.SerializeObject(items)); } else if (string.Equals("POST", context.Request.Method, StringComparison.OrdinalIgnoreCase)) { // This will throw if the token is invalid. await antiforgery.ValidateRequestAsync(context); var serializer = new JsonSerializer(); using (var reader = new JsonTextReader(new StreamReader(context.Request.Body))) { var item = serializer.Deserialize <TodoItem>(reader); repository.Add(item); } context.Response.StatusCode = (int)HttpStatusCode.NoContent; } })); }
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline. public void Configure(IApplicationBuilder app, IHostingEnvironment env, IAntiforgery antiforgery) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); //app.UseBrowserLink(); } else { app.UseExceptionHandler("/Error"); } app.UseStaticFiles(); app.UseIdentityServer(); JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); // Preceding code ommitted. app.UseCors(builder => builder .AllowAnyOrigin() .AllowAnyMethod() .AllowAnyHeader() .AllowCredentials()); app.Use(next => context => { string path = context.Request.Path.Value; // The request token can be sent as a JavaScript-readable cookie, // and Angular uses it by default. var tokens = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { HttpOnly = false }); return(next(context)); }); app.UseMvc(routes => { routes.MapRoute( name: "default", template: "{controller=Home}/{action=Index}/{id?}"); }); }
public Task Invoke(HttpContext httpContext) { if (httpContext.Request.Path.HasValue) { var token = _antiForgeryService.GetAndStoreTokens(httpContext); httpContext.Response.Cookies.Append( "cac-id", token.RequestToken, new CookieOptions { HttpOnly = false, Secure = false, SameSite = SameSiteMode.Strict }); } return(_next(httpContext)); }
public static IHtmlContent GetHtml(this IAntiforgery antiforgery, HttpContext httpContext) { if (antiforgery == null) { throw new ArgumentNullException(nameof(antiforgery)); } if (httpContext == null) { throw new ArgumentNullException(nameof(httpContext)); } var tokenSet = antiforgery.GetAndStoreTokens(httpContext); return(new InputContent(tokenSet)); }
public override void OnResultExecuting(ResultExecutingContext context) { base.OnResultExecuting(context); if (!context.Cancel) { var tokens = antiforgery.GetAndStoreTokens(context.HttpContext); context.HttpContext.Response.Cookies.Append( CookieName, tokens.RequestToken, new CookieOptions { HttpOnly = false }); } }
public async Task <bool> Post() { await m_signInManager.SignOutAsync(); //We must update the anti-forgery token as the token is bound to the logged in user //https://github.com/aspnet/Antiforgery/issues/93 //Remove the user as we are logging off m_httpContextAccessor.HttpContext.User = null; //Now generate a new token var tokens = m_antiforgery.GetAndStoreTokens(m_httpContextAccessor.HttpContext); m_httpContextAccessor.HttpContext.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken); return(true); }
public static void AddAntiforgeryCookies(this IAntiforgery antiforgery, HttpContext context) { AntiforgeryTokenSet tokenSet = antiforgery.GetAndStoreTokens(context); context. Response. Cookies. Append( "XSRF-TOKEN", tokenSet.RequestToken, new CookieOptions() { // Allows client side scripts to access cookie HttpOnly = false }); }
public async Task <JsonResult> GetAuthSession() { return(await _apiResponseHelper.RunWithResultAsync(async() => { var member = await _domainRepository.ExecuteQueryAsync(new GetCurrentMemberSummaryQuery()); var token = _antiforgery.GetAndStoreTokens(HttpContext); var sessionInfo = new { Member = member, AntiForgeryToken = token.RequestToken }; return sessionInfo; })); }
public void Configure(IApplicationBuilder app, IHostingEnvironment env, DataContext context, IdentityDataContext identityContext, UserManager <IdentityUser> userManager, RoleManager <IdentityRole> roleManager, IAntiforgery antiforgery) { //app.UseDeveloperExceptionPage(); //app.UseWebpackDevMiddleware(new WebpackDevMiddlewareOptions { // HotModuleReplacement = true //}); app.UseStaticFiles(); app.UseSession(); app.UseAuthentication(); app.Use(nextDelegate => requestContext => { if (requestContext.Request.Path.StartsWithSegments("/api") || requestContext.Request.Path.StartsWithSegments("/")) { requestContext.Response.Cookies.Append("XSRF-TOKEN", antiforgery.GetAndStoreTokens(requestContext).RequestToken); } return(nextDelegate(requestContext)); }); app.UseMvc(routes => { routes.MapRoute( name: "default", template: "{controller=Home}/{action=Index}/{id?}"); routes.MapSpaFallbackRoute("angular-fallback", new { controller = "Home", action = "Index" }); }); if ((Configuration["INITDB"] ?? "false") == "true") { System.Console.WriteLine("Preparing Database..."); context.Database.Migrate(); SeedData.SeedDatabase(context); identityContext.Database.Migrate(); IdentitySeedData.SeedDatabase(identityContext, userManager, roleManager).GetAwaiter().GetResult(); System.Console.WriteLine("Database Preparation Complete"); System.Environment.Exit(0); } }
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline. public void Configure(IApplicationBuilder app, IHostingEnvironment env, IAntiforgery antiforgery) { if (env.IsDevelopment()) { app.UseBrowserLink(); app.UseDeveloperExceptionPage(); //app.UseWebpackDevMiddleware(new WebpackDevMiddlewareOptions //{ // HotModuleReplacement = true //}); } else { app.UseExceptionHandler("/Home/Error"); } app.UseMyMiddleware(); //app.UseHttpsRedirection(); app.UseStaticFiles(); app.UseForwardedHeaders(new ForwardedHeadersOptions { ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto }); //add authentication app.UseAuthentication(); app.Use(async(context, next) => { // XSRF-TOKEN used by angular in the $http if provided var tokens = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken); await next(); }); app.UseMvc(routes => { routes.MapRoute( name: "default", template: "{controller=Home}/{action=IndexPage}/{id?}"); //template: "{controller=Home}/{action=Index}/{id?}"); routes.MapSpaFallbackRoute( name: "spa-fallback", defaults: new { controller = "Home", action = "IndexPage" }); }); }
public void OnGet() { AntiForgeryToken = _antiforgery.GetAndStoreTokens(HttpContext).RequestToken; if (_configuration.GetSection("Runtime").Exists()) { Runtime = _configuration.GetSection("Runtime").Value; } if (Runtime != "WebAssembly" && _configuration.GetSection("RenderMode").Exists()) { RenderMode = (RenderMode)Enum.Parse(typeof(RenderMode), _configuration.GetSection("RenderMode").Value, true); } var assemblies = AppDomain.CurrentDomain.GetOqtaneAssemblies(); foreach (Assembly assembly in assemblies) { ProcessHostResources(assembly); ProcessModuleControls(assembly); ProcessThemeControls(assembly); } // if framework is installed if (!string.IsNullOrEmpty(_configuration.GetConnectionString("DefaultConnection"))) { var alias = _tenantManager.GetAlias(); if (alias != null) { // if culture not specified if (HttpContext.Request.Cookies[CookieRequestCultureProvider.DefaultCookieName] == null) { // set default language for site if the culture is not supported var languages = _languages.GetLanguages(alias.SiteId); if (languages.Any() && languages.All(l => l.Code != CultureInfo.CurrentUICulture.Name)) { var defaultLanguage = languages.Where(l => l.IsDefault).SingleOrDefault() ?? languages.First(); SetLocalizationCookie(defaultLanguage.Code); } else { SetLocalizationCookie(_localizationManager.GetDefaultCulture()); } } } } }
public async Task Invoke(HttpContext context, IAntiforgery antiforgery) { if (httpVerbs.Contains(context.Request.Method, StringComparer.OrdinalIgnoreCase)) { if (context.User.Identity.IsAuthenticated) { var tokens = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append(requestTokenCookieName, tokens.RequestToken, new CookieOptions() { HttpOnly = false }); } } await next.Invoke(context); }
public IActionResult GetAntiForgeryToken() { var tokens = _antiForgery.GetAndStoreTokens(HttpContext); Response.Cookies.Append("XSRF-REQUEST-TOKEN", tokens.RequestToken, new Microsoft.AspNetCore.Http.CookieOptions { HttpOnly = false, Secure = true }); return(NoContent()); //return Ok(new //{ // token = tokens.RequestToken, // tokenName = tokens.HeaderName //}, InfoMessages.CommonInfoMessage); }
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline. public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IAntiforgery antiforgery) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); } app.UseStaticFiles(); if (!env.IsDevelopment()) { app.UseSpaStaticFiles(); } app.Use((context, next) => { // return current accessed path string path = context.Request.Path.Value; if (path.IndexOf("/api/", StringComparison.OrdinalIgnoreCase) != -1) { var tokens = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { HttpOnly = false }); } return(next()); }); app.UseRouting(); app.UseEndpoints(endpoints => { endpoints.MapDefaultControllerRoute(); }); app.UseSpa(spa => { spa.Options.SourcePath = "ClientApp"; if (env.IsDevelopment()) { spa.UseAngularCliServer(npmScript: "start"); } }); }
public async void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IAntiforgery antiforgery) { loggerFactory.AddConsole(Configuration.GetSection("Logging")); loggerFactory.AddDebug(); // app.UseDeveloperExceptionPage(); // app.UseWebpackDevMiddleware(new WebpackDevMiddlewareOptions { // HotModuleReplacement = true // }); app.UseStaticFiles(); app.UseSession(); app.UseIdentity(); app.Use(nextDelegate => context => { if (context.Request.Path.StartsWithSegments("/api") || context.Request.Path.StartsWithSegments("/")) { context.Response.Cookies.Append("XSRF-TOKEN", antiforgery.GetAndStoreTokens(context).RequestToken); } return(nextDelegate(context)); }); app.UseMvc(routes => { routes.MapRoute( name: "default", template: "{controller=Home}/{action=Index}/{id?}"); routes.MapSpaFallbackRoute("angular-fallback", new { controller = "Home", action = "Index" }); }); if ((Configuration["INITDB"] ?? "false") == "true") { System.Console.WriteLine("Preparing Database..."); SeedData.SeedDatabase(app.ApplicationServices .GetRequiredService <DataContext>()); await IdentitySeedData.SeedDatabase(app); System.Console.WriteLine("Database Preparation Complete"); System.Environment.Exit(0); } }
/// <summary> /// Adds an antiforgery cookie to the response. /// </summary> /// <param name="app">Application builder instance.</param> /// <param name="antiforgery">Antiforgery service.</param> /// <param name="cookieName">Name of the cookie where the token will be added.</param> public static void UseAntiforgeryCookieMiddleware(this IApplicationBuilder app, IAntiforgery antiforgery, string cookieName = "XSRF-TOKEN") { app.Use(async(context, next) => { var tokens = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append(cookieName, tokens.RequestToken, new CookieOptions() { HttpOnly = false }); await next(); }); }
public async Task InvokeAsync(HttpContext context) { string path = context.Request.Path.Value; if (string.Equals(path, "/admin-board", StringComparison.OrdinalIgnoreCase)) { // The request token can be sent as a JavaScript-readable cookie, // and Angular uses it by default. // angular 会自动将 cookie 中 XSRF-TOKEN 的防伪内容在请求时自动加在 X-XSRF-TOKEN 请求头上 // 服务器接受到请求时会进行防伪检查,在 LOPController 的特性 [AutoValidateAntiforgeryToken] 中指定 // 若不需要进行防伪检查,可在不需要检查的控制器上添加特性 [IgnoreAntiforgeryToken] var tokens = _antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken); } await _next(context); }
/// <summary> /// The request token can be sent as a JavaScript-readable cookie, /// </summary> /// <param name="httpContext">current context</param> public void SetAntiForgeryCookie(HttpContext httpContext) { if (httpContext == null) { return; } var tokens = _antiForgery.GetAndStoreTokens(httpContext); httpContext.Response.Cookies.Append( "X-XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { HttpOnly = false, // need to be false, is needed by the javascript front-end SameSite = SameSiteMode.Lax, Secure = httpContext.Request.IsHttps }); }
protected override object Handle(Query request) { try { var tokens = _antiforgery.GetAndStoreTokens(request.HttpContext); return(new { token = tokens.RequestToken, tokenName = tokens.HeaderName }); } catch (Exception e) { Console.WriteLine(e); throw; } }
/// <summary> /// Invokes the specified context. /// </summary> /// <param name="context">The context.</param> /// <returns></returns> public async Task Invoke(HttpContext context) { var tokens = _antiAntiforgery.GetAndStoreTokens(context); var antiForgeryCookieOption = new CookieOptions { HttpOnly = false, SameSite = SameSiteMode.None }; if (_securityConfiguration.CookieDomain != null) { antiForgeryCookieOption.Domain = _securityConfiguration.CookieDomain; } context.Response.Cookies.Append(AntiForgeryRequestToken, tokens.RequestToken, antiForgeryCookieOption); await _next(context); }
public async Task <IActionResult> Authenticate([FromBody] LoginViewModel loginViewModel) { var user = await _usersService.Authenticate(loginViewModel); if (user == null) { return(BadRequest(new { message = "Username or password is incorrect" })); } HttpContext.User = await _applicationSignInManager.CreateUserPrincipalAsync(user); var tokens = _antiforgery.GetAndStoreTokens(HttpContext); Response.Headers.Add("Access-Control-Expose-Headers", "XSRF-REQUEST-TOKEN"); Response.Headers.Add("XSRF-REQUEST-TOKEN", tokens.RequestToken); return(Ok(user)); }
public ActionResult <AuthInfoModel> GetInfo() { var tokens = _antiForgery.GetAndStoreTokens(HttpContext); HttpContext.Response.Cookies.Append( "XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { HttpOnly = false }); //allow JS to grab the cookie to put it in the request header return(new AuthInfoModel { Name = User.FindFirst("name").Value }); }
public override void OnResultExecuting(ResultExecutingContext context) { var statusCodeReExecuteFeature = context.HttpContext.Features.Get <IStatusCodeReExecuteFeature>(); //Reissue antiforgery cookies for follow cases: //- when is requested only an ASP.NET View. Since set cookies for each requests such Assets or file resources can leads to stop working the output cache middleware for that controllers //- when there are no errors or inner status codes ReExecute occurs (404, 500 etc) (IStatusCodeReExecuteFeature is presents). Since this can leads for reissue an antiforgery cookies .AspNetCore.Antiforgery without AspNetCore.Identity.Application //that can leads for 400 errors for antiforgery validation due to different User and passed antiforgery tokens from cookies and request headers or form field if (context.Result is ViewResult viewResult && statusCodeReExecuteFeature == null) { var tokens = antiforgery.GetAndStoreTokens(context.HttpContext); context.HttpContext.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { HttpOnly = false, IsEssential = true }); } }
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IAntiforgery antiforgery) { loggerFactory.AddConsole(Configuration.GetSection("Logging")); loggerFactory.AddDebug(); app.UseApplicationInsightsRequestTelemetry(); app.UseApplicationInsightsExceptionTelemetry(); app.UseCors("AllowFromAll"); // Add proper support for XSRF token (cookies) app.Use(next => context => { if (context.Request.Path.Value.StartsWith("/api", StringComparison.OrdinalIgnoreCase)) { var tokens = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { HttpOnly = false }); } return(next(context)); }); app.UseDefaultFiles(); //app.UseStaticFiles(); app.UseMvc(); app.UseSwaggerGen(); app.UseSwaggerUi(); if (env.IsDevelopment()) { // Ensure default data is available during development. using (var serviceScope = app.ApplicationServices.GetRequiredService <IServiceScopeFactory>().CreateScope()) { serviceScope.ServiceProvider.GetService <AwesomeContext>().EnsureSeedData(); } } }
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline. public void Configure(IApplicationBuilder app, IHostingEnvironment env, IAntiforgery antiforgery) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); } else { app.UseExceptionHandler("/Home/Error"); app.UseHsts(); } //add antiforgery token to cookies app.Use(next => context => { if ( string.Equals(context.Request.Path.Value, "/", StringComparison.OrdinalIgnoreCase) || string.Equals(context.Request.Path.Value, "/index", StringComparison.OrdinalIgnoreCase)) { var token = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("X-XSRF-TOKEN", token.RequestToken, new CookieOptions { HttpOnly = false }); } return(next(context)); }); app.UseHttpsRedirection(); app.UseStaticFiles(); app.UseAuthentication();//add authentication module app.UseCookiePolicy(); app.UseSession(); app.UseMvc(routes => { routes.MapRoute( name: "default", template: "{controller=Home}/{action=Index}/{id?}"); }); }
public Task Invoke(HttpContext context) { var path = context.Request.Path.Value; if (path != null && !path.StartsWith("/api/", StringComparison.OrdinalIgnoreCase)) { var tokens = _antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append( key: "XSRF-TOKEN", value: tokens.RequestToken, options: new CookieOptions { HttpOnly = false // Now JavaScript is able to read the cookie }); } return(_next(context)); }
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline. public void Configure( IApplicationBuilder app, IWebHostEnvironment env, IAntiforgery antiforgery, IServiceProvider services) { dataStartup.Configure(app, env); identityStartup.Configure(app, env, services); apiStartup.Configure(app, env); app.UseForwardedHeaders(new ForwardedHeadersOptions { ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto }); app.UseAuthentication(); app.Use(next => context => { string path = context.Request.Path.Value; if (path.ToLower().Contains("/account")) { // if ( // string.Equals(path, "/", StringComparison.OrdinalIgnoreCase) || // string.Equals(path, "/index.html", StringComparison.OrdinalIgnoreCase)) { // The request token can be sent as a JavaScript-readable cookie, // and Angular uses it by default. var tokens = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { HttpOnly = false }); } return(next(context)); } ); app.UseHttpsRedirection(); // app.UseMiddleware<AntiForgeryMiddleware>("XSRF-TOKEN"); app.UseJwtTokenMiddleware(); app.UseCookiePolicy(); app.UseGraphiQl(); }
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline. public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IAntiforgery antiforgery) { app.UseResponseCompression(); if (env.IsDevelopment()) { //app.UseBrowserLink(); app.UseDeveloperExceptionPage(); //app.UseDatabaseErrorPage(); } else { app.UseExceptionHandler("/Home/Error"); // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts. app.UseHsts(); } app.UseHttpsRedirection(); app.UseStaticFiles(); app.UseAuthentication(); app.Use(next => context => { if (context.Request.Method == "GET") { var tokens = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions { HttpOnly = false }); } return(next(context)); }); app.UseMvc(routes => { routes.MapRoute(name: "default", template: "{controller}/{action}/{id?}"); }); app.UseCookiePolicy(); app.UseBlazor <BlazorApplication1.Client.Startup>(); }
public void Configure(IApplicationBuilder app, IAntiforgery antiforgery, IOptions<AntiforgeryOptions> options, TodoRepository repository) { app.Use(next => context => { if ( string.Equals(context.Request.Path.Value, "/", StringComparison.OrdinalIgnoreCase) || string.Equals(context.Request.Path.Value, "/index.html", StringComparison.OrdinalIgnoreCase)) { // We can send the request token as a JavaScript-readable cookie, and Angular will use it by default. var tokens = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { HttpOnly = false }); } return next(context); }); app.UseDefaultFiles(); app.UseStaticFiles(); app.Map("/api/items", a => a.Run(async context => { if (string.Equals("GET", context.Request.Method, StringComparison.OrdinalIgnoreCase)) { var items = repository.GetItems(); await context.Response.WriteAsync(JsonConvert.SerializeObject(items)); } else if (string.Equals("POST", context.Request.Method, StringComparison.OrdinalIgnoreCase)) { // This will throw if the token is invalid. await antiforgery.ValidateRequestAsync(context); var serializer = new JsonSerializer(); using (var reader = new JsonTextReader(new StreamReader(context.Request.Body))) { var item = serializer.Deserialize<TodoItem>(reader); repository.Add(item); } context.Response.StatusCode = 204; } })); }