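        public async Task <IActionResult> Login([FromServices] IAntiforgery antiforgery, string name, string password, string returnUrl)
        {
            // NOTE(review): `name` and `password` are never inspected — every caller is signed in with the
            // hard-coded claim below. This is demo code; real credential validation must be added before use.
            // The scheme has to be passed to ClaimsIdentity, otherwise IsAuthenticated stays false.
            var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
            identity.AddClaim(new Claim("Name", "小王"));
            var principal = new ClaimsPrincipal(identity);
            await this.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);

            // Antiforgery tokens are bound to HttpContext.User. SignInAsync only writes the auth cookie and does
            // not update HttpContext.User for the rest of this request, so a token minted before this point
            // belongs to the anonymous user and is rejected on the authenticated requests that follow.
            // Apply the principal first, then mint. GetAndStoreTokens (not GetTokens) also persists the cookie
            // half under the configured antiforgery cookie name when the request did not already carry one.
            HttpContext.User = principal;
            var requestToken = antiforgery.GetAndStoreTokens(HttpContext).RequestToken;
            HttpContext.Response.Cookies.Append("CSRF-TOKEN", requestToken, new Microsoft.AspNetCore.Http.CookieOptions {
                // Deliberately script-readable: the client is expected to copy it into the antiforgery header
                // (confirm against the front-end). Otherwise default options — not Secure, SameSite unset.
                HttpOnly = false
            });

            if (string.IsNullOrEmpty(returnUrl))
            {
                return(Content("登录成功"));
            }

            // Open-redirect guard. `new Uri(returnUrl)` only proved the string was a well-formed *absolute* URL,
            // so "https://evil.example/" was followed while a plain "/home" threw and fell back to "/".
            // Only local paths are followed now; anything else lands on the site root.
            return IsLocalPath(returnUrl) ? Redirect(returnUrl) : Redirect("/");

            // Same rules as IUrlHelper.IsLocalUrl: "/x" or "~/x", but not "//x" (protocol-relative) or "/\x",
            // and no backslashes or control characters anywhere in the string.
            bool IsLocalPath(string url)
            {
                if (string.IsNullOrEmpty(url))
                {
                    return false;
                }
                foreach (var ch in url)
                {
                    if (ch < ' ' || ch == '\\')
                    {
                        return false;
                    }
                }
                if (url[0] == '/')
                {
                    return url.Length == 1 || url[1] != '/';
                }
                return url.Length >= 2 && url[0] == '~' && url[1] == '/' && (url.Length == 2 || url[2] != '/');
            }
        }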
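        public AntiForgeryDataModel GetAntiForgeryData()
        {
            // Start from empty strings so a failure below still yields a well-formed (if unusable) model.
            AntiForgeryDataModel data = new AntiForgeryDataModel
            {
                AntiForgeryHeader = "",
                AntiForgeryToken  = ""
            };

            try
            {
                var tokens = _antiforgery.GetTokens(Request.HttpContext);
                data.AntiForgeryHeader = tokens.HeaderName;
                data.AntiForgeryToken  = tokens.RequestToken;

                // GetTokens only generates; it does not persist the cookie half. CookieToken is non-null only
                // when the request carried no valid antiforgery cookie, so it is stored here.
                // NOTE(review): validation reads the cookie under AntiforgeryOptions.Cookie.Name, so this only
                // works if that option is "CSRF-TOKEN". Otherwise use _antiforgery.GetAndStoreTokens(...),
                // which writes the cookie under the configured name with the configured (HttpOnly) options;
                // Append without options here yields a cookie that is neither HttpOnly nor Secure.
                if (!string.IsNullOrEmpty(tokens.CookieToken))
                {
                    Response.Cookies.Append("CSRF-TOKEN", tokens.CookieToken);
                }

                // Indexer assignment instead of Add(): Add throws ArgumentException when an earlier component
                // already set the header, which was caught below and silently returned an empty model.
                // "no-store" is added because "no-cache" alone still lets caches keep a copy of the token response.
                Response.Headers["Cache-control"]   = "no-cache, no-store";
                Response.Headers["X-Frame-Options"] = "SAMEORIGIN";
                Response.Headers["Pragma"]          = "no-cache";

                return(data);
            }
            catch (Exception ex)
            {
                // Best effort: log and fall through to the empty model rather than failing the caller.
                _logger.LogError(ex, $"{nameof(GetAntiForgeryData)} => FAIL");
            }

            return(data);
        }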
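        public async Task <IActionResult> Login([FromServices] IAntiforgery antiforgery, string name, string password, string returnUrl)
        {
            // NOTE(review): this signs everybody in as the fixed claim below; `name` / `password` are unused.
            // Treat as a demo skeleton — credential checking is still to be written.
            var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme); // scheme is required, or IsAuthenticated is false
            identity.AddClaim(new Claim("Name", "小王"));
            var principal = new ClaimsPrincipal(identity);
            await this.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal);

            // The antiforgery token embeds the identity of HttpContext.User. SignInAsync sets the auth cookie but
            // leaves HttpContext.User as it was (anonymous here), so a token generated earlier in this method
            // would be rejected with a "different claims-based user" error once the user is signed in.
            // Set the principal first; GetAndStoreTokens also writes the cookie half if the request had none.
            HttpContext.User = principal;
            HttpContext.Response.Cookies.Append("CSRF-TOKEN", antiforgery.GetAndStoreTokens(HttpContext).RequestToken, new Microsoft.AspNetCore.Http.CookieOptions {
                HttpOnly = false // script-readable on purpose (client echoes it in the antiforgery header — verify against the front-end)
            });

            if (string.IsNullOrEmpty(returnUrl))
            {
                return(Content("登录成功"));
            }

            // `new Uri(returnUrl)` validated syntax only: any absolute URL — including another host — passed,
            // while relative paths threw and were sent to "/". Restrict the redirect to local paths instead;
            // everything else goes to the site root (same fallback the old catch block used).
            if (!IsSafeLocalRedirect(returnUrl))
            {
                return(Redirect("/"));
            }
            return(Redirect(returnUrl));

            // Local = starts with a single '/' or with "~/", contains no '\' (browsers treat it as '/')
            // and no control characters. Equivalent to IUrlHelper.IsLocalUrl.
            bool IsSafeLocalRedirect(string url)
            {
                if (string.IsNullOrEmpty(url))
                {
                    return false;
                }
                for (var i = 0; i < url.Length; i++)
                {
                    if (url[i] < ' ' || url[i] == '\\')
                    {
                        return false;
                    }
                }
                if (url.StartsWith("~/", StringComparison.Ordinal))
                {
                    return url.Length == 2 || url[2] != '/';
                }
                return url[0] == '/' && (url.Length == 1 || url[1] != '/');
            }
        }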
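        public void OnGet()
        {
            // GetAndStoreTokens rather than GetTokens: plain GetTokens never writes the cookie half, so when the
            // request carried no antiforgery cookie the request token issued below could never validate. The
            // framework stores that cookie under its configured name/options and marks the response no-cache;
            // the token set returned is the same one GetTokens would have produced.
            var token = _antiForgeryService.GetAndStoreTokens(HttpContext).RequestToken;

            // The request token is exposed in a second, script-readable cookie (HttpOnly off on purpose) so a
            // client script can copy it into the antiforgery header. Other options are defaults: not Secure,
            // SameSite unset — consider tightening if the site is HTTPS-only.
            HttpContext.Response.Cookies.Append("XSRF-TOKEN", token, new CookieOptions {
                HttpOnly = false
            });
        }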
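    public IActionResult GetToken()
    {
        // This endpoint exists solely to hand a fresh antiforgery request token to the browser.
        // GetAndStoreTokens is used instead of GetTokens because GetTokens does not persist the cookie half:
        // without an antiforgery cookie already on the request, the request token returned here would fail
        // validation. GetAndStoreTokens writes that cookie (configured name, HttpOnly) and sets no-cache headers.
        var token = _antiForgeryService.GetAndStoreTokens(HttpContext).RequestToken;

        // Script-readable by design — the client reads this cookie and sends the value back in the antiforgery
        // header. Defaults otherwise (not Secure, SameSite unset).
        HttpContext.Response.Cookies.Append("XSRF-TOKEN", token, new CookieOptions {
            HttpOnly = false
        });
        return(new StatusCodeResult(StatusCodes.Status200OK));
    }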
        public IActionResult Index()
        {
            // Anonymous visitors get the bare view. Signed-in users additionally receive a JSON identity
            // summary and an XSRF token (shaped by XsrfToXpt) through ViewData for client-side scripts.
            var isSignedIn = User.Identity.IsAuthenticated;
            if (!isSignedIn)
            {
                return(View());
            }

            var summary = new
            {
                userName = User.Identity.Name,
                userType = User.GetUserRole()
            };
            ViewData["user"] = JsonHelper.Serialize(summary);
            ViewData["xpt"]  = XsrfToXpt(_antiforgery.GetTokens(HttpContext));

            return(View());
        }
        public async Task Invoke(HttpContext context)
        {
            // Gate 1: an optional caller-supplied predicate decides whether this request may fetch the script.
            var allowWhen = _scriptOptions.AllowWhen;
            if (allowWhen != null && !allowWhen(context, _serviceProvider))
            {
                context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                return;
            }

            // Gate 2: a script resource is only served for GET.
            if (HttpMethods.Get != context.Request.Method)
            {
                context.Response.StatusCode = (int)HttpStatusCode.MethodNotAllowed;
                return;
            }

            var tokenSet = _antiforgery.GetTokens(context);

            // GetTokens persists nothing. CookieToken is only non-empty when the request carried no antiforgery
            // cookie; store it under the configured cookie name and options so the request token can validate.
            var cookieToken = tokenSet.CookieToken;
            if (!string.IsNullOrEmpty(cookieToken))
            {
                var cookie = _antiforgeryOptions.Value.Cookie;
                context.Response.Cookies.Append(cookie.Name, cookieToken, cookie.Build(context));
            }

            var response = context.Response;
            response.ContentType = "application/javascript; charset=utf-8";
            response.Headers["Cache-control"] = "no-store";
            response.Headers["Pragma"]        = "no-cache";

            // The script appends a hidden form field carrying the request token, but only when the page that
            // loaded it has the same origin as this server; a cross-site <script src> ends up as a no-op.
            // NOTE(review): origin, field name and token are interpolated into JS source without escaping.
            // The token is framework-generated and the field name is server configuration; GetOrigin is not
            // shown here — if it derives from the Host header, confirm it cannot carry quotes or newlines.
            var origin       = GetOrigin(context.Request);
            var fieldName    = tokenSet.FormFieldName;
            var requestToken = tokenSet.RequestToken;
            var bodyScript   = $@"(function appendToken(){{
if(window.location.origin==='{origin}'){{
if(document.body){{
var input = document.createElement('input')
input.setAttribute('type', 'hidden')
input.setAttribute('name', '{fieldName}')
input.setAttribute('value', '{requestToken}')
document.body.appendChild(input)
}}else{{window.requestAnimationFrame(appendToken)}}
}}}})()";

            await response.WriteAsync(bodyScript, Encoding.UTF8);
        }
        public async Task <IActionResult> Index()
        {
            // For a signed-in principal whose account record still exists, expose a JSON summary
            // (user name + first role) and an XSRF token to the view. Anonymous visitors and principals
            // without a matching user get neither.
            var user = User.Identity.IsAuthenticated ? await _userManager.GetUserAsync(User) : null;
            if (user != null)
            {
                var roles   = await _userManager.GetRolesAsync(user);
                var summary = new
                {
                    user.UserName,
                    UserRole = roles.FirstOrDefault()
                };
                ViewData["User"] = JsonConvert.SerializeObject(summary);
                ViewData["xpt"]  = XsrfToXpt(_xsrf.GetTokens(HttpContext));
            }

            // Lets the view switch layout based on the User-Agent string.
            var userAgent = Request.Headers["User-Agent"].ToString();
            ViewData["Mobile"] = Utils.IsMobileBrowser(userAgent);

            return(View());
        }
        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
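        public void Configure(IApplicationBuilder app, IHostingEnvironment env, IHangfireScheduler hangfire, IAntiforgery antiforgery)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
            }

            app.UseStaticFiles();
            app.UseCookiePolicy();
            app.UseHangfireServer();
            // Must stay ahead of the antiforgery middleware below: tokens are bound to HttpContext.User.
            app.UseAuthentication();

            env.ConfigureNLog("NLog.config");

            // Allowed origins come from the "CORSUrls" array in configuration. A missing or empty section made
            // Get<List<string>>() return null and ToArray() throw at startup; fall back to an empty list so
            // CORS simply permits no cross-origin caller instead of crashing the app.
            var arrCors = Configuration.GetSection("CORSUrls").Get <List <string> >() ?? new List <string>();

            app.UseCors(options =>
            {
                // Credentialed CORS against an explicit origin list. Keep "*" out of CORSUrls: a wildcard
                // origin together with AllowCredentials is rejected by browsers (and by newer ASP.NET Core).
                options.AllowCredentials();
                options.AllowAnyHeader();
                options.AllowAnyMethod();
                options.WithOrigins(arrCors.ToArray());
            });

            // 401 responses are redirected to /login unless the request declared a JSON content type,
            // so API callers keep the status code.
            app.UseStatusCodePages(async context => {
                var response = context.HttpContext.Response;
                if (response.StatusCode == (int)HttpStatusCode.Unauthorized && context.HttpContext.Request.ContentType != "application/json")
                {
                    response.Redirect("/login");
                }
            });

            app.UseHangfireDashboard("/hangfire", new DashboardOptions {
                Authorization = new[] { new HangfireAuth() }, AppPath = "/home"
            });
            hangfire.Register();

            // Issue antiforgery tokens on every request that reaches MVC, for the already-authenticated
            // principal. The request token is exposed in a script-readable cookie named after the header the
            // client has to echo it in; CookieToken is only non-null when the request did not already carry
            // a valid antiforgery cookie.
            // NOTE(review): validation reads the cookie half under AntiforgeryOptions.Cookie.Name, so storing
            // it as "X-CSRF-TOKEN" only works if that option is configured to the same name — otherwise use
            // antiforgery.GetAndStoreTokens(context), which writes the configured cookie itself. Both Append
            // calls use default CookieOptions (not Secure, SameSite unset); consider tightening them.
            app.Use(next => context =>
            {
                var tokens = antiforgery.GetTokens(context);
                if (tokens.CookieToken != null)
                {
                    context.Response.Cookies.Append("X-CSRF-TOKEN", tokens.CookieToken);
                }
                context.Response.Cookies.Append(tokens.HeaderName, tokens.RequestToken);
                return(next(context));
            });

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Login}/{action=Index}/{id?}");
                routes.MapRoute(
                    name: "areas",
                    template: "{area:exists}/{controller=Home}/{action=Index}/{id?}/{id1?}/{id2?}"
                    );
            });
        }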
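        public IActionResult GetAntiForgeryToken()
        {
            // GetAndStoreTokens, not GetTokens: the former also writes the cookie half (under the configured
            // cookie name and options) and sets no-cache headers. With plain GetTokens nothing stored that
            // cookie, so the returned requestToken could never validate unless the caller set the cookie itself.
            // The token set — and therefore the JSON shape — is unchanged; cookieToken is null when the
            // request already carried a valid antiforgery cookie.
            var tokenSet = antiForgery.GetAndStoreTokens(HttpContext);

            // NOTE(review): returning cookieToken in the body is redundant now that the cookie is stored
            // server-side; drop it once no client reads it.
            return(Ok(new { requestToken = tokenSet.RequestToken, header = tokenSet.HeaderName, cookieToken = tokenSet.CookieToken }));
        }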