//[ValidateAntiForgeryToken] public async Task <IActionResult> Add(string model) { if (!await _antiForgery.IsRequestValidAsync(Request.HttpContext)) { return(new StatusCodeResult(401)); } if (!Request.Cookies.ContainsKey("sid") || !_sessionService.IsValid(Request.Cookies["sid"])) { return(new StatusCodeResult(401)); } var twit = new TwitModel() { Text = model, Time = DateTime.Now, Username = _sessionService.GetName(Request.Cookies["sid"]) }; using (var db = new AppDbContext()){ db.Twits.Add(twit); db.SaveChanges(); } return(RedirectToAction("Twits", "Public")); }
public void Configure(IApplicationBuilder app, IAntiforgery antiforgery, ILoggerFactory loggerFactory) { app.UseAuthentication(); app.Use(async(context, next) => { var logger = loggerFactory.CreateLogger("ValidRequestMW"); //Don't validate POST for login if (context.Request.Path.Value.Contains("login")) { await next(); return; } logger.LogInformation(context.Request.Cookies["XSRF-TOKEN"]); logger.LogInformation(context.Request.Headers["x-XSRF-TOKEN"]); //On POST requests it will validate the XSRF header if (!await antiforgery.IsRequestValidAsync(context)) { /**************************************************** * * * For some reason when the cookie and the header are sent in on the /create POST this validation always fails * * ***************************************************/ context.Response.StatusCode = 401; logger.LogError("INVALID XSRF TOKEN"); return; } await next(); }); app.UseRouter(r => { r.MapGet("", async context => { await context.Response.WriteAsync("hello world"); }); //This returns a XSRF-TOKEN cookie //Client will take this value and add it as a X-XSRF-TOKEN header and POST to /create r.MapPost("login", async(context) => { antiforgery.SetCookieTokenAndHeader(context); context.Response.Redirect("/"); }); //If XSRF validaiton is correct we should hit this route r.MapPost("create", async context => { context.Response.StatusCode = 201; await context.Response.WriteAsync("Created"); }); }); }
public override async Task <ActivityExecutionResult> ExecuteAsync(WorkflowExecutionContext workflowContext, ActivityContext activityContext) { if (await _antiforgery.IsRequestValidAsync(_httpContextAccessor.HttpContext)) { return(Outcomes("Done", "Valid")); } else { return(Outcomes("Done", "Invalid")); } }
public async Task Invoke(HttpContext httpContext) { var validatedRequest = await _antiforgery.IsRequestValidAsync(httpContext); if (validatedRequest) { await _next(httpContext); } else { httpContext.Response.StatusCode = 400; } }
public void OnResourceExecuting(ResourceExecutingContext context) { var isJwtClient = _httpContextAccessor.HttpContext.Request.Headers["Authorization"].ToString().StartsWith("Bearer "); if (!isJwtClient)// && !_webHostEnvironment.IsFrontDevMode()) { bool isRequestValid = _antiforgery.IsRequestValidAsync(context.HttpContext).Result; if (!isRequestValid) { throw new AntiforgeryValidationException(string.Empty); } //_antiforgery.ValidateRequestAsync(context.HttpContext); //no idea why this is not throwing an exception when NO token is provided } }
public async Task Invoke(HttpContext context) { if (context.Request.Path.Value == "/" || IsLogin(context) || IsLogout(context)) { var tokens = _antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { HttpOnly = false, Secure = true }); } var valid = await _antiforgery.IsRequestValidAsync(context); if (valid) { await _next.Invoke(context); } }
protected bool ParseAntiForgeryHeader(IAntiforgery antiforgery, CrudMessagesDto dto, HttpContext httpContext) { //foreach(var header in httpContext.Request.Headers) //{ // System.Diagnostics.Trace.WriteLine(header.ToString()); //} var task = antiforgery.IsRequestValidAsync(httpContext); task.Wait(); var validRequest = task.Result; if (!validRequest) { dto.ErrorMessage = "Broken antiforgery"; return(false); } return(true); }
public async Task InvokeAsync( HttpContext context, IAntiforgery antiforgery, ILogger <AntiforgeryMiddleware> logger, IOptions <AntiforgeryConfiguration> configuration) { AntiforgeryLogMessages.RequestValidating(logger, context); var isRequestValid = await antiforgery.IsRequestValidAsync(context); if (!isRequestValid) { AntiforgeryLogMessages.RequestValidationFailed(logger); context.Response.StatusCode = StatusCodes.Status400BadRequest; context.Response.ContentType = System.Net.Mime.MediaTypeNames.Application.Json; await context.Response.WriteAsync( JsonConvert.SerializeObject(AntiforgeryValidationError.Default)); return; } AntiforgeryLogMessages.RequestValidationSucceeded(logger); var tokenSet = antiforgery.GetAndStoreTokens(context); var requestTokenCookieKey = configuration.Value.RequestTokenCookieName ?? AntiforgeryDefaults.RequestTokenCookieName; context.Response.Cookies.Append( key: requestTokenCookieKey, value: tokenSet.RequestToken, options: new CookieOptions() { SameSite = SameSiteMode.Strict, Secure = true }); AntiforgeryLogMessages.RequestTokenCookieAttached(logger, requestTokenCookieKey, tokenSet.RequestToken); await _next.Invoke(context); }
public async Task InvokeAsync(HttpContext context, RequestDelegate next) { if (context.Request.Headers["X-REQUEST-CSRF-TOKEN"].FirstOrDefault()?.Equals("true") == true && await antiforgery.IsRequestValidAsync(context)) { var token = antiforgery.GetAndStoreTokens(context); context.Response.Headers.Add("X-RESPONSE-CSRF-TOKEN-NAME", token.HeaderName); context.Response.Headers.Add("X-RESPONSE-CSRF-TOKEN-VALUE", token.RequestToken); } await next(context); }
public async Task <IActionResult> Invoke(string token) { if (!_securityTokenService.TryDecryptToken <WorkflowPayload>(token, out var payload)) { _logger.LogWarning("Invalid SAS token provided"); return(NotFound()); } // Get the workflow type. var workflowType = await _workflowTypeStore.GetAsync(payload.WorkflowId); if (workflowType == null) { if (_logger.IsEnabled(LogLevel.Warning)) { _logger.LogWarning("The provided workflow with ID '{WorkflowTypeId}' could not be found.", payload.WorkflowId); } return(NotFound()); } if (!workflowType.IsEnabled) { if (_logger.IsEnabled(LogLevel.Warning)) { _logger.LogWarning("The provided workflow with ID '{WorkflowTypeId}' is not enabled.", payload.WorkflowId); } return(NotFound()); } // Get the activity record using the activity ID provided by the token. var startActivity = workflowType.Activities.FirstOrDefault(x => x.ActivityId == payload.ActivityId); if (startActivity == null) { if (_logger.IsEnabled(LogLevel.Warning)) { _logger.LogWarning("The provided activity with ID '{ActivityId}' could not be found.", payload.ActivityId); } return(NotFound()); } // Instantiate and bind an actual HttpRequestEvent object to check its settings. var httpRequestActivity = _activityLibrary.InstantiateActivity <HttpRequestEvent>(startActivity); if (httpRequestActivity == null) { if (_logger.IsEnabled(LogLevel.Warning)) { _logger.LogWarning("Activity with name '{ActivityName}' could not be found.", startActivity.Name); } return(NotFound()); } // Check if the HttpRequestEvent is configured to perform antiforgery token validation. If so, perform the validation. if (httpRequestActivity.ValidateAntiforgeryToken && (!await _antiforgery.IsRequestValidAsync(HttpContext))) { _logger.LogWarning("Antiforgery token validation failed."); return(BadRequest()); } // If the activity is a start activity, start a new workflow. if (startActivity.IsStart) { // If a singleton, try to acquire a lock per workflow type. (var locker, var locked) = await _distributedLock.TryAcquireWorkflowTypeLockAsync(workflowType); if (locked) { await using var acquiredLock = locker; // Check if this is not a workflow singleton or there's not already an halted instance on any activity. if (!workflowType.IsSingleton || !await _workflowStore.HasHaltedInstanceAsync(workflowType.WorkflowTypeId)) { if (_logger.IsEnabled(LogLevel.Debug)) { _logger.LogDebug("Invoking new workflow of type '{WorkflowTypeId}' with start activity '{ActivityId}'", workflowType.WorkflowTypeId, startActivity.ActivityId); } await _workflowManager.StartWorkflowAsync(workflowType, startActivity); } } } else { // Otherwise, we need to resume all halted workflows on this activity. var workflows = await _workflowStore.ListAsync(workflowType.WorkflowTypeId, new[] { startActivity.ActivityId }); if (!workflows.Any()) { if (_logger.IsEnabled(LogLevel.Warning)) { _logger.LogWarning("No workflow found that is blocked on activity '{ActivityId}'", startActivity.ActivityId); } return(NotFound()); } foreach (var workflow in workflows) { var blockingActivity = workflow.BlockingActivities.FirstOrDefault(x => x.ActivityId == startActivity.ActivityId); if (blockingActivity != null) { if (_logger.IsEnabled(LogLevel.Debug)) { _logger.LogDebug("Resuming workflow with ID '{WorkflowId}' on activity '{ActivityId}'", workflow.WorkflowId, blockingActivity.ActivityId); } // If atomic, try to acquire a lock per workflow instance. (var locker, var locked) = await _distributedLock.TryAcquireWorkflowLockAsync(workflow); if (!locked) { continue; } await using var acquiredLock = locker; // If atomic, check if the workflow still exists. var haltedWorkflow = workflow.IsAtomic ? await _workflowStore.GetAsync(workflow.WorkflowId) : workflow; if (haltedWorkflow == null) { continue; } // And if it is still halted on this activity. blockingActivity = haltedWorkflow.BlockingActivities.FirstOrDefault(x => x.ActivityId == startActivity.ActivityId); if (blockingActivity != null) { await _workflowManager.ResumeWorkflowAsync(haltedWorkflow, blockingActivity); } } } } return(GetWorkflowActionResult()); }
public async Task <IActionResult> Invoke(string token) { if (!_securityTokenService.TryDecryptToken <WorkflowPayload>(token, out var payload)) { _logger.LogWarning("Invalid SAS token provided"); return(NotFound()); } // Get the workflow type. var workflowType = await _workflowTypeStore.GetAsync(payload.WorkflowId); if (workflowType == null) { _logger.LogWarning("The provided workflow type with ID '{WorkflowTypeId}' could not be found.", payload.WorkflowId); return(NotFound()); } // Get the activity record using the activity ID provided by the token. var startActivity = workflowType.Activities.FirstOrDefault(x => x.ActivityId == payload.ActivityId); if (startActivity == null) { _logger.LogWarning("The provided activity with ID '{ActivityId}' could not be found.", payload.ActivityId); return(NotFound()); } // Instantiate and bind an actual HttpRequestEvent object to check its settings. var httpRequestActivity = _activityLibrary.InstantiateActivity <HttpRequestEvent>(startActivity); if (httpRequestActivity == null) { _logger.LogWarning("Activity with name '{ActivityName}' could not be found.", startActivity.Name); return(NotFound()); } // Check if the HttpRequestEvent is configured to perform antiforgery token validation. If so, perform the validation. if (httpRequestActivity.ValidateAntiforgeryToken && (!await _antiforgery.IsRequestValidAsync(HttpContext))) { _logger.LogWarning("Antiforgery token validation failed."); return(BadRequest()); } // If the activity is a start activity, start a new workflow. if (startActivity.IsStart) { _logger.LogDebug("Invoking new workflow of type {WorkflowTypeId} with start activity {ActivityId}", workflowType.WorkflowTypeId, startActivity.ActivityId); await _workflowManager.StartWorkflowAsync(workflowType, startActivity); } else { // Otherwise, we need to resume a halted workflow. var workflow = (await _workflowStore.ListAsync(workflowType.WorkflowTypeId, new[] { startActivity.ActivityId })).FirstOrDefault(); if (workflow == null) { _logger.LogWarning("No workflow found that is blocked on activity {ActivityId}", startActivity.ActivityId); return(NotFound()); } var blockingActivity = workflow.BlockingActivities.FirstOrDefault(x => x.ActivityId == startActivity.ActivityId); if (blockingActivity != null) { _logger.LogDebug("Resuming workflow with ID {WorkflowId} on activity {ActivityId}", workflow.WorkflowId, blockingActivity.ActivityId); await _workflowManager.ResumeWorkflowAsync(workflow, blockingActivity); } } return(GetWorkflowActionResult()); }
TryValidateAsync(HttpContext httpContext) { IAntiforgery antiforgery = GetAntiforgeryService(httpContext); return(await antiforgery.IsRequestValidAsync(httpContext)); }