private void DeserializeTokens(
HttpContext httpContext,
AntiforgeryTokenSet antiforgeryTokenSet,
out AntiforgeryToken cookieToken,
out AntiforgeryToken requestToken)
{
var antiforgeryFeature = GetAntiforgeryFeature(httpContext);
if (antiforgeryFeature.HaveDeserializedCookieToken)
{
cookieToken = antiforgeryFeature.CookieToken !;
}
else
{
cookieToken = _tokenSerializer.Deserialize(antiforgeryTokenSet.CookieToken !);
antiforgeryFeature.CookieToken = cookieToken;
antiforgeryFeature.HaveDeserializedCookieToken = true;
}
if (antiforgeryFeature.HaveDeserializedRequestToken)
{
requestToken = antiforgeryFeature.RequestToken !;
}
else
{
requestToken = _tokenSerializer.Deserialize(antiforgeryTokenSet.RequestToken !);
antiforgeryFeature.RequestToken = requestToken;
antiforgeryFeature.HaveDeserializedRequestToken = true;
}
}
private void ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)
{
Debug.Assert(!string.IsNullOrEmpty(antiforgeryTokenSet.CookieToken));
Debug.Assert(!string.IsNullOrEmpty(antiforgeryTokenSet.RequestToken));
// Extract cookie & request tokens
AntiforgeryToken deserializedCookieToken;
AntiforgeryToken deserializedRequestToken;
DeserializeTokens(
httpContext,
antiforgeryTokenSet,
out deserializedCookieToken,
out deserializedRequestToken);
// Validate
if (!_tokenGenerator.TryValidateTokenSet(
httpContext,
deserializedCookieToken,
deserializedRequestToken,
out var message))
{
throw new AntiforgeryValidationException(message);
}
}
public static string GetAntiforgeryToken(this HttpContext context)
{
IAntiforgery antiforgery = (IAntiforgery)context.RequestServices.GetService(typeof(IAntiforgery));
AntiforgeryTokenSet tokenSet = antiforgery.GetAndStoreTokens(context);
return(tokenSet.RequestToken);
}
public async Task ValidateRequestAsync_FormRequest_NoRequestTokenValue_Throws()
{
// Arrange
var context = CreateMockContext(new AntiforgeryOptions()
{
CookieName = "cookie-name",
FormFieldName = "form-field-name",
HeaderName = "header-name",
});
context.HttpContext.Request.ContentType = "application/x-www-form-urlencoded";
var tokenSet = new AntiforgeryTokenSet(null, "cookie-token", "form-field-name", "header-name");
context.TokenStore
.Setup(s => s.GetRequestTokensAsync(context.HttpContext))
.Returns(Task.FromResult(tokenSet));
var antiforgery = GetAntiforgery(context);
// Act & Assert
var exception = await Assert.ThrowsAsync <AntiforgeryValidationException>(
() => antiforgery.ValidateRequestAsync(context.HttpContext));
Assert.Equal(
"The required antiforgery request token was not provided in either form field \"form-field-name\" " +
"or header value \"header-name\".",
exception.Message);
}
public override void OnActionExecuted(ActionExecutedContext context)
{
var antiforgery = context.HttpContext.RequestServices.GetService <IAntiforgery>();
AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(context.HttpContext);
context.HttpContext.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions
{
HttpOnly = false
});
}
public IActionResult GetXSRFToken()
{
AntiforgeryTokenSet tokens = iAntiForgery.GetAndStoreTokens(HttpContext);
return(new ObjectResult(new
{
token = tokens.RequestToken,
tokenHeader = tokens.HeaderName
}));
}
public override void OnActionExecuted(ActionExecutedContext context)
{
IAntiforgery antiforgery = context.HttpContext.RequestServices.GetService <IAntiforgery>();
// We can send the request token as a JavaScript-readable cookie, and jquery will use it by default.
AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(context.HttpContext);
context.HttpContext.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions {
HttpOnly = false
});
}
GetHtml(HttpContext httpContext, XcstWriter output)
{
IAntiforgery antiforgery = GetAntiforgeryService(httpContext);
AntiforgeryTokenSet tokenSet = antiforgery.GetAndStoreTokens(httpContext);
output.WriteStartElement("input");
output.WriteAttributeString("type", "hidden");
output.WriteAttributeString("name", tokenSet.FormFieldName);
output.WriteAttributeString("value", tokenSet.RequestToken);
output.WriteEndElement();
}
public override void OnActionExecuted([NotNull] ActionExecutedContext context)
{
IAntiforgery antiForgery = context.HttpContext.RequestServices.GetService<IAntiforgery>();
// We can send the request token as a JavaScript-readable cookie,
// and Angular will use it by default.
AntiforgeryTokenSet tokens = antiForgery?.GetAndStoreTokens(context.HttpContext);
if (tokens?.RequestToken == null) return;
context.HttpContext.Response.Cookies.Append(essentialMix.Web.CookieNames.AntiForgeryToken, tokens.RequestToken, new CookieOptions
{
HttpOnly = false
});
}
private AntiforgeryTokenSet SetAntiForgeryTokens()
{
IAntiforgery antiforgery = (IAntiforgery)Context.RequestServices.GetService(typeof(IAntiforgery));
IOptions <AntiforgeryOptions> options = (IOptions <AntiforgeryOptions>)Context.RequestServices.GetService(typeof(IOptions <AntiforgeryOptions>));
// Save cookie
AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(Context);
// Set response header
Context.Response.Headers[options.Value.FormFieldName] = tokens.RequestToken;
return(tokens);
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, IAntiforgery antiforgery)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
app.UseHsts();
}
/// Add the anti-forgery cookie to the context response
app.Use(next => context =>
{
switch (context.Request.Path.Value)
{
case "/":
AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(context);
context.Response.Cookies.Append(
"AntiForgery-TOKEN",
tokens.RequestToken,
new CookieOptions()
{
HttpOnly = false
});
break;
}
return(next(context));
});
/// App setup to use the following middle-wares
app.UseAuthentication();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseSpaStaticFiles();
/// User MVC Routes for the api calls
app.UseMvc();
app.UseSpa(spa =>
{
spa.Options.SourcePath = "ClientApp";
if (env.IsDevelopment())
{
spa.UseReactDevelopmentServer(npmScript: "start");
}
});
}
public static void AddAntiforgeryCookies(this IAntiforgery antiforgery, HttpContext context)
{
AntiforgeryTokenSet tokenSet = antiforgery.GetAndStoreTokens(context);
context.
Response.
Cookies.
Append(
"XSRF-TOKEN",
tokenSet.RequestToken,
new CookieOptions()
{
// Allows client side scripts to access cookie
HttpOnly = false
});
}
public void GetHtml_RendersInputField()
{
// Arrange
var antiforgery = new Mock<IAntiforgery>(MockBehavior.Strict);
var tokenSet = new AntiforgeryTokenSet("request-token", "cookie-token", "form-field", "header");
antiforgery
.Setup(a => a.GetAndStoreTokens(It.IsAny<HttpContext>()))
.Returns(tokenSet);
// Act
var inputElement = AntiforgeryExtensions.GetHtml(antiforgery.Object, new DefaultHttpContext());
// Assert
Assert.Equal(
@"<input name=""HtmlEncode[[form-field]]"" type=""hidden"" value=""HtmlEncode[[request-token]]"" />",
HtmlContentUtilities.HtmlContentToString(inputElement));
}
public void GetHtml_RendersInputField()
{
// Arrange
var antiforgery = new Mock <IAntiforgery>(MockBehavior.Strict);
var tokenSet = new AntiforgeryTokenSet("request-token", "cookie-token", "form-field", "header");
antiforgery
.Setup(a => a.GetAndStoreTokens(It.IsAny <HttpContext>()))
.Returns(tokenSet);
// Act
var inputElement = AntiforgeryExtensions.GetHtml(antiforgery.Object, new DefaultHttpContext());
// Assert
Assert.Equal(
@"<input name=""HtmlEncode[[form-field]]"" type=""hidden"" value=""HtmlEncode[[request-token]]"" />",
HtmlContentUtilities.HtmlContentToString(inputElement));
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IAntiforgery antiforgery)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseCors("EnableCORS");
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthorization();
/* Configure the app to provide a token in a cookie called XSRF-TOKEN */
/* Custom Middleware Component is required to Set the cookie which is named XSRF-TOKEN
* The Value for this cookie is obtained from IAntiForgery service
* We must configure this cookie with HttpOnly option set to false so that browser will allow JS to read this cookie
*/
app.Use(nextDelegate => context =>
{
string path = context.Request.Path.Value.ToLower();
string[] directUrls = { "/admin", "/store", "/cart", "checkout", "/login" };
if (path.StartsWith("/swagger") || path.StartsWith("/api") || string.Equals("/", path) || directUrls.Any(url => path.StartsWith(url)))
{
AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(context);
context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions()
{
HttpOnly = false,
Secure = false,
IsEssential = true,
SameSite = SameSiteMode.Strict
});
}
return(nextDelegate(context));
});
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
private void SetAntiforgeryCookie()
{
CookieOptions antiForgeryCookieOptions = new CookieOptions()
{
HttpOnly = false,
SameSite = SameSiteMode.Lax,
Secure = true,
};
if (_WebHostingEnv.IsProduction())
{
antiForgeryCookieOptions.Domain = AppConst.Settings.AppDomains.AntiforgeryCookieDomain;
}
AntiforgeryTokenSet tokens = _Antiforgery.GetAndStoreTokens(HttpContext);
Response.Cookies.Append(
"AF-TOKEN",
tokens.RequestToken,
antiForgeryCookieOptions);
}
private bool TryDeserializeTokens(
HttpContext httpContext,
AntiforgeryTokenSet antiforgeryTokenSet,
[NotNullWhen(true)] out AntiforgeryToken?cookieToken,
[NotNullWhen(true)] out AntiforgeryToken?requestToken)
{
try
{
DeserializeTokens(httpContext, antiforgeryTokenSet, out cookieToken, out requestToken);
return(true);
}
catch (AntiforgeryValidationException ex)
{
_logger.FailedToDeserialzeTokens(ex);
cookieToken = null;
requestToken = null;
return(false);
}
}
public async override void OnActionExecuting(ActionExecutingContext context)
{
IAntiforgery antiforgery = (IAntiforgery)context.HttpContext.RequestServices.GetService(typeof(IAntiforgery));
AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(context.HttpContext);
if (!context.HttpContext.Request.Form.ContainsKey(tokens.FormFieldName))
{
return;
}
var currentFormId = context.HttpContext.Request.Form[tokens.FormFieldName].ToString();
var lastToken = "" + context.HttpContext.Session.GetString(UniqFormuId);
if (lastToken.Equals(currentFormId))
{
context.ModelState.AddModelError(string.Empty, $"{DateTime.Now.ToShortTimeString()}--重复提交");
return;
}
context.HttpContext.Session.Remove(UniqFormuId);
context.HttpContext.Session.SetString(UniqFormuId, currentFormId);
await context.HttpContext.Session.CommitAsync();
}
public override async void OnActionExecuting(ActionExecutingContext context)
{
IAntiforgery antiforgery = (IAntiforgery)context.HttpContext.RequestServices.GetService(typeof(IAntiforgery));
AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(context.HttpContext);
if (!context.HttpContext.Request.Form.ContainsKey(tokens.FormFieldName))
{
return;
}
var currentFormId = context.HttpContext.Request.Form[tokens.FormFieldName].ToString();
var lastToken = "" + context.HttpContext.Session.GetString(UniqFormuId);
if (lastToken.Equals(currentFormId))
{
context.ModelState.AddModelError(string.Empty, "Looks like you accidentally submitted the same form twice.");
return;
}
context.HttpContext.Session.Remove(UniqFormuId);
context.HttpContext.Session.SetString(UniqFormuId, currentFormId);
await context.HttpContext.Session.CommitAsync();
}
/// <inheritdoc />
public void GetAndStoreTokens(HttpContext httpContext)
{
AntiforgeryTokenSet set = _internalAntiForgery.GetAndStoreTokens(httpContext);
if (set.RequestToken == null)
{
throw new InvalidOperationException("Could not resolve a request token.");
}
// We need to set 2 cookies:
// The cookie value that angular will use to set a header value on each request - we need to manually set this here
// The validation cookie value generated by the anti-forgery helper that we validate the header token against - set above in GetAndStoreTokens
httpContext.Response.Cookies.Append(
Constants.Web.AngularCookieName,
set.RequestToken,
new CookieOptions
{
Path = "/",
//must be js readable
HttpOnly = false,
Secure = _globalSettings.UseHttps
});
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IWebHostEnvironment env, IAntiforgery antiforgery)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseCors("EnableCORS");
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthorization();
app.Use(nextDelegate => context =>
{
string path = context.Request.Path.Value.ToLower();
string[] directUrls = { "/admin", "/store", "/cart", "checkout", "/login" };
if (path.StartsWith("/swagger") || path.StartsWith("/api") || string.Equals("/", path) || directUrls.Any(url => path.StartsWith(url)))
{
AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(context);
context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions()
{
HttpOnly = false,
Secure = false,
IsEssential = true,
SameSite = SameSiteMode.Strict
});
}
return(nextDelegate(context));
});
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
public async Task ValidateRequestAsync_NonFormRequest_HeaderDisabled_Throws()
{
// Arrange
var context = CreateMockContext(new AntiforgeryOptions()
{
CookieName = "cookie-name",
FormFieldName = "form-field-name",
HeaderName = null,
});
var tokenSet = new AntiforgeryTokenSet(null, "cookie-token", "form-field-name", null);
context.TokenStore
.Setup(s => s.GetRequestTokensAsync(context.HttpContext))
.Returns(Task.FromResult(tokenSet));
var antiforgery = GetAntiforgery(context);
// Act & Assert
var exception = await Assert.ThrowsAsync <AntiforgeryValidationException>(
() => antiforgery.ValidateRequestAsync(context.HttpContext));
Assert.Equal("The required antiforgery form field \"form-field-name\" is not present.", exception.Message);
}
public async Task Invoke(HttpContext httpContext, IAntiforgery antiforgery)
{
string path = httpContext.Request.Path.Value;
if (httpContext.Request.Method == HttpMethods.Get &&
(
string.Equals(path, "/", StringComparison.OrdinalIgnoreCase) ||
string.Equals(path, "/index.html", StringComparison.OrdinalIgnoreCase) ||
string.Equals(path, "/login", StringComparison.OrdinalIgnoreCase) ||
string.Equals(path, "/index-login.html", StringComparison.OrdinalIgnoreCase)
))
{
// The request token can be sent as a JavaScript-readable cookie,
// and Angular uses it by default.
AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(httpContext);
httpContext.Response.Cookies.Append(_clientCookieName,
tokens.RequestToken,
new CookieOptions {
HttpOnly = false
});
}
await _next(httpContext);
}
public InputContent(AntiforgeryTokenSet tokenSet)
{
_fieldName = tokenSet.FormFieldName;
_requestToken = tokenSet.RequestToken !;
}
private void DeserializeTokens(
HttpContext httpContext,
AntiforgeryTokenSet antiforgeryTokenSet,
out AntiforgeryToken cookieToken,
out AntiforgeryToken requestToken)
{
var antiforgeryFeature = GetAntiforgeryFeature(httpContext);
if (antiforgeryFeature.HaveDeserializedCookieToken)
{
cookieToken = antiforgeryFeature.CookieToken;
}
else
{
cookieToken = _tokenSerializer.Deserialize(antiforgeryTokenSet.CookieToken);
antiforgeryFeature.CookieToken = cookieToken;
antiforgeryFeature.HaveDeserializedCookieToken = true;
}
if (antiforgeryFeature.HaveDeserializedRequestToken)
{
requestToken = antiforgeryFeature.RequestToken;
}
else
{
requestToken = _tokenSerializer.Deserialize(antiforgeryTokenSet.RequestToken);
antiforgeryFeature.RequestToken = requestToken;
antiforgeryFeature.HaveDeserializedRequestToken = true;
}
}
private void ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)
{
Debug.Assert(!string.IsNullOrEmpty(antiforgeryTokenSet.CookieToken));
Debug.Assert(!string.IsNullOrEmpty(antiforgeryTokenSet.RequestToken));
// Extract cookie & request tokens
AntiforgeryToken deserializedCookieToken;
AntiforgeryToken deserializedRequestToken;
DeserializeTokens(
httpContext,
antiforgeryTokenSet,
out deserializedCookieToken,
out deserializedRequestToken);
// Validate
string message;
if (!_tokenGenerator.TryValidateTokenSet(
httpContext,
deserializedCookieToken,
deserializedRequestToken,
out message))
{
throw new AntiforgeryValidationException(message);
}
}
public AntiforgeryTokenSet GetAndStoreTokens(HttpContext httpContext)
{
var result = new AntiforgeryTokenSet("requestToken", "cookieToken", "test", "test");
return(result);
}
private BankIdLoginViewModel GetLoginViewModel(string returnUrl, string loginOptions, BankIdLoginOptions unprotectedLoginOptions, AntiforgeryTokenSet antiforgeryTokens)
{
var loginScriptOptions = new BankIdLoginScriptOptions
{
RefreshIntervalMs = BankIdAuthenticationDefaults.StatusRefreshIntervalMs,
InitialStatusMessage = _bankIdUserMessageLocalizer.GetLocalizedString(MessageShortName.RFA13),
UnknownErrorMessage = _bankIdUserMessageLocalizer.GetLocalizedString(MessageShortName.RFA22),
UnsupportedBrowserErrorMessage = _localizer["UnsupportedBrowser_ErrorMessage"],
BankIdInitializeApiUrl = Url.Action(nameof(BankIdApiController.InitializeAsync), "BankIdApi"),
BankIdStatusApiUrl = Url.Action(nameof(BankIdApiController.StatusAsync), "BankIdApi")
};
return(new BankIdLoginViewModel
{
ReturnUrl = returnUrl,
AutoLogin = unprotectedLoginOptions.IsAutoLogin(),
PersonalIdentityNumber = unprotectedLoginOptions.PersonalIdentityNumber?.To12DigitString() ?? string.Empty,
LoginOptions = loginOptions,
UnprotectedLoginOptions = unprotectedLoginOptions,
AntiXsrfRequestToken = antiforgeryTokens.RequestToken,
LoginScriptOptions = loginScriptOptions,
LoginScriptOptionsJson = SystemRuntimeJsonSerializer.Serialize(loginScriptOptions)
});
}
static public string XsrfToXpt(AntiforgeryTokenSet xpt) => Serialize(new
{
__xpt_cookie = xpt.CookieToken,
__xpt_request = xpt.RequestToken,
__xpt_header_name = xpt.HeaderName
});
private BankIdLoginViewModel GetLoginViewModel(string returnUrl, string loginOptions, BankIdLoginOptions unprotectedLoginOptions, AntiforgeryTokenSet antiforgeryTokens)
{
var initialStatusMessage = GetInitialStatusMessage(unprotectedLoginOptions);
var loginScriptOptions = new BankIdLoginScriptOptions(
Url.Action("Initialize", "BankIdApi"),
Url.Action("Status", "BankIdApi"),
Url.Action("Cancel", "BankIdApi")
)
{
RefreshIntervalMs = BankIdDefaults.StatusRefreshIntervalMs,
InitialStatusMessage = _bankIdUserMessageLocalizer.GetLocalizedString(initialStatusMessage),
UnknownErrorMessage = _bankIdUserMessageLocalizer.GetLocalizedString(MessageShortName.RFA22),
UnsupportedBrowserErrorMessage = _localizer["UnsupportedBrowser_ErrorMessage"]
};
return(new BankIdLoginViewModel(
returnUrl,
Url.Content(unprotectedLoginOptions.CancelReturnUrl),
unprotectedLoginOptions.IsAutoLogin(),
unprotectedLoginOptions.PersonalIdentityNumber?.To12DigitString() ?? string.Empty,
loginOptions,
unprotectedLoginOptions,
loginScriptOptions,
SystemRuntimeJsonSerializer.Serialize(loginScriptOptions),
antiforgeryTokens.RequestToken
));
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(
IApplicationBuilder app,
IWebHostEnvironment env,
IAntiforgery antiforgery)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
else
{
app.UseExceptionHandler("/Error");
// The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseCors("EnableCORS");
app.UseStaticFiles();
if (!env.IsDevelopment())
{
app.UseSpaStaticFiles();
}
app.UseRouting();
// [Authorize]
app.UseAuthorization();
// [ValidateAntiForgeryToken]
// [AutoValidateAntiforgeryToken]
app.Use(nextDelegate => context =>
{
string path = context.Request.Path.Value.ToLower();
string[] directUrls =
{
"/admin",
"/store",
"/cart",
"checkout",
"/login"
};
if (path.StartsWith("/swagger") ||
path.StartsWith("/api") ||
string.Equals("/", path) ||
directUrls.Any(url => path.StartsWith(url)))
{
AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(context);
context.Response.Cookies.Append(
"XSRF-TOKEN",
tokens.RequestToken,
new CookieOptions()
{
HttpOnly = false,
Secure = false,
IsEssential = true,
SameSite = SameSiteMode.Strict
}
);
}
return(nextDelegate(context));
});
app.UseEndpoints(endpoints =>
{
// * Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation 3.1.5
endpoints.MapControllerRoute(
name: "areas",
pattern: "{area:exists}/{controller=Home}/{action=Index}/{id?}");
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller}/{action=Index}/{id?}");
});
app.UseSpa(spa =>
{
// To learn more about options for serving an Angular SPA from ASP.NET Core,
// see https://go.microsoft.com/fwlink/?linkid=864501
spa.Options.SourcePath = "ClientApp";
if (env.IsDevelopment())
{
spa.UseAngularCliServer(npmScript: "start");
}
});
}
