        /// <inheritdoc />
        /// <remarks>
        /// Safe HTTP methods (GET, HEAD, OPTIONS, TRACE) are accepted without inspecting any token.
        /// Every other method must carry both a cookie token and a request token; the pair is then
        /// deserialized and validated as a set by the token generator. Each failure path is logged
        /// before returning <c>false</c>.
        /// </remarks>
        /// <exception cref="ArgumentNullException"><paramref name="httpContext"/> is <c>null</c>.</exception>
        public async Task <bool> IsRequestValidAsync(HttpContext httpContext)
        {
            if (httpContext is null)
            {
                throw new ArgumentNullException(nameof(httpContext));
            }

            CheckSSLConfig(httpContext);

            var requestMethod = httpContext.Request.Method;

            // Method names are protocol tokens, so an ordinal case-insensitive comparison is used.
            bool IsMethod(string candidate) =>
                string.Equals(requestMethod, candidate, StringComparison.OrdinalIgnoreCase);

            // Validation not needed for these request types.
            if (IsMethod("GET") || IsMethod("HEAD") || IsMethod("OPTIONS") || IsMethod("TRACE"))
            {
                return true;
            }

            var tokenSet = await _tokenStore.GetRequestTokensAsync(httpContext);

            // Both halves of the token pair must be present before deserialization is attempted.
            if (tokenSet.CookieToken is null)
            {
                _logger.MissingCookieToken(_options.Cookie.Name);
                return false;
            }

            if (tokenSet.RequestToken is null)
            {
                _logger.MissingRequestToken(_options.FormFieldName, _options.HeaderName);
                return false;
            }

            // Extract cookie & request tokens.
            DeserializeTokens(httpContext, tokenSet, out AntiforgeryToken cookieToken, out AntiforgeryToken requestToken);

            // Validate the pair as a set; the generator reports the reason for any mismatch.
            var isValid = _tokenGenerator.TryValidateTokenSet(
                httpContext,
                cookieToken,
                requestToken,
                out string failureMessage);

            if (!isValid)
            {
                _logger.ValidationFailed(failureMessage);
                return false;
            }

            _logger.ValidatedAntiforgeryToken();
            return true;
        }
    /// <inheritdoc />
    /// <remarks>
    /// Safe HTTP methods (GET, HEAD, OPTIONS, TRACE) are accepted without inspecting any token.
    /// Every other method must carry both a cookie token and a request token; the pair must
    /// deserialize successfully and then validate as a set. Each failure path is logged before
    /// returning <c>false</c> (deserialization failures are reported by <c>TryDeserializeTokens</c>).
    /// </remarks>
    /// <exception cref="ArgumentNullException"><paramref name="httpContext"/> is <c>null</c>.</exception>
    public async Task <bool> IsRequestValidAsync(HttpContext httpContext)
    {
        if (httpContext is null)
        {
            throw new ArgumentNullException(nameof(httpContext));
        }

        CheckSSLConfig(httpContext);

        var requestMethod = httpContext.Request.Method;

        // Validation not needed for these request types.
        var isSafeMethod = HttpMethods.IsGet(requestMethod)
            || HttpMethods.IsHead(requestMethod)
            || HttpMethods.IsOptions(requestMethod)
            || HttpMethods.IsTrace(requestMethod);

        if (isSafeMethod)
        {
            return true;
        }

        var tokenSet = await _tokenStore.GetRequestTokensAsync(httpContext);

        // Both halves of the token pair must be present before deserialization is attempted.
        if (tokenSet.CookieToken is null)
        {
            _logger.MissingCookieToken(_options.Cookie.Name);
            return false;
        }

        if (tokenSet.RequestToken is null)
        {
            _logger.MissingRequestToken(_options.FormFieldName, _options.HeaderName);
            return false;
        }

        // Extract cookie & request tokens; a malformed token ends validation here.
        var deserialized = TryDeserializeTokens(httpContext, tokenSet, out var cookieToken, out var requestToken);
        if (!deserialized)
        {
            return false;
        }

        // Validate the pair as a set; the generator reports the reason for any mismatch.
        var isValid = _tokenGenerator.TryValidateTokenSet(
            httpContext,
            cookieToken,
            requestToken,
            out var failureMessage);

        if (!isValid)
        {
            // The generator only populates the message on failure, hence the null-forgiving operator.
            _logger.ValidationFailed(failureMessage!);
            return false;
        }

        _logger.ValidatedAntiforgeryToken();
        return true;
    }
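        /// <summary>
        /// Reads the antiforgery cookie token and, when that cookie is present, the paired request token
        /// from the request headers. When no header token is found, the lookup is delegated to the
        /// default store.
        /// </summary>
        /// <param name="httpContext">The current request context.</param>
        /// <returns>
        /// A token set built from the cookie and header, or whatever <c>_defaultStore</c> returns.
        /// </returns>
        /// <exception cref="ArgumentNullException"><paramref name="httpContext"/> is <c>null</c>.</exception>
        /// <exception cref="AntiforgeryException">The default store threw while reading the tokens.</exception>
        public async Task <AntiforgeryTokenSet> GetRequestTokensAsync(HttpContext httpContext)
        {
            // Fail fast with a clear argument error instead of a NullReferenceException from the lookup below.
            if (httpContext == null)
            {
                throw new ArgumentNullException(nameof(httpContext));
            }

            //
            // Get cookie token
            string requestCookie = httpContext.Request.Cookies[_options.CookieName];
            string requestToken  = null;

            //
            // Get header token. It is only consulted when a cookie token exists: a header token
            // without its paired cookie cannot validate, so that case goes to the default store.
            // NOTE(review): the header is looked up by _options.FormFieldName rather than a dedicated
            // header-name option — confirm this is intended.
            if (!string.IsNullOrEmpty(requestCookie))
            {
                requestToken = httpContext.Request.Headers[_options.FormFieldName];
            }

            //
            if (!string.IsNullOrEmpty(requestToken))
            {
                return(new AntiforgeryTokenSet(requestToken, requestCookie, _options.CookieName, _options.FormFieldName));
            }

            //
            // Fall back to the default implementation. Every exception (including cancellation) is wrapped
            // so callers observe a single antiforgery-specific exception type.
            try {
                var res = await _defaultStore.GetRequestTokensAsync(httpContext);

                return(res);
            }
            catch (Exception e) {
                throw new AntiforgeryException(e);
            }
        }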