Blazor forms and antiforgery 8.0 (#30035)

dotnet · Aug 16, 2023 · 52cd908 · 52cd908
1 parent e62eb1f
commit 52cd908
Show file tree

Hide file tree

Showing 8 changed files with 2,465 additions and 905 deletions.
diff --git a/aspnetcore/blazor/call-web-api.md b/aspnetcore/blazor/call-web-api.md
@@ -840,6 +840,31 @@ For more information, see <xref:security/cors>.
 
 :::zone-end
 
+:::moniker range=">= aspnetcore-8.0"
+
+## Antiforgery support
+
+To add antiforgery support to an HTTP request, inject the `AntiforgeryStateProvider` and add a `RequestToken` to the headers collection as a `RequestVerificationToken`:
+
+```razor
+@inject AntiforgeryStateProvider Antiforgery
+```
+
+```csharp
+private async Task OnSubmit()
+{
+    var antiforgery = Antiforgery.GetAntiforgeryToken();
+    var request = new HttpRequestMessage(HttpMethod.Post, "action");
+    request.Headers.Add("RequestVerificationToken", antiforgery.RequestToken);
+    var response = await client.SendAsync(request);
+    ...
+}
+```
+
+For more information, see <xref:blazor/security/index#antiforgery-support>.
+
+:::moniker-end
+
 ## Blazor framework component examples for testing web API access
 
 Various network tools are publicly available for testing web API backend apps directly, such as [Firefox Browser Developer](https://www.mozilla.org/firefox/developer/) and [Postman](https://www.postman.com). Blazor framework's reference source includes <xref:System.Net.Http.HttpClient> test assets that are useful for testing:

diff --git a/aspnetcore/blazor/components/built-in-components.md b/aspnetcore/blazor/components/built-in-components.md
@@ -19,6 +19,7 @@ The following built-in Razor components are provided by the Blazor framework:
 <!-- UPDATE 8.0 Confirm/update list -->
 
 * [`App`](xref:blazor/project-structure)
+* [`AntiforgeryToken`](xref:blazor/forms-and-input-components#antiforgery-support)
 * [`Authentication`](xref:blazor/security/webassembly/index#authentication-component)
 * [`AuthorizeView`](xref:blazor/security/index#authorizeview-component)
 * [`CascadingValue`](xref:blazor/components/cascading-values-and-parameters#cascadingvalue-component)

diff --git a/aspnetcore/blazor/forms-and-input-components.md b/aspnetcore/blazor/forms-and-input-components.md
diff --git a/aspnetcore/blazor/security/index.md b/aspnetcore/blazor/security/index.md
@@ -30,6 +30,20 @@ ASP.NET Core abstractions, such as <xref:Microsoft.AspNetCore.Identity.SignInMan
 > [!NOTE]
 > The code examples in this article adopt [nullable reference types (NRTs) and .NET compiler null-state static analysis](xref:migration/50-to-60#nullable-reference-types-nrts-and-net-compiler-null-state-static-analysis), which are supported in ASP.NET Core 6.0 or later. When targeting ASP.NET Core 5.0 or earlier, remove the null type designation (`?`) from examples in this article.
 
+:::moniker range=">= aspnetcore-8.0"
+
+## Antiforgery support
+
+Blazor adds Antiforgery Middleware and requires endpoint [antiforgery protection](xref:security/anti-request-forgery) by default. 
+
+The `AntiforgeryToken` component renders an antiforgery token as a hidden field, and this component is automatically added to form (`EditForm`) instances. For more information, see <xref:blazor/forms-and-input-components#antiforgery-support>.
+
+The `AntiforgeryStateProvider` service provides access to an antiforgery token associated with the current session. Inject the service and call its `GetAntiforgeryToken` method to obtain the current `AntiforgeryRequestToken`. For more information, see <xref:blazor/call-web-api#antiforgery-support>.
+
+Blazor stores request tokens in component state, which guarantees that antiforgery tokens are available to interactive components, even when they don't have access to the request.
+
+:::moniker-end
+
 ## Authentication
 
 Blazor uses the existing ASP.NET Core authentication mechanisms to establish the user's identity. The exact mechanism depends on how the Blazor app is hosted, Blazor Server or Blazor WebAssembly.

diff --git a/aspnetcore/blazor/security/server/additional-scenarios.md b/aspnetcore/blazor/security/server/additional-scenarios.md
@@ -16,6 +16,11 @@ This article explains how to configure Blazor Server for additional security sce
 
 ## Pass tokens to a Blazor Server app
 
+<!-- UPDATE 8.0 I don't think it will be necessary to showcase
+     passing antiforgery tokens for BWAs, so we'll probably
+     version that piece out. However, other types of tokens might
+     still require an approach similar to what this guidance shows. -->
+
 Tokens available outside of the Razor components in a Blazor Server app can be passed to components with the approach described in this section. The example in this section focuses on passing access, refresh, and [anti-request forgery (XSRF) token](xref:security/anti-request-forgery) tokens to the Blazor app, but the approach is valid for other HTTP context state.
 
 > [!NOTE]

diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md
@@ -505,7 +505,7 @@ In the following `InjectAuthStateProvider` component:
 
 For more information, see the guidance on <xref:Microsoft.AspNetCore.Components.OwningComponentBase> in <xref:blazor/fundamentals/dependency-injection#owningcomponentbase>.
 
-<!-- HOLD: This content will be discussed with the PU after .NET 8 releases. This is tracked by https://github.com/dotnet/AspNetCore.Docs/issues/28001.
+<!-- UPDATE 8.0 This content will be discussed with the PU after .NET 8 releases. This is tracked by https://github.com/dotnet/AspNetCore.Docs/issues/28001.
 
 ## Unauthorized content display while prerendering with a custom `AuthenticationStateProvider`