Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Blazor forms and antiforgery 8.0 #30035

Merged
merged 7 commits into from
Aug 16, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 25 additions & 0 deletions aspnetcore/blazor/call-web-api.md
Original file line number Diff line number Diff line change
Expand Up @@ -840,6 +840,31 @@ For more information, see <xref:security/cors>.

:::zone-end

:::moniker range=">= aspnetcore-8.0"

## Antiforgery support

To add antiforgery support to an HTTP request, inject the `AntiforgeryStateProvider` and add a `RequestToken` to the headers collection as a `RequestVerificationToken`:

```razor
@inject AntiforgeryStateProvider Antiforgery
```

```csharp
private async Task OnSubmit()
{
var antiforgery = Antiforgery.GetAntiforgeryToken();
var request = new HttpRequestMessage(HttpMethod.Post, "action");
request.Headers.Add("RequestVerificationToken", antiforgery.RequestToken);
var response = await client.SendAsync(request);
...
}
```

For more information, see <xref:blazor/security/index#antiforgery-support>.

:::moniker-end

## Blazor framework component examples for testing web API access

Various network tools are publicly available for testing web API backend apps directly, such as [Firefox Browser Developer](https://www.mozilla.org/firefox/developer/) and [Postman](https://www.postman.com). Blazor framework's reference source includes <xref:System.Net.Http.HttpClient> test assets that are useful for testing:
Expand Down
1 change: 1 addition & 0 deletions aspnetcore/blazor/components/built-in-components.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ The following built-in Razor components are provided by the Blazor framework:
<!-- UPDATE 8.0 Confirm/update list -->

* [`App`](xref:blazor/project-structure)
* [`AntiforgeryToken`](xref:blazor/forms-and-input-components#antiforgery-support)
* [`Authentication`](xref:blazor/security/webassembly/index#authentication-component)
* [`AuthorizeView`](xref:blazor/security/index#authorizeview-component)
* [`CascadingValue`](xref:blazor/components/cascading-values-and-parameters#cascadingvalue-component)
Expand Down
3,034 changes: 2,136 additions & 898 deletions aspnetcore/blazor/forms-and-input-components.md

Large diffs are not rendered by default.

14 changes: 14 additions & 0 deletions aspnetcore/blazor/security/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,20 @@ ASP.NET Core abstractions, such as <xref:Microsoft.AspNetCore.Identity.SignInMan
> [!NOTE]
> The code examples in this article adopt [nullable reference types (NRTs) and .NET compiler null-state static analysis](xref:migration/50-to-60#nullable-reference-types-nrts-and-net-compiler-null-state-static-analysis), which are supported in ASP.NET Core 6.0 or later. When targeting ASP.NET Core 5.0 or earlier, remove the null type designation (`?`) from examples in this article.

:::moniker range=">= aspnetcore-8.0"

## Antiforgery support

Blazor adds Antiforgery Middleware and requires endpoint [antiforgery protection](xref:security/anti-request-forgery) by default.

The `AntiforgeryToken` component renders an antiforgery token as a hidden field, and this component is automatically added to form (`EditForm`) instances. For more information, see <xref:blazor/forms-and-input-components#antiforgery-support>.

The `AntiforgeryStateProvider` service provides access to an antiforgery token associated with the current session. Inject the service and call its `GetAntiforgeryToken` method to obtain the current `AntiforgeryRequestToken`. For more information, see <xref:blazor/call-web-api#antiforgery-support>.

Blazor stores request tokens in component state, which guarantees that antiforgery tokens are available to interactive components, even when they don't have access to the request.

:::moniker-end

## Authentication

Blazor uses the existing ASP.NET Core authentication mechanisms to establish the user's identity. The exact mechanism depends on how the Blazor app is hosted, Blazor Server or Blazor WebAssembly.
Expand Down
5 changes: 5 additions & 0 deletions aspnetcore/blazor/security/server/additional-scenarios.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,11 @@ This article explains how to configure Blazor Server for additional security sce

## Pass tokens to a Blazor Server app

<!-- UPDATE 8.0 I don't think it will be necessary to showcase
passing antiforgery tokens for BWAs, so we'll probably
version that piece out. However, other types of tokens might
still require an approach similar to what this guidance shows. -->

Tokens available outside of the Razor components in a Blazor Server app can be passed to components with the approach described in this section. The example in this section focuses on passing access, refresh, and [anti-request forgery (XSRF) token](xref:security/anti-request-forgery) tokens to the Blazor app, but the approach is valid for other HTTP context state.

> [!NOTE]
Expand Down
2 changes: 1 addition & 1 deletion aspnetcore/blazor/security/server/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -505,7 +505,7 @@ In the following `InjectAuthStateProvider` component:

For more information, see the guidance on <xref:Microsoft.AspNetCore.Components.OwningComponentBase> in <xref:blazor/fundamentals/dependency-injection#owningcomponentbase>.

<!-- HOLD: This content will be discussed with the PU after .NET 8 releases. This is tracked by https://github.com/dotnet/AspNetCore.Docs/issues/28001.
<!-- UPDATE 8.0 This content will be discussed with the PU after .NET 8 releases. This is tracked by https://github.com/dotnet/AspNetCore.Docs/issues/28001.

## Unauthorized content display while prerendering with a custom `AuthenticationStateProvider`

Expand Down
Loading