dotnet
diff --git a/Diff for: ‎src/Antiforgery/src/AntiforgeryMiddleware.cs
+130 b/Diff for: ‎src/Antiforgery/src/AntiforgeryMiddleware.cs
+130
diff --git a/Diff for: ‎src/Antiforgery/src/AntiforgeryMiddlewareExtensions.cs
+22 b/Diff for: ‎src/Antiforgery/src/AntiforgeryMiddlewareExtensions.cs
+22
diff --git a/Diff for: ‎src/Antiforgery/src/Internal/DefaultAntiforgery.cs
+15-9 b/Diff for: ‎src/Antiforgery/src/Internal/DefaultAntiforgery.cs
+15-9
diff --git a/Diff for: ‎src/Antiforgery/src/PublicAPI.Unshipped.txt
+2 b/Diff for: ‎src/Antiforgery/src/PublicAPI.Unshipped.txt
+2
diff --git a/Diff for: ‎src/Http/Http.Abstractions/src/Metadata/IAntiforgeryMetadata.cs
+11 b/Diff for: ‎src/Http/Http.Abstractions/src/Metadata/IAntiforgeryMetadata.cs
+11
diff --git a/Diff for: ‎src/Http/Http.Abstractions/src/Metadata/IValidateAntiforgeryMetadata.cs
+15 b/Diff for: ‎src/Http/Http.Abstractions/src/Metadata/IValidateAntiforgeryMetadata.cs
+15
diff --git a/Diff for: ‎src/Http/Http.Abstractions/src/PublicAPI.Unshipped.txt
+3 b/Diff for: ‎src/Http/Http.Abstractions/src/PublicAPI.Unshipped.txt
+3
diff --git a/Diff for: ‎src/Mvc/Mvc.Core/src/ApplicationModels/AntiforgeryApplicationModelProvider.cs
+59 b/Diff for: ‎src/Mvc/Mvc.Core/src/ApplicationModels/AntiforgeryApplicationModelProvider.cs
+59
diff --git a/Diff for: ‎src/Mvc/Mvc.Core/src/DependencyInjection/MvcCoreServiceCollectionExtensions.cs
+2 b/Diff for: ‎src/Mvc/Mvc.Core/src/DependencyInjection/MvcCoreServiceCollectionExtensions.cs
+2
diff --git a/Diff for: ‎src/Mvc/Mvc.ViewFeatures/src/AutoValidateAntiforgeryTokenAttribute.cs
+4-1 b/Diff for: ‎src/Mvc/Mvc.ViewFeatures/src/AutoValidateAntiforgeryTokenAttribute.cs
+4-1
diff --git a/Diff for: ‎src/Mvc/Mvc.ViewFeatures/src/Filters/AutoValidateAntiforgeryTokenAuthorizationFilter.cs
+3-2 b/Diff for: ‎src/Mvc/Mvc.ViewFeatures/src/Filters/AutoValidateAntiforgeryTokenAuthorizationFilter.cs
+3-2
@@ -0,0 +1,130 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.Abstractions.Metadata;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
+
+namespace Microsoft.AspNetCore.Antiforgery;
+
+internal sealed partial class AntiforgeryMiddleware
+{
+    private readonly IAntiforgery _antiforgery;
+    private readonly RequestDelegate _next;
+    private readonly ILogger<AntiforgeryMiddleware> _logger;
+
+    public AntiforgeryMiddleware(IAntiforgery antiforgery, RequestDelegate next, ILogger<AntiforgeryMiddleware> logger)
+    {
+        _antiforgery = antiforgery;
+        _next = next;
+        _logger = logger;
+    }
+
+    public Task Invoke(HttpContext context)
+    {
+        var endpoint = context.GetEndpoint();
+        if (endpoint is null)
+        {
+            return _next(context);
+        }
+
+        var antiforgeryMetadata = endpoint.Metadata.GetMetadata<IAntiforgeryMetadata>();
+        if (antiforgeryMetadata is null)
+        {
+            Log.NoAntiforgeryMetadataFound(_logger);
+            return _next(context);
+        }
+        
+        if (antiforgeryMetadata is not IValidateAntiforgeryMetadata validateAntiforgeryMetadata)
+        {
+            Log.IgnoreAntiforgeryMetadataFound(_logger);
+            return _next(context);
+        }
+
+        if (_antiforgery is DefaultAntiforgery defaultAntiforgery)
+        {
+            var valueTask = defaultAntiforgery.TryValidateAsync(context, validateAntiforgeryMetadata.ValidateIdempotentRequests);
+            if (valueTask.IsCompletedSuccessfully)
+            {
+                var (success, message) = valueTask.GetAwaiter().GetResult();
+                if (success)
+                {
+                    Log.AntiforgeryValidationSucceeded(_logger);
+                    return _next(context);
+                }
+                else
+                {
+                    Log.AntiforgeryValidationFailed(_logger, message);
+                    return WriteAntiforgeryInvalidResponseAsync(context, message);
+                }
+            }
+
+            return TryValidateAsyncAwaited(context, valueTask);
+        }
+        else
+        {
+            return ValidateNonDefaultAntiforgery(context);
+        }
+    }
+
+    private async Task TryValidateAsyncAwaited(HttpContext context, ValueTask<(bool success, string? message)> tryValidateTask)
+    {
+        var (success, message) = await tryValidateTask;
+        if (success)
+        {
+            Log.AntiforgeryValidationSucceeded(_logger);
+            await _next(context);
+        }
+        else
+        {
+            Log.AntiforgeryValidationFailed(_logger, message);
+            await context.Response.WriteAsJsonAsync(new ProblemDetails
+            {
+                Status = StatusCodes.Status400BadRequest,
+                Title = "Antiforgery validation failed",
+                Detail = message,
+            });
+        }
+    }
+
+    private async Task ValidateNonDefaultAntiforgery(HttpContext context)
+    {
+        if (await _antiforgery.IsRequestValidAsync(context))
+        {
+            Log.AntiforgeryValidationSucceeded(_logger);
+            await _next(context);
+        }
+        else
+        { 
+            Log.AntiforgeryValidationFailed(_logger, message: null);
+            await WriteAntiforgeryInvalidResponseAsync(context, message: null);
+        }
+    }
+
+    private static Task WriteAntiforgeryInvalidResponseAsync(HttpContext context, string? message)
+    {
+        context.Response.StatusCode = StatusCodes.Status400BadRequest;
+        return context.Response.WriteAsJsonAsync(new ProblemDetails
+        {
+            Status = StatusCodes.Status400BadRequest,
+            Title = "Antiforgery validation failed",
+            Detail = message,
+        });
+    }
+
+    private static partial class Log
+    {
+        [LoggerMessage(1, LogLevel.Debug, "No antiforgery metadata found on the endpoint.", EventName = "NoAntiforgeryMetadataFound")]
+        public static partial void NoAntiforgeryMetadataFound(ILogger logger);
+
+        [LoggerMessage(2, LogLevel.Debug, $"Antiforgery validation suppressed on endpoint because {nameof(IValidateAntiforgeryMetadata)} was not found.", EventName = "IgnoreAntiforgeryMetadataFound")]
+        public static partial void IgnoreAntiforgeryMetadataFound(ILogger logger);
+
+        [LoggerMessage(3, LogLevel.Debug, "Antiforgery validation completed successfully.", EventName = "AntiforgeryValidationSucceeded")]
+        public static partial void AntiforgeryValidationSucceeded(ILogger logger);
+
+        [LoggerMessage(4, LogLevel.Debug, "Antiforgery validation failed with message '{message}'.", EventName = "AntiforgeryValidationFailed")]
+        public static partial void AntiforgeryValidationFailed(ILogger logger, string? message);
+    }
+}
@@ -0,0 +1,22 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using Microsoft.AspNetCore.Antiforgery;
+using Microsoft.AspNetCore.Cors.Infrastructure;
+
+namespace Microsoft.AspNetCore.Builder;
+
+/// <summary>
+/// The <see cref="IApplicationBuilder"/> extensions for adding Antiforgery middleware support.
+/// </summary>
+public static class AntiforgeryMiddlewareExtensions
+{
+    /// <summary>
+    /// Adds the Antiforgery middleware to the middleware pipeline.
+    /// </summary>
+    /// <param name="app">The <see cref="IApplicationBuilder"/>.</param>
+    /// <returns>A reference to the <paramref name="app"/> after the operation has completed.</returns>
+    public static IApplicationBuilder UseAntiforgery(this IApplicationBuilder app)
+        => app.UseMiddleware<AntiforgeryMiddleware>();
+}
@@ -1,10 +1,8 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using System;
 using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
-using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
@@ -100,35 +98,43 @@ public async Task<bool> IsRequestValidAsync(HttpContext httpContext)
             throw new ArgumentNullException(nameof(httpContext));
         }
 
+        var (result, _) = await TryValidateAsync(httpContext, validateIdempotentRequests: false);
+        return result;
+    }
+
+    internal async ValueTask<(bool success, string? errorMessage)> TryValidateAsync(HttpContext httpContext, bool validateIdempotentRequests)
+    {
         CheckSSLConfig(httpContext);
 
         var method = httpContext.Request.Method;
-        if (HttpMethods.IsGet(method) ||
+        if (
+            !validateIdempotentRequests &&
+            (HttpMethods.IsGet(method) ||
             HttpMethods.IsHead(method) ||
             HttpMethods.IsOptions(method) ||
-            HttpMethods.IsTrace(method))
+            HttpMethods.IsTrace(method)))
         {
             // Validation not needed for these request types.
-            return true;
+            return (true, null);
         }
 
         var tokens = await _tokenStore.GetRequestTokensAsync(httpContext);
         if (tokens.CookieToken == null)
         {
             _logger.MissingCookieToken(_options.Cookie.Name);
-            return false;
+            return (false, "Missing cookie token");
         }
 
         if (tokens.RequestToken == null)
         {
             _logger.MissingRequestToken(_options.FormFieldName, _options.HeaderName);
-            return false;
+            return (false, "Antiforgery token could not be found in the HTTP request.");
         }
 
         // Extract cookie & request tokens
         if (!TryDeserializeTokens(httpContext, tokens, out var deserializedCookieToken, out var deserializedRequestToken))
         {
-            return false;
+            return (false, "Unable to deserialize antiforgery tokens");
         }
 
         // Validate
@@ -147,7 +153,7 @@ public async Task<bool> IsRequestValidAsync(HttpContext httpContext)
             _logger.ValidationFailed(message!);
         }
 
-        return result;
+        return (result, message);
     }
 
     /// <inheritdoc />
 
@@ -1 +1,3 @@
 #nullable enable
+Microsoft.AspNetCore.Builder.AntiforgeryMiddlewareExtensions
+static Microsoft.AspNetCore.Builder.AntiforgeryMiddlewareExtensions.UseAntiforgery(this Microsoft.AspNetCore.Builder.IApplicationBuilder! app) -> Microsoft.AspNetCore.Builder.IApplicationBuilder!
@@ -0,0 +1,11 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Http.Abstractions.Metadata;
+
+/// <summary>
+/// A marker interface which can be used to identify Antiforgery metadata.
+/// </summary>
+public interface IAntiforgeryMetadata
+{
+}
@@ -0,0 +1,15 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Http.Abstractions.Metadata;
+
+/// <summary>
+/// A marker interface which can be used to identify a resource with Antiforgery validation enabled.
+/// </summary>
+public interface IValidateAntiforgeryMetadata : IAntiforgeryMetadata
+{
+    /// <summary>
+    /// Gets a value that determines if idempotent HTTP methods (<c>GET</c>, <c>HEAD</c>, <c>OPTIONS</c> and <c>TRACE</c>) are validated.
+    /// </summary>
+    bool ValidateIdempotentRequests { get; }
+}
@@ -1,3 +1,6 @@
 #nullable enable
 *REMOVED*abstract Microsoft.AspNetCore.Http.HttpResponse.ContentType.get -> string!
+Microsoft.AspNetCore.Http.Abstractions.Metadata.IAntiforgeryMetadata
+Microsoft.AspNetCore.Http.Abstractions.Metadata.IValidateAntiforgeryMetadata
+Microsoft.AspNetCore.Http.Abstractions.Metadata.IValidateAntiforgeryMetadata.ValidateIdempotentRequests.get -> bool
 abstract Microsoft.AspNetCore.Http.HttpResponse.ContentType.get -> string?
@@ -0,0 +1,59 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Linq;
+using Microsoft.AspNetCore.Http.Abstractions.Metadata;
+using Microsoft.AspNetCore.Mvc.Filters;
+using Microsoft.Extensions.Options;
+
+namespace Microsoft.AspNetCore.Mvc.ApplicationModels;
+
+/// <summary>
+/// An <see cref="IApplicationModelProvider"/> that removes antiforgery filters that appears as endpoint metadata.
+/// </summary>
+internal sealed class AntiforgeryApplicationModelProvider : IApplicationModelProvider
+{
+    private readonly MvcOptions _mvcOptions;
+
+    public AntiforgeryApplicationModelProvider(IOptions<MvcOptions> mvcOptions)
+    {
+        _mvcOptions = mvcOptions.Value;
+    }
+
+    // Run late in the pipeline so that we can pick up user configured AntiforgeryTokens.
+    public int Order { get; } = 1000;
+
+    public void OnProvidersExecuted(ApplicationModelProviderContext context)
+    {
+    }
+
+    public void OnProvidersExecuting(ApplicationModelProviderContext context)
+    {
+        if (!_mvcOptions.EnableEndpointRouting)
+        {
+            return;
+        }
+
+        foreach (var controller in context.Result.Controllers)
+        {
+            RemoveAntiforgeryFilters(controller.Filters, controller.Selectors);
+
+            foreach (var action in controller.Actions)
+            {
+                RemoveAntiforgeryFilters(action.Filters, action.Selectors);
+            }
+        }
+    }
+
+    private static void RemoveAntiforgeryFilters(IList<IFilterMetadata> filters, IList<SelectorModel> selectorModels)
+    {
+        for (var i = filters.Count - 1; i >= 0; i--)
+        {
+            if (filters[i] is IAntiforgeryMetadata antiforgeryMetadata &&
+                selectorModels.All(s => s.EndpointMetadata.Contains(antiforgeryMetadata)))
+            {
+                filters.RemoveAt(i);
+            }
+        }
+    }
+}
@@ -160,6 +160,8 @@ internal static void AddMvcCoreServices(IServiceCollection services)
         services.TryAddSingleton<ApplicationModelFactory>();
         services.TryAddEnumerable(
             ServiceDescriptor.Transient<IApplicationModelProvider, DefaultApplicationModelProvider>());
+        services.TryAddEnumerable(
+            ServiceDescriptor.Transient<IApplicationModelProvider, AntiforgeryApplicationModelProvider>());
         services.TryAddEnumerable(
             ServiceDescriptor.Transient<IApplicationModelProvider, ApiBehaviorApplicationModelProvider>());
         services.TryAddEnumerable(
 
@@ -4,6 +4,7 @@
 #nullable enable
 
 using System;
+using Microsoft.AspNetCore.Http.Abstractions.Metadata;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.AspNetCore.Mvc.ViewFeatures.Filters;
 using Microsoft.Extensions.DependencyInjection;
@@ -21,7 +22,7 @@ namespace Microsoft.AspNetCore.Mvc;
 /// a controller or action.
 /// </remarks>
 [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
-public class AutoValidateAntiforgeryTokenAttribute : Attribute, IFilterFactory, IOrderedFilter
+public class AutoValidateAntiforgeryTokenAttribute : Attribute, IFilterFactory, IOrderedFilter, IValidateAntiforgeryMetadata
 {
     /// <summary>
     /// Gets the order value for determining the order of execution of filters. Filters execute in
@@ -44,6 +45,8 @@ public class AutoValidateAntiforgeryTokenAttribute : Attribute, IFilterFactory,
     /// <inheritdoc />
     public bool IsReusable => true;
 
+    bool IValidateAntiforgeryMetadata.ValidateIdempotentRequests => false;
+
     /// <inheritdoc />
     public IFilterMetadata CreateInstance(IServiceProvider serviceProvider)
     {
 
@@ -6,13 +6,14 @@
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 
 namespace Microsoft.AspNetCore.Mvc.ViewFeatures.Filters;
 
 internal class AutoValidateAntiforgeryTokenAuthorizationFilter : ValidateAntiforgeryTokenAuthorizationFilter
 {
-    public AutoValidateAntiforgeryTokenAuthorizationFilter(IAntiforgery antiforgery, ILoggerFactory loggerFactory)
-        : base(antiforgery, loggerFactory)
+    public AutoValidateAntiforgeryTokenAuthorizationFilter(IAntiforgery antiforgery, ILoggerFactory loggerFactory, IOptions<MvcOptions> mvcOptions)
+        : base(antiforgery, loggerFactory, mvcOptions)
     {
     }
Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,8 @@`
`1`	`1`	`// Licensed to the .NET Foundation under one or more agreements.`
`2`	`2`	`// The .NET Foundation licenses this file to you under the MIT license.`
`3`	`3`
`4`		`-using System;`
`5`	`4`	`using System.Diagnostics;`
`6`	`5`	`using System.Diagnostics.CodeAnalysis;`
`7`		`-using System.Threading.Tasks;`
`8`	`6`	`using Microsoft.AspNetCore.Http;`
`9`	`7`	`using Microsoft.Extensions.Logging;`
`10`	`8`	`using Microsoft.Extensions.Options;`
`@@ -100,35 +98,43 @@ public async Task<bool> IsRequestValidAsync(HttpContext httpContext)`
`100`	`98`	`throw new ArgumentNullException(nameof(httpContext));`
`101`	`99`	`}`
`102`	`100`
	`101`	`+ var (result, _) = await TryValidateAsync(httpContext, validateIdempotentRequests: false);`
	`102`	`+ return result;`
	`103`	`+ }`
	`104`	`+`
	`105`	`+ internal async ValueTask<(bool success, string? errorMessage)> TryValidateAsync(HttpContext httpContext, bool validateIdempotentRequests)`
	`106`	`+ {`
`103`	`107`	`CheckSSLConfig(httpContext);`
`104`	`108`
`105`	`109`	`var method = httpContext.Request.Method;`
`106`		`- if (HttpMethods.IsGet(method) \|\|`
	`110`	`+ if (`
	`111`	`+ !validateIdempotentRequests &&`
	`112`	`+ (HttpMethods.IsGet(method) \|\|`
`107`	`113`	`HttpMethods.IsHead(method) \|\|`
`108`	`114`	`HttpMethods.IsOptions(method) \|\|`
`109`		`- HttpMethods.IsTrace(method))`
	`115`	`+ HttpMethods.IsTrace(method)))`
`110`	`116`	`{`
`111`	`117`	`// Validation not needed for these request types.`
`112`		`- return true;`
	`118`	`+ return (true, null);`
`113`	`119`	`}`
`114`	`120`
`115`	`121`	`var tokens = await _tokenStore.GetRequestTokensAsync(httpContext);`
`116`	`122`	`if (tokens.CookieToken == null)`
`117`	`123`	`{`
`118`	`124`	`_logger.MissingCookieToken(_options.Cookie.Name);`
`119`		`- return false;`
	`125`	`+ return (false, "Missing cookie token");`
`120`	`126`	`}`
`121`	`127`
`122`	`128`	`if (tokens.RequestToken == null)`
`123`	`129`	`{`
`124`	`130`	`_logger.MissingRequestToken(_options.FormFieldName, _options.HeaderName);`
`125`		`- return false;`
	`131`	`+ return (false, "Antiforgery token could not be found in the HTTP request.");`
`126`	`132`	`}`
`127`	`133`
`128`	`134`	`// Extract cookie & request tokens`
`129`	`135`	`if (!TryDeserializeTokens(httpContext, tokens, out var deserializedCookieToken, out var deserializedRequestToken))`
`130`	`136`	`{`
`131`		`- return false;`
	`137`	`+ return (false, "Unable to deserialize antiforgery tokens");`
`132`	`138`	`}`
`133`	`139`
`134`	`140`	`// Validate`
`@@ -147,7 +153,7 @@ public async Task<bool> IsRequestValidAsync(HttpContext httpContext)`
`147`	`153`	`_logger.ValidationFailed(message!);`
`148`	`154`	`}`
`149`	`155`
`150`		`- return result;`
	`156`	`+ return (result, message);`
`151`	`157`	`}`
`152`	`158`
`153`	`159`	`/// <inheritdoc />`
Original file line number	Diff line number	Diff line change
`@@ -1 +1,3 @@`
`1`	`1`	`#nullable enable`
	`2`	`+Microsoft.AspNetCore.Builder.AntiforgeryMiddlewareExtensions`
	`3`	`+static Microsoft.AspNetCore.Builder.AntiforgeryMiddlewareExtensions.UseAntiforgery(this Microsoft.AspNetCore.Builder.IApplicationBuilder! app) -> Microsoft.AspNetCore.Builder.IApplicationBuilder!`
Original file line number	Diff line number	Diff line change
`@@ -6,13 +6,14 @@`
`6`	`6`	`using Microsoft.AspNetCore.Http;`
`7`	`7`	`using Microsoft.AspNetCore.Mvc.Filters;`
`8`	`8`	`using Microsoft.Extensions.Logging;`
	`9`	`+using Microsoft.Extensions.Options;`
`9`	`10`
`10`	`11`	`namespace Microsoft.AspNetCore.Mvc.ViewFeatures.Filters;`
`11`	`12`
`12`	`13`	`internal class AutoValidateAntiforgeryTokenAuthorizationFilter : ValidateAntiforgeryTokenAuthorizationFilter`
`13`	`14`	`{`
`14`		`- public AutoValidateAntiforgeryTokenAuthorizationFilter(IAntiforgery antiforgery, ILoggerFactory loggerFactory)`
`15`		`- : base(antiforgery, loggerFactory)`
	`15`	`+ public AutoValidateAntiforgeryTokenAuthorizationFilter(IAntiforgery antiforgery, ILoggerFactory loggerFactory, IOptions<MvcOptions> mvcOptions)`
	`16`	`+ : base(antiforgery, loggerFactory, mvcOptions)`
`16`	`17`	`{`
`17`	`18`	`}`
`18`	`19`