-
Notifications
You must be signed in to change notification settings - Fork 10.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
# Ensure antiforgery token flows to Blazor WebAssembly The change makes sure that we persist the Antiforgery token during prerendering so that it is available to WebAssembly components. ## Description * When using cookie authentication it is necessary to use antiforgery protection to prevent cross-site request forgery attacks. * Blazor Webassembly interactive components must get access to the request antiforgery token to attach it to any outgoing API call. * The antiforgery request token was not flowing from the server to the client correctly. * This change enables calling APIs from web assembly to the server safely. Fixes #50900 ## Customer Impact .NET 8.0 customers who have created Blazor Web Apps will fail to call APIs from webassembly components, as they won't be able to attach the required antiforgery token. ## Regression? - [ ] Yes - [X] No [If yes, specify the version the behavior has regressed from] ## Risk - [ ] High - [ ] Medium - [X] Low The fix is simple and we added an E2E test to cover the scenario. ## Verification - [ ] Manual (required) - [X] Automated ## Packaging changes reviewed? - [ ] Yes - [ ] No - [X] N/A ---- ## When servicing release/2.1 - [ ] Make necessary changes in eng/PatchConfig.props
- Loading branch information
Showing
6 changed files
with
100 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
4 changes: 4 additions & 0 deletions
4
...ents.TestServer/RazorComponents/Pages/Forms/FormRunningOnWasmCanUseAntiforgeryToken.razor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| @page "/forms/antiforgery-wasm" | ||
| <h3>FormRunningOnWasmCanUseAntiforgeryToken</h3> | ||
|
|
||
| <TestContentPackage.WasmFormComponent/> |
74 changes: 74 additions & 0 deletions
74
src/Components/test/testassets/TestContentPackage/WasmFormComponent.razor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,74 @@ | ||
| @attribute [RenderModeInteractiveWebAssembly] | ||
| @using Microsoft.AspNetCore.Components.Forms | ||
| @using System.Net.Http | ||
| <h3>WasmFormComponent</h3> | ||
|
|
||
| <form @formname="WasmForm" @onsubmit="SubmitForm"> | ||
| <input id="Value" @bind="_value" name="Value" /> | ||
| @if (OperatingSystem.IsBrowser()) | ||
| { | ||
| <input id="send" type="submit" value="Send" /> | ||
| } | ||
| <AntiforgeryToken /> | ||
| </form> | ||
|
|
||
| @if (_posted) | ||
| { | ||
| @if (_succeeded) | ||
| { | ||
| <p id="pass">Posting the value succeded.</p> | ||
| } | ||
| else | ||
| { | ||
| <p>Posting the value failed.</p> | ||
| } | ||
| } | ||
| else | ||
| { | ||
| <p>Antiforgery: @_token</p> | ||
| } | ||
|
|
||
| @code { | ||
| string _value; | ||
| string _token; | ||
| bool _succeeded; | ||
| bool _posted; | ||
|
|
||
| [Inject] public AntiforgeryStateProvider AntiforgeryState { get; set; } | ||
| [Inject] public NavigationManager Navigation { get; set; } | ||
|
|
||
| protected override void OnInitialized() | ||
| { | ||
| if (OperatingSystem.IsBrowser()) | ||
| { | ||
| var antiforgery = AntiforgeryState.GetAntiforgeryToken(); | ||
| _token = antiforgery.Value; | ||
| } | ||
| } | ||
|
|
||
| private async Task SubmitForm() | ||
| { | ||
| if (OperatingSystem.IsBrowser()) | ||
| { | ||
| var client = new HttpClient() { BaseAddress = new Uri(Navigation.BaseUri) }; | ||
| var antiforgery = AntiforgeryState.GetAntiforgeryToken(); | ||
| if (antiforgery != null) | ||
| { | ||
| _posted = true; | ||
| var request = new HttpRequestMessage(HttpMethod.Post, "api/antiforgery-form"); | ||
| var content = new FormUrlEncodedContent(new KeyValuePair<string, string>[] { new ("Value", _value) }); | ||
| request.Content = content; | ||
| request.Headers.Add("RequestVerificationToken", antiforgery.Value); | ||
| var response = await client.SendAsync(request); | ||
| if (response.IsSuccessStatusCode) | ||
| { | ||
| _succeeded = true; | ||
| } | ||
| else | ||
| { | ||
| _succeeded = false; | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } |