Playing around with validation in SignalR

BrennanConroy · BrennanConroy · commit d803d95a6685 · 2025-03-13T18:42:01.000-07:00
diff --git a/src/SignalR/samples/SignalRSamples/Hubs/Chat.cs b/src/SignalR/samples/SignalRSamples/Hubs/Chat.cs
@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.ComponentModel.DataAnnotations;
 using Microsoft.AspNetCore.SignalR;
 
 namespace SignalRSamples.Hubs;
@@ -19,7 +20,7 @@ public override Task OnDisconnectedAsync(Exception exception)
         return Clients.All.SendAsync("Send", $"{name} left the chat");
     }
 
-    public Task Send(string name, string message)
+    public Task Send([StringLength(10)] string name, [Required] string message)
     {
         return Clients.All.SendAsync("Send", $"{name}: {message}");
     }
diff --git a/src/SignalR/samples/SignalRSamples/Startup.cs b/src/SignalR/samples/SignalRSamples/Startup.cs
@@ -21,6 +21,8 @@ public void ConfigureServices(IServiceCollection services)
         services.AddSignalR()
         .AddMessagePackProtocol();
         //.AddStackExchangeRedis();
+
+        services.AddValidation();
     }
 
     // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
diff --git a/src/SignalR/server/Core/src/HubConnectionHandler.cs b/src/SignalR/server/Core/src/HubConnectionHandler.cs
@@ -5,6 +5,7 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Linq;
 using Microsoft.AspNetCore.Connections;
+using Microsoft.AspNetCore.Http.Validation;
 using Microsoft.AspNetCore.SignalR.Internal;
 using Microsoft.AspNetCore.SignalR.Protocol;
 using Microsoft.Extensions.DependencyInjection;
@@ -52,7 +53,8 @@ public HubConnectionHandler(HubLifetimeManager<THub> lifetimeManager,
                                 IOptions<HubOptions<THub>> hubOptions,
                                 ILoggerFactory loggerFactory,
                                 IUserIdProvider userIdProvider,
-                                IServiceScopeFactory serviceScopeFactory
+                                IServiceScopeFactory serviceScopeFactory,
+                                IOptions<ValidationOptions>? validationOptions
     )
     {
         _protocolResolver = protocolResolver;
@@ -101,7 +103,8 @@ IServiceScopeFactory serviceScopeFactory
             disableImplicitFromServiceParameters,
             new Logger<DefaultHubDispatcher<THub>>(loggerFactory),
             hubFilters,
-            lifetimeManager);
+            lifetimeManager,
+            validationOptions?.Value);
     }
 
     /// <inheritdoc />
diff --git a/src/SignalR/server/Core/src/Internal/DefaultHubDispatcher.cs b/src/SignalR/server/Core/src/Internal/DefaultHubDispatcher.cs
@@ -1,19 +1,23 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.ComponentModel.DataAnnotations;
 using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
 using System.Linq;
 using System.Reflection;
 using System.Security.Claims;
+using System.Text.Json;
 using System.Threading.Channels;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http.Validation;
 using Microsoft.AspNetCore.Internal;
 using Microsoft.AspNetCore.Shared;
 using Microsoft.AspNetCore.SignalR.Protocol;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Internal;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 using Log = Microsoft.AspNetCore.SignalR.Internal.DefaultHubDispatcherLog;
 
 namespace Microsoft.AspNetCore.SignalR.Internal;
@@ -32,6 +36,7 @@ internal sealed partial class DefaultHubDispatcher<[DynamicallyAccessedMembers(H
     private readonly Func<HubLifetimeContext, Task>? _onConnectedMiddleware;
     private readonly Func<HubLifetimeContext, Exception?, Task>? _onDisconnectedMiddleware;
     private readonly HubLifetimeManager<THub> _hubLifetimeManager;
+    private readonly ValidationOptions? _validationOptions;
 
     [FeatureSwitchDefinition("Microsoft.AspNetCore.SignalR.Hub.IsCustomAwaitableSupported")]
     [FeatureGuard(typeof(RequiresDynamicCodeAttribute))]
@@ -40,13 +45,15 @@ internal sealed partial class DefaultHubDispatcher<[DynamicallyAccessedMembers(H
         AppContext.TryGetSwitch("Microsoft.AspNetCore.SignalR.Hub.IsCustomAwaitableSupported", out bool customAwaitableSupport) ? customAwaitableSupport : true;
 
     public DefaultHubDispatcher(IServiceScopeFactory serviceScopeFactory, IHubContext<THub> hubContext, bool enableDetailedErrors,
-        bool disableImplicitFromServiceParameters, ILogger<DefaultHubDispatcher<THub>> logger, List<IHubFilter>? hubFilters, HubLifetimeManager<THub> lifetimeManager)
+        bool disableImplicitFromServiceParameters, ILogger<DefaultHubDispatcher<THub>> logger, List<IHubFilter>? hubFilters, HubLifetimeManager<THub> lifetimeManager,
+        ValidationOptions? validationOptions)
     {
         _serviceScopeFactory = serviceScopeFactory;
         _hubContext = hubContext;
         _enableDetailedErrors = enableDetailedErrors;
         _logger = logger;
         _hubLifetimeManager = lifetimeManager;
+        _validationOptions = validationOptions;
         DiscoverHubMethods(disableImplicitFromServiceParameters);
 
         var count = hubFilters?.Count ?? 0;
@@ -343,6 +350,11 @@ await SendInvocationError(hubMethodInvocationMessage.InvocationId, connection,
                 return true;
             }
 
+            if (!await ValidateArguments(descriptor, hubMethodInvocationMessage, connection))
+            {
+                return true;
+            }
+
             try
             {
                 var clientStreamLength = hubMethodInvocationMessage.StreamIds?.Length ?? 0;
@@ -687,6 +699,41 @@ private static async Task<bool> IsHubMethodAuthorizedSlow(IServiceProvider provi
         return authorizationResult.Succeeded;
     }
 
+    private async Task<bool> ValidateArguments(HubMethodDescriptor hubMethodDescriptor, HubMethodInvocationMessage hubMethodInvocationMessage, HubConnectionContext connection)
+    {
+        if (_validationOptions == null || _validationOptions.Resolvers.Count == 0)
+        {
+            return true;
+        }
+
+        var validateContext = new ValidateContext()
+        {
+            ValidationOptions = _validationOptions,
+            CurrentValidationPath = $"{_fullHubName}.{hubMethodInvocationMessage.Target}",
+        };
+
+        for (var i = 0; i < hubMethodDescriptor.ParameterInfos.Count; i++)
+        {
+            validateContext.ValidationContext = new ValidationContext(hubMethodInvocationMessage.Arguments[i], serviceProvider: null, items: null)
+            {
+                DisplayName = hubMethodDescriptor.ParameterInfos[i].Name,
+            };
+            if (_validationOptions.TryGetValidatableParameterInfo(hubMethodDescriptor.ParameterInfos[i], out var parameterValidator))
+            {
+                await parameterValidator.ValidateAsync(hubMethodInvocationMessage.Arguments[i], validateContext, default);
+            }
+        }
+
+        if (validateContext.ValidationErrors is { Count: > 0 })
+        {
+            await SendInvocationError(hubMethodInvocationMessage.InvocationId, connection,
+                    $"Failed to invoke '{hubMethodInvocationMessage.Target}' because of validation errors: {JsonSerializer.Serialize(validateContext.ValidationErrors)}");
+            return false;
+        }
+
+        return true;
+    }
+
     private async Task<bool> ValidateInvocationMode(HubMethodDescriptor hubMethodDescriptor, bool isStreamResponse,
         HubMethodInvocationMessage hubMethodInvocationMessage, HubConnectionContext connection)
     {
diff --git a/src/SignalR/server/Core/src/Internal/HubMethodDescriptor.cs b/src/SignalR/server/Core/src/Internal/HubMethodDescriptor.cs
@@ -58,7 +58,7 @@ public HubMethodDescriptor(ObjectMethodExecutor methodExecutor, IServiceProvider
         }
 
         // Take out synthetic arguments that will be provided by the server, this list will be given to the protocol parsers
-        ParameterTypes = methodExecutor.MethodParameters.Where((p, index) =>
+        ParameterInfos = methodExecutor.MethodParameters.Where((p, index) =>
         {
             // Only streams can take CancellationTokens currently
             if (IsStreamResponse && p.ParameterType == typeof(CancellationToken))
@@ -134,7 +134,9 @@ void ThrowIfMarked(bool marked)
             }
 
             return true;
-        }).Select(p => p.ParameterType).ToArray();
+        }).ToArray();
+
+        ParameterTypes = ParameterInfos.Select(p => p.ParameterType).ToArray();
 
         if (HasSyntheticArguments)
         {
@@ -164,6 +166,8 @@ private bool MarkServiceParameter(int index)
 
     public IReadOnlyList<Type> ParameterTypes { get; }
 
+    public IReadOnlyList<ParameterInfo> ParameterInfos { get; }
+
     public IReadOnlyList<Type>? OriginalParameterTypes { get; }
 
     public Type NonAsyncReturnType { get; }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`// Licensed to the .NET Foundation under one or more agreements.`
`2`	`2`	`// The .NET Foundation licenses this file to you under the MIT license.`
`3`	`3`
	`4`	`+using System.ComponentModel.DataAnnotations;`
`4`	`5`	`using Microsoft.AspNetCore.SignalR;`
`5`	`6`
`6`	`7`	`namespace SignalRSamples.Hubs;`
`@@ -19,7 +20,7 @@ public override Task OnDisconnectedAsync(Exception exception)`
`19`	`20`	`return Clients.All.SendAsync("Send", $"{name} left the chat");`
`20`	`21`	`}`
`21`	`22`
`22`		`- public Task Send(string name, string message)`
	`23`	`+ public Task Send([StringLength(10)] string name, [Required] string message)`
`23`	`24`	`{`
`24`	`25`	`return Clients.All.SendAsync("Send", $"{name}: {message}");`
`25`	`26`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,8 @@ public void ConfigureServices(IServiceCollection services)`
`21`	`21`	`services.AddSignalR()`
`22`	`22`	`.AddMessagePackProtocol();`
`23`	`23`	`//.AddStackExchangeRedis();`
	`24`	`+`
	`25`	`+ services.AddValidation();`
`24`	`26`	`}`
`25`	`27`
`26`	`28`	`// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.`
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ public HubMethodDescriptor(ObjectMethodExecutor methodExecutor, IServiceProvider`
`58`	`58`	`}`
`59`	`59`
`60`	`60`	`// Take out synthetic arguments that will be provided by the server, this list will be given to the protocol parsers`
`61`		`- ParameterTypes = methodExecutor.MethodParameters.Where((p, index) =>`
	`61`	`+ ParameterInfos = methodExecutor.MethodParameters.Where((p, index) =>`
`62`	`62`	`{`
`63`	`63`	`// Only streams can take CancellationTokens currently`
`64`	`64`	`if (IsStreamResponse && p.ParameterType == typeof(CancellationToken))`
`@@ -134,7 +134,9 @@ void ThrowIfMarked(bool marked)`
`134`	`134`	`}`
`135`	`135`
`136`	`136`	`return true;`
`137`		`- }).Select(p => p.ParameterType).ToArray();`
	`137`	`+ }).ToArray();`
	`138`	`+`
	`139`	`+ ParameterTypes = ParameterInfos.Select(p => p.ParameterType).ToArray();`
`138`	`140`
`139`	`141`	`if (HasSyntheticArguments)`
`140`	`142`	`{`
`@@ -164,6 +166,8 @@ private bool MarkServiceParameter(int index)`
`164`	`166`
`165`	`167`	`public IReadOnlyList<Type> ParameterTypes { get; }`
`166`	`168`
	`169`	`+ public IReadOnlyList<ParameterInfo> ParameterInfos { get; }`
	`170`	`+`
`167`	`171`	`public IReadOnlyList<Type>? OriginalParameterTypes { get; }`
`168`	`172`
`169`	`173`	`public Type NonAsyncReturnType { get; }`