DefaultAntiforgeryStateProvider state persistence doesn't work #50908

Closed
@SteveSandersonMS

DefaultAntiforgeryStateProvider contains the following comment:

        // Automatically flow the Request token to server/wasm through
        // persistent component state. This guarantees that the antiforgery
        // token is available on the interactive components, even when they
        // don't have access to the request.

However, from what I can tell, this will never happen because the logic doesn't work. It will always persist a null value for the token. This is because the value it persists is _currentToken, but that value is never assigned except via a call to TryTakeFromJson. So nothing ever sets an initial non-null value to be persisted. If I'm missing something and this actually does work (though it didn't seem to when I tried it to validate) then sorry!

Broader thoughts:

  • Obviously this indicates some missing E2E tests
  • If neither we nor anyone else has tried to use this for its intended purpose, it suggests maybe the feature isn't required. If that's the case then instead of maintaining support for it forever, we should roll it back until we have clearer evidence that it would really be used in mainstream cases.
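
The failure mode described in this issue, as a self-contained C# model added here; it is not part of the original post and not ASP.NET Core's code. `FakePersistentState`, `Token`, both provider classes, the `"af"` key and the sample token are hypothetical stand-ins, and the second provider is an assumed correction, not the project's fix.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Text.Json;

sealed record Token(string Value);

// Hypothetical stand-in for persistent component state: a JSON key/value bag.
sealed class FakePersistentState
{
    private readonly Dictionary<string, string> _store = new();
    public void PersistAsJson(string key, Token? value) => _store[key] = JsonSerializer.Serialize(value);
    public bool TryTakeFromJson(string key, out Token? value)
    {
        var found = _store.Remove(key, out var json);
        value = found ? JsonSerializer.Deserialize<Token>(json!) : null;
        return found;
    }
}

// Models the logic the issue describes: _currentToken is assigned only by TryTakeFromJson.
class ProviderAsDescribed
{
    protected Token? _currentToken;
    public ProviderAsDescribed(FakePersistentState state) => state.TryTakeFromJson("af", out _currentToken);
    public virtual Token? GetToken() => _currentToken;
    public virtual void Persist(FakePersistentState state) => state.PersistAsJson("af", _currentToken);
}

// Assumed correction (not the project's fix): persist GetToken(), which falls back to the request token.
class ProviderPersistingGetter : ProviderAsDescribed
{
    private readonly Token _requestToken;
    public ProviderPersistingGetter(FakePersistentState s, Token requestToken) : base(s) => _requestToken = requestToken;
    public override Token? GetToken() => _currentToken ?? _requestToken;
    public override void Persist(FakePersistentState state) => state.PersistAsJson("af", GetToken());
}

static class Program
{
    static void Main()
    {
        var token = new Token("constructed-request-token"); // constructed sample value
        var s1 = new FakePersistentState();
        var s2 = new FakePersistentState();
        new ProviderAsDescribed(s1).Persist(s1);             // server side: nothing was restored first
        new ProviderPersistingGetter(s2, token).Persist(s2); // server side: request token is available
        // The interactive side restores from the persisted state in each case.
        Console.WriteLine("as described: " + (new ProviderAsDescribed(s1).GetToken()?.Value ?? "<null>"));
        Console.WriteLine("assumed fix:  " + (new ProviderAsDescribed(s2).GetToken()?.Value ?? "<null>"));
    }
}
```

An end-to-end test of the kind the issue says is missing would assert on exactly this round trip: the token restored on the interactive side must equal the request token, not null.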

Labels: area-blazor (Includes: Blazor, Razor Components)