Allow user to specify antiforgery request token source

[MaceWindu]

Allow user to specify antiforgery request token source

• You've read the Contributor Guide and Code of Conduct.
• You've included unit or integration tests for your change, where applicable.
• You've included inline docs for your change, where applicable.
• There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Description

Currently default antiforgery implementation looks for antiforgery request token in header and when it is not found looks for token in request body (only for form requests).

This PR adds global and endpoint-level option to specify where to look for token. This is especialy useful when you want to prevent default antiforgery from reading request body as it could lead to:

• performance issues on large requests (forms with file uploads)
• request body stream cannot be read twice and will result in failure from custom request parser

Fixes #51912

Note that I've added both global and endpoint-level options. If we decide to keep only one, I will remove second.

[ghost]

Thanks for your PR, @MaceWindu. Someone from the team will get assigned to your PR shortly and we'll get it reviewed.

[MaceWindu]

Mock context doesn't have Features initialized. It is now needed to endpoint-level source configuration. Some mocked tests in other projects could probably fail for same reason as I run tests only for Antiforgery project

[MaceWindu]

BTW, it looks like documentation bug to me as there is no property setter to make it "Gets or sets"

[mkArtakMSFT]

Thanks for your PR, @MaceWindu.
@halter73 can you please review this? Thanks!

[javiercn]

Overall the change looks good, but needs more integration tests. It is hard to asses the correctness of the change based on the tests in DefaultAntiforgeryTokenStore and this kind of change warrants some tests here

We need to make sure we cover the following combos:

• HeaderOrBody (Token present / Token not present) -> (should already be covered by existing tests, point them on the PR if possible).
• HeaderOnly (Token present / Token not present) -> This is the new behavior, so we need to get a clear understanding that the implementation matches our expectations.
  • We should only check the header during validation, but nothing should change for generation.
• Body only (Token present / Token not present) -> This should match the current semantics and skip the header altogether.

This also needs to go through API review @halter73.

[MaceWindu]

It is hard to asses the correctness of the change based on the tests in DefaultAntiforgeryTokenStore and this kind of change warrants some tests here

Could you provide more details on expected tests? I don't see how AntiforgeryMiddlewareTest related to this change as it tests how AntiforgeryMiddleware interacts with IAntiforgery interface using mocks and don't use any code from this PR. All tests for affected functionality as I can see located in DefaultAntiforgeryTokenStoreTest

HeaderOrBody (Token present / Token not present) -> (should already be covered by existing tests, point them on the PR if possible).

• with token: GetRequestTokens_HeaderTokenTakensPriority_OverFormToken
• without: GetRequestTokens_BothHeaderValueAndFormFieldsEmpty_ReturnsNullTokens

HeaderOnly (Token present / Token not present) -> This is the new behavior, so we need to get a clear understanding that the implementation matches our expectations.

• with token: added GetRequestTokens_FormTokenDisabled_ReturnsHeaderToken
• without: GetRequestTokens_FormTokenDisabled_ReturnsNullToken

We should only check the header during validation, but nothing should change for generation.

what kind of test you expect here?

Body only (Token present / Token not present) -> This should match the current semantics and skip the header altogether.
added GetRequestTokens_FormTokenDisabled_ReturnsHeaderToken test

• with token: GetRequestTokens_HeaderTokenDisabled_FallsBackToFormToken, added GetRequestTokens_HeaderTokenDisabled_ReturnsFormToken
• without: added GetRequestTokens_HeaderTokenDisabled_ReturnsNull

[ghost]

Looks like this PR hasn't been active for some time and the codebase could have been changed in the meantime.
To make sure no conflicting changes have occurred, please rerun validation before merging. You can do this by leaving an /azp run comment here (requires commit rights), or by simply closing and reopening.

[halter73]

This also needs to go through API review @halter73.

@MaceWindu do you mind filling out and submitting the API proposal issue template for the new public AntiforgeryRequestTokenSource flags enum and the corresponding RequestTokenSource properties on AntiforgeryOptions and RequireAntiforgeryTokenAttribute? You can look at api-approved labeled issues for more examples.

[halter73]

Should we just make this nullable so anyone can determine the difference between unconfigured and explicitly HeaderOrFormBody? Then we can go back to just using auto properties.

[MaceWindu]

That was initial design, but such types are not supported by metadata

[MaceWindu]

@halter73 done #52281

[halter73]

What if you have something like this?

[RequireAntiforgeryToken(RequestTokenSource = AntiforgeryRequestTokenSource.Header)]
public class MyController
{
    [HttpPost]
    [RequireAntiforgeryToken]
    public IActionResult Post() { ... }
}

Based on this line, it looks like it will resolve the most specific RequireAntiforgeryTokenAttribute which would be the one on the Post() method and see that the RequestTokenSourceValue == null and fall back to _options.RequestTokenSource which is HeaderOrFormBody when it ought to be using Header as specified by the attribute on MyController.

[MaceWindu]

I will look into this scenario

[MaceWindu]

@halter73, code updated to latest API design

[halter73]

Thank you @MaceWindu!