
Manual Anti-Forgery Token Creation and Validation in ASP.NET 5

I am playing around with ASP vnext and AngularJS. I have set up a Web API, am using some controllers and am using angular to do some web-magic.

I have followed most of this guide to get my project up and running: http://stephenwalther.com/archive/2015/01/29/asp-net-5-and-angularjs-part-6-security

... which works fine. I have set up my db and such and I have things working. I have the identity framework set up too but I am not using it as of yet.

I want to post some data to the WebAPI. Which also works fine, but now I want to do it while using anti forgery tokens. I have googled a lot and I guess this makes the most sense: novablog

However: this uses System.Web.Helpers to create the tokens and validate them. They are not available anymore in vnext. I cannot figure out what to use to create and validate the tokens now.

Any ideas?

Stefan asked Mar 30 '15 18:03


1 Answer

The following is an example from ASP.NET 5's MusicStore sample:

https://github.com/aspnet/MusicStore/blob/master/src/MusicStore/Controllers/ShoppingCartController.cs#L62

Snippet from the above link (note that you can use [FromServices] AntiForgery antiforgery as a parameter to the action if you do not like how the link above does it):

[HttpPost]
public async Task<IActionResult> RemoveFromCart(int id)
{
    var formParameters = await Context.Request.ReadFormAsync();
    var requestVerification = formParameters["RequestVerificationToken"];
    string cookieToken = null;
    string formToken = null;

    if (!string.IsNullOrWhiteSpace(requestVerification))
    {
        var tokens = requestVerification.Split(':');

        if (tokens != null && tokens.Length == 2)
        {
            cookieToken = tokens[0];
            formToken = tokens[1];
        }
    }

    var antiForgery = Context.RequestServices.GetService<AntiForgery>();
    antiForgery.Validate(Context, new AntiForgeryTokenSet(formToken, cookieToken));
    ......
Kiran answered Sep 18 '22 17:09
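The client side of the exchange in the answer above, as an added example that is not part of the original answer or the MusicStore code: it builds the form-encoded body carrying the "cookieToken:formToken" field that RemoveFromCart reads, and mirrors the server-side split so the result can be checked. The function names and token values are assumptions made for illustration, as is how the page obtained the token pair from the server.

```javascript
// Added example. Function names are hypothetical; token values used with
// these functions are constructed placeholders, not real anti-forgery tokens.

// Join the pair the way the action's Split(':') expects: exactly one colon.
function buildVerificationField(cookieToken, formToken) {
  for (const t of [cookieToken, formToken]) {
    if (typeof t !== 'string' || t.trim() === '' || t.includes(':')) {
      throw new Error('token must be a non-empty string without ":"');
    }
  }
  return cookieToken + ':' + formToken;
}

// Form-encode the POST body. The action reads the field with ReadFormAsync,
// so it has to travel as application/x-www-form-urlencoded; AngularJS $http
// serializes object data as JSON by default, which would not carry it there.
function buildPostBody(fields, cookieToken, formToken) {
  const body = new URLSearchParams(fields);
  body.set('RequestVerificationToken',
           buildVerificationField(cookieToken, formToken));
  return body.toString();
}

// Mirror of the action's parsing, to see what the server would extract.
// Returns null where the C# code would leave both tokens null, which then
// makes validation fail.
function parseVerificationField(encodedBody) {
  const value = new URLSearchParams(encodedBody).get('RequestVerificationToken');
  if (value === null || value.trim() === '') return null;
  const parts = value.split(':');
  if (parts.length !== 2) return null;
  return { cookieToken: parts[0], formToken: parts[1] };
}
```

Send the string returned by buildPostBody with the Content-Type header set to application/x-www-form-urlencoded.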