Add antiforgery token to the HTTP request headers for the Blazor UI

5 years ago · 3a7309705f
parent e0afff836d
commit 3a7309705f
1 changed files with 32 additions and 1 deletions
--- a/framework/src/Volo.Abp.AspNetCore.Components.WebAssembly/Volo/Abp/AspNetCore/Components/WebAssembly/AbpBlazorClientHttpMessageHandler.cs
+++ b/framework/src/Volo.Abp.AspNetCore.Components.WebAssembly/Volo/Abp/AspNetCore/Components/WebAssembly/AbpBlazorClientHttpMessageHandler.cs
@ -3,6 +3,7 @@ using System.Net.Http;
 using System.Net.Http.Headers;
 using System.Threading;
 using System.Threading.Tasks;
+using Microsoft.Extensions.Configuration;
 using Microsoft.JSInterop;
 using Volo.Abp.DependencyInjection;

@ -12,14 +13,28 @@ namespace Volo.Abp.AspNetCore.Components.WebAssembly
    {
        private readonly IJSRuntime _jsRuntime;

-        public AbpBlazorClientHttpMessageHandler(IJSRuntime jsRuntime)
+        private readonly ICookieService _cookieService;
+
+        private readonly IConfiguration _configuration;
+
+        private const string AntiForgeryCookieName = "XSRF-TOKEN";
+
+        private const string AntiForgeryHeaderName = "RequestVerificationToken";
+
+        public AbpBlazorClientHttpMessageHandler(
+            IJSRuntime jsRuntime,
+            ICookieService cookieService,
+            IConfiguration configuration)
        {
            _jsRuntime = jsRuntime;
+            _cookieService = cookieService;
+            _configuration = configuration;
        }

        protected async override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
        {
            await SetLanguageAsync(request, cancellationToken);
+            await SetAntiForgeryTokenAsync(request);

            return await base.SendAsync(request, cancellationToken);
        }
@ -38,5 +53,21 @@ namespace Volo.Abp.AspNetCore.Components.WebAssembly
                request.Headers.AcceptLanguage.Add(new StringWithQualityHeaderValue(selectedLanguage));
            }
        }
+
+        private async Task SetAntiForgeryTokenAsync(HttpRequestMessage request)
+        {
+            var selfUri = new Uri(_configuration["App:SelfUrl"]);
+
+            if (request.Method == HttpMethod.Get || request.Method == HttpMethod.Head || request.RequestUri.Host != selfUri.Host || request.RequestUri.Port != selfUri.Port)
+            {
+                return;
+            }
+
+            var token = await _cookieService.GetAsync(AntiForgeryCookieName);
+            if (!token.IsNullOrWhiteSpace())
+            {
+                request.Headers.Add(AntiForgeryHeaderName, token);
+            }
+        }
    }
 }