Check ABP's antiforgery cookie to determine the validation logic.

framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpAntiForgeryCookieNameProvider.cs

@@ -4,12 +4,12 @@ using Volo.Abp.DependencyInjection;
 
 namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
 {
-    public class AbpAntiForgeryAuthCookieNameProvider : ITransientDependency
+    public class AbpAntiForgeryCookieNameProvider : ITransientDependency
     {
         private readonly IOptionsSnapshot<CookieAuthenticationOptions> _namedOptionsAccessor;
         private readonly AbpAntiForgeryOptions _abpAntiForgeryOptions;
 
-        public AbpAntiForgeryAuthCookieNameProvider(
+        public AbpAntiForgeryCookieNameProvider(
             IOptionsSnapshot<CookieAuthenticationOptions> namedOptionsAccessor,
             IOptions<AbpAntiForgeryOptions> abpAntiForgeryOptions)
         {
@@ -17,9 +17,14 @@ namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
             _abpAntiForgeryOptions = abpAntiForgeryOptions.Value;
         }
 
-        public virtual string GetNameOrNull()
+        public virtual string GetAuthCookieNameOrNull()
         {
             return _namedOptionsAccessor.Get(_abpAntiForgeryOptions.AuthCookieSchemaName)?.Cookie?.Name;
         }
+
+        public virtual string GetAntiForgeryCookieNameOrNull()
+        {
+            return _abpAntiForgeryOptions.TokenCookie.Name;
+        }
     }
 }

framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpAutoValidateAntiforgeryTokenAuthorizationFilter.cs

@@ -2,29 +2,24 @@ using System;
 using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Options;
 using Volo.Abp.DependencyInjection;
 
 namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
 {
     public class AbpAutoValidateAntiforgeryTokenAuthorizationFilter : AbpValidateAntiforgeryTokenAuthorizationFilter, ITransientDependency
     {
-        private readonly AntiforgeryOptions _antiforgeryOptions;
-        private readonly AbpAntiForgeryAuthCookieNameProvider _antiForgeryAuthCookieNameProvider;
+        private readonly AbpAntiForgeryCookieNameProvider _antiForgeryCookieNameProvider;
 
         public AbpAutoValidateAntiforgeryTokenAuthorizationFilter(
             IAntiforgery antiforgery,
-            IOptions<AntiforgeryOptions> antiforgeryOptions,
-            AbpAntiForgeryAuthCookieNameProvider antiForgeryAuthCookieNameProvider,
+            AbpAntiForgeryCookieNameProvider antiForgeryCookieNameProvider,
             ILogger<AbpValidateAntiforgeryTokenAuthorizationFilter> logger)
             : base(
                 antiforgery,
-                antiforgeryOptions,
-                antiForgeryAuthCookieNameProvider,
+                antiForgeryCookieNameProvider,
                 logger)
         {
-            _antiForgeryAuthCookieNameProvider = antiForgeryAuthCookieNameProvider;
-            _antiforgeryOptions = antiforgeryOptions.Value;
+            _antiForgeryCookieNameProvider = antiForgeryCookieNameProvider;
         }
 
         protected override bool ShouldValidate(AuthorizationFilterContext context)
@@ -34,7 +29,7 @@ namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
                 return false;
             }
 
-            var authCookieName = _antiForgeryAuthCookieNameProvider.GetNameOrNull();
+            var authCookieName = _antiForgeryCookieNameProvider.GetAuthCookieNameOrNull();
 
             //Always perform antiforgery validation when request contains authentication cookie
             if (authCookieName != null &&
@@ -43,10 +38,13 @@ namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
                 return true;
             }
 
+            var antiForgeryCookieName = _antiForgeryCookieNameProvider.GetAntiForgeryCookieNameOrNull();
+
             //No need to validate if antiforgery cookie is not sent.
             //That means the request is sent from a non-browser client.
             //See https://github.com/aspnet/Antiforgery/issues/115
-            if (!context.HttpContext.Request.Cookies.ContainsKey(_antiforgeryOptions.Cookie.Name))
+            if (antiForgeryCookieName != null &&
+                !context.HttpContext.Request.Cookies.ContainsKey(antiForgeryCookieName))
             {
                 return false;
             }

framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpValidateAntiforgeryTokenAuthorizationFilter.cs

@@ -5,7 +5,6 @@ using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.AspNetCore.Mvc.ViewFeatures;
 using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Options;
 using Volo.Abp.DependencyInjection;
 
 namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
@@ -13,20 +12,17 @@ namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
     public class AbpValidateAntiforgeryTokenAuthorizationFilter : IAsyncAuthorizationFilter, IAntiforgeryPolicy, ITransientDependency
     {
         private IAntiforgery _antiforgery;
-        private readonly AntiforgeryOptions _antiforgeryOptions;
-        private readonly AbpAntiForgeryAuthCookieNameProvider _antiForgeryAuthCookieNameProvider;
+        private readonly AbpAntiForgeryCookieNameProvider _antiForgeryCookieNameProvider;
         private readonly ILogger<AbpValidateAntiforgeryTokenAuthorizationFilter> _logger;
 
         public AbpValidateAntiforgeryTokenAuthorizationFilter(
             IAntiforgery antiforgery,
-            IOptions<AntiforgeryOptions> antiforgeryOptions,
-            AbpAntiForgeryAuthCookieNameProvider antiForgeryAuthCookieNameProvider,
+            AbpAntiForgeryCookieNameProvider antiForgeryCookieNameProvider,
             ILogger<AbpValidateAntiforgeryTokenAuthorizationFilter> logger)
         {
             _antiforgery = antiforgery;
-            _antiforgeryOptions = antiforgeryOptions.Value;
             _logger = logger;
-            _antiForgeryAuthCookieNameProvider = antiForgeryAuthCookieNameProvider;
+            _antiForgeryCookieNameProvider = antiForgeryCookieNameProvider;
         }
 
         public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
@@ -63,7 +59,7 @@ namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
                 return false;
             }
 
-            var authCookieName = _antiForgeryAuthCookieNameProvider.GetNameOrNull();
+            var authCookieName = _antiForgeryCookieNameProvider.GetAuthCookieNameOrNull();
 
             //Always perform antiforgery validation when request contains authentication cookie
             if (authCookieName != null &&
@@ -72,10 +68,13 @@ namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
                 return true;
             }
 
+            var antiForgeryCookieName = _antiForgeryCookieNameProvider.GetAntiForgeryCookieNameOrNull();
+
             //No need to validate if antiforgery cookie is not sent.
             //That means the request is sent from a non-browser client.
             //See https://github.com/aspnet/Antiforgery/issues/115
-            if (!context.HttpContext.Request.Cookies.ContainsKey(_antiforgeryOptions.Cookie.Name))
+            if (antiForgeryCookieName != null &&
+                !context.HttpContext.Request.Cookies.ContainsKey(antiForgeryCookieName))
             {
                 return false;
             }