From e58842c8d6f4eaf7a8b613d0ebe238f2513b1fc4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Halil=20=C4=B0brahim=20Kalkan?=
Date: Wed, 7 Oct 2020 14:38:02 +0300
Subject: [PATCH] Check ABP's antiforgery cookie to determine the validation logic.
---
 ...cs => AbpAntiForgeryCookieNameProvider.cs} | 11 +++++++---
 ...dateAntiforgeryTokenAuthorizationFilter.cs | 20 +++++++++----------
 ...dateAntiforgeryTokenAuthorizationFilter.cs | 17 ++++++++--------
 3 files changed, 25 insertions(+), 23 deletions(-)
 rename framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/{AbpAntiForgeryAuthCookieNameProvider.cs => AbpAntiForgeryCookieNameProvider.cs} (70%)
diff --git a/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpAntiForgeryAuthCookieNameProvider.cs b/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpAntiForgeryCookieNameProvider.cs
similarity index 70%
rename from framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpAntiForgeryAuthCookieNameProvider.cs
rename to framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpAntiForgeryCookieNameProvider.cs
index 6cd18c82a4..fa51d168d6 100644
--- a/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpAntiForgeryAuthCookieNameProvider.cs
+++ b/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpAntiForgeryCookieNameProvider.cs
@@ -4,12 +4,12 @@ using Volo.Abp.DependencyInjection;
 namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
 {
- public class AbpAntiForgeryAuthCookieNameProvider : ITransientDependency
+ public class AbpAntiForgeryCookieNameProvider : ITransientDependency
 {
 private readonly IOptionsSnapshot _namedOptionsAccessor;
 private readonly AbpAntiForgeryOptions _abpAntiForgeryOptions;
- public AbpAntiForgeryAuthCookieNameProvider(
+ public AbpAntiForgeryCookieNameProvider(
 IOptionsSnapshot namedOptionsAccessor,
 IOptions abpAntiForgeryOptions)
 {
@@ -17,9 +17,14 @@ namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
 _abpAntiForgeryOptions = abpAntiForgeryOptions.Value;
 }
- public virtual string GetNameOrNull()
+ public virtual string GetAuthCookieNameOrNull()
 {
 return _namedOptionsAccessor.Get(_abpAntiForgeryOptions.AuthCookieSchemaName)?.Cookie?.Name;
 }
+
+ public virtual string GetAntiForgeryCookieNameOrNull()
+ {
+ return _abpAntiForgeryOptions.TokenCookie.Name;
+ }
 }
 }
diff --git a/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpAutoValidateAntiforgeryTokenAuthorizationFilter.cs b/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpAutoValidateAntiforgeryTokenAuthorizationFilter.cs
index c0dbcd246a..8858058375 100644
--- a/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpAutoValidateAntiforgeryTokenAuthorizationFilter.cs
+++ b/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpAutoValidateAntiforgeryTokenAuthorizationFilter.cs
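Review bot: GetAntiForgeryCookieNameOrNull dereferences `_abpAntiForgeryOptions.TokenCookie` unconditionally, so the only null it can ever return is a null Name; a null TokenCookie throws instead, unlike the sibling GetAuthCookieNameOrNull a few lines up, which null-propagates with `?.` all the way. If AbpAntiForgeryOptions does not guarantee TokenCookie is set (its definition is not in this patch), `return _abpAntiForgeryOptions.TokenCookie?.Name;` makes the method live up to its name; if it does guarantee it, the name is merely over-cautious. Either way a short XML summary stating that this is ABP's token cookie, distinct from the authentication cookie the other method reports, would help, because both filters in this patch decide whether to skip validation based on the answer.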
@@ -2,29 +2,24 @@ using System;
 using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Options;
 using Volo.Abp.DependencyInjection;
 namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
 {
 public class AbpAutoValidateAntiforgeryTokenAuthorizationFilter : AbpValidateAntiforgeryTokenAuthorizationFilter, ITransientDependency
 {
- private readonly AntiforgeryOptions _antiforgeryOptions;
- private readonly AbpAntiForgeryAuthCookieNameProvider _antiForgeryAuthCookieNameProvider;
+ private readonly AbpAntiForgeryCookieNameProvider _antiForgeryCookieNameProvider;
 public AbpAutoValidateAntiforgeryTokenAuthorizationFilter(
 IAntiforgery antiforgery,
- IOptions antiforgeryOptions,
- AbpAntiForgeryAuthCookieNameProvider antiForgeryAuthCookieNameProvider,
+ AbpAntiForgeryCookieNameProvider antiForgeryCookieNameProvider,
 ILogger logger)
 : base(
 antiforgery,
- antiforgeryOptions,
- antiForgeryAuthCookieNameProvider,
+ antiForgeryCookieNameProvider,
 logger)
 {
- _antiForgeryAuthCookieNameProvider = antiForgeryAuthCookieNameProvider;
- _antiforgeryOptions = antiforgeryOptions.Value;
+ _antiForgeryCookieNameProvider = antiForgeryCookieNameProvider;
 }
 protected override bool ShouldValidate(AuthorizationFilterContext context)
@@ -34,7 +29,7 @@ namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
 return false;
 }
- var authCookieName = _antiForgeryAuthCookieNameProvider.GetNameOrNull();
+ var authCookieName = _antiForgeryCookieNameProvider.GetAuthCookieNameOrNull();
 //Always perform antiforgery validation when request contains authentication cookie
 if (authCookieName != null &&
@@ -43,10 +38,13 @@ namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
 return true;
 }
+ var antiForgeryCookieName = _antiForgeryCookieNameProvider.GetAntiForgeryCookieNameOrNull();
+
 //No need to validate if antiforgery cookie is not sent.
 //That means the request is sent from a non-browser client.
 //See https://github.com/aspnet/Antiforgery/issues/115
- if (!context.HttpContext.Request.Cookies.ContainsKey(_antiforgeryOptions.Cookie.Name))
+ if (antiForgeryCookieName != null &&
+ !context.HttpContext.Request.Cookies.ContainsKey(antiForgeryCookieName))
 {
 return false;
 }
diff --git a/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpValidateAntiforgeryTokenAuthorizationFilter.cs b/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpValidateAntiforgeryTokenAuthorizationFilter.cs
index 2281899181..abb7107bf9 100644
--- a/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpValidateAntiforgeryTokenAuthorizationFilter.cs
+++ b/framework/src/Volo.Abp.AspNetCore.Mvc/Volo/Abp/AspNetCore/Mvc/AntiForgery/AbpValidateAntiforgeryTokenAuthorizationFilter.cs
@@ -5,7 +5,6 @@ using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
 using Microsoft.AspNetCore.Mvc.ViewFeatures;
 using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Options;
 using Volo.Abp.DependencyInjection;
 namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
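Review bot: The added `antiForgeryCookieName != null &&` guard means that an unconfigured token-cookie name disables the non-browser shortcut and lets the request continue toward validation; that is the fail-closed direction, but nothing in the hunk records it as intentional, and the three-line comment above still explains only the absent-cookie case. A line such as `//Cookie name unknown: do not take the shortcut, keep validating.` before the `if` would stop a later edit from turning the null case into an early `return false`. The same two statements are added to ShouldValidate in AbpValidateAntiforgeryTokenAuthorizationFilter in the last hunk of this patch, so the comment belongs there as well. The probe also moves from the framework's AntiforgeryOptions.Cookie to ABP's TokenCookie, which as far as I can tell is not the cookie IAntiforgery itself validates; the reason for preferring it should go into that comment block too. What ShouldValidate returns after this check lies outside the hunk.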
@@ -13,20 +12,17 @@ namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
 public class AbpValidateAntiforgeryTokenAuthorizationFilter : IAsyncAuthorizationFilter, IAntiforgeryPolicy, ITransientDependency
 {
 private IAntiforgery _antiforgery;
- private readonly AntiforgeryOptions _antiforgeryOptions;
- private readonly AbpAntiForgeryAuthCookieNameProvider _antiForgeryAuthCookieNameProvider;
+ private readonly AbpAntiForgeryCookieNameProvider _antiForgeryCookieNameProvider;
 private readonly ILogger _logger;
 public AbpValidateAntiforgeryTokenAuthorizationFilter(
 IAntiforgery antiforgery,
- IOptions antiforgeryOptions,
- AbpAntiForgeryAuthCookieNameProvider antiForgeryAuthCookieNameProvider,
+ AbpAntiForgeryCookieNameProvider antiForgeryCookieNameProvider,
 ILogger logger)
 {
 _antiforgery = antiforgery;
- _antiforgeryOptions = antiforgeryOptions.Value;
 _logger = logger;
- _antiForgeryAuthCookieNameProvider = antiForgeryAuthCookieNameProvider;
+ _antiForgeryCookieNameProvider = antiForgeryCookieNameProvider;
 }
 public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
@@ -63,7 +59,7 @@ namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
 return false;
 }
- var authCookieName = _antiForgeryAuthCookieNameProvider.GetNameOrNull();
+ var authCookieName = _antiForgeryCookieNameProvider.GetAuthCookieNameOrNull();
 //Always perform antiforgery validation when request contains authentication cookie
 if (authCookieName != null &&
@@ -72,10 +68,13 @@ namespace Volo.Abp.AspNetCore.Mvc.AntiForgery
 return true;
 }
+ var antiForgeryCookieName = _antiForgeryCookieNameProvider.GetAntiForgeryCookieNameOrNull();
+
 //No need to validate if antiforgery cookie is not sent.
 //That means the request is sent from a non-browser client.
 //See https://github.com/aspnet/Antiforgery/issues/115
- if (!context.HttpContext.Request.Cookies.ContainsKey(_antiforgeryOptions.Cookie.Name))
+ if (antiForgeryCookieName != null &&
+ !context.HttpContext.Request.Cookies.ContainsKey(antiForgeryCookieName))
 {
 return false;
 }