
I have an application written with ASP.NET (v2.2) and Angular 8. The C# side (server side) is just a web API that exposes functionality to the Angular (client-side) application.

My client-side application is using SSR (server-side rendering) in order to present the application to the users.

I want to activate the anti-forgery mechanism from ASP.NET in my application. The way it should work is that on any HTTP request I will attach an anti-forgery cookie and validate it in my web API controllers (server side\C#).

I tried to write a middleware that will attach the cookie to the response. It looks like this (based on this):

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;

public class AntiForgeryTokenMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IAntiforgery _antiforgery;

    public AntiForgeryTokenMiddleware(RequestDelegate next, IAntiforgery antiforgery)
    {
        _next = next;
        _antiforgery = antiforgery;
    }

    public Task Invoke(HttpContext context)
    {
        // Only issue a token for requests under the API prefix.
        if (context.Request.Path.Value.IndexOf("/your api endpoint, e.g. /api", StringComparison.OrdinalIgnoreCase) != -1)
        {
            // GetAndStoreTokens sets the HttpOnly anti-forgery cookie itself and returns
            // the matching request token, which the client must echo back on each request.
            var tokens = _antiforgery.GetAndStoreTokens(context);
            // HttpOnly = false is deliberate: the client-side script has to read this cookie
            // to copy the token into a header. Secure = false is only acceptable over plain
            // HTTP in local development; production traffic should use Secure = true.
            context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions { HttpOnly = false, Secure = false });
        }
        return _next(context);
    }
}

But I found that the middleware runs only when the page is loaded for the first time. After clicking on a link, I expected my middleware to be triggered again, but it is not.

For this reason, my anti-forgery cookie is invalid when the web API verifies it: the URL changes but the cookie does not.

How to solve this issue?

No1Lives4Ever
  • Can you also share how you have plugged in the middleware? – Soumen Mukherjee Oct 16 '19 at 10:32
  • It's similar to the example I mentioned in the link. https://stackoverflow.com/questions/53086456/anti-forgery-with-token-api-and-angular – No1Lives4Ever Oct 16 '19 at 10:37
  • A few things I would check by adding logs / breakpoints: - Is clicking on links invoking a call to the server? - Are the additional requests reaching the middleware, or is previous middleware short-circuiting the request? - If I'm hitting the middleware, is the `if` block being satisfied? – Simon B Oct 16 '19 at 12:57

1 Answer


If your middleware is not being triggered, it may mean that the application has fully loaded and bootstrapped in the client. That means it no longer uses Server Side Rendering since everything is now running in the browser. You can typically verify this if you monitor the Network tab in your browser's dev tools; if you're making a new request for your SPA's main script files, the app hasn't finished bootstrapping and you're getting your response directly from the server.

Keep in mind that the major use cases for SSR are for SEO, optimizing mobile content delivery, and speeding up the rendering and display of the page. SSR will not make all of your requests go to the server like traditional postback. It's there to ease the requirements for rendering views but does not replace the behavior of a client-side SPA.

According to Angular2 ASP.NET Core AntiForgeryToken, you may not need to worry about creating custom middleware to handle the anti-forgery tokens for API requests. Angular should just handle it for you when it sees an XSRF-TOKEN header.

villecoder
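As an added example (not code from the question or the answer), here is the server-side wiring that the question's middleware is missing in order to work with the built-in Angular XSRF handling the answer refers to: the request token is written to a JavaScript-readable XSRF-TOKEN cookie, Angular's HttpClientXsrfModule copies that cookie into an X-XSRF-TOKEN header on non-GET requests, and the server is told to read the token from that header. Because tokens are bound to the HttpOnly anti-forgery cookie and not to the URL, reissuing the cookie once per response is enough; client-side navigation does not invalidate it. The controller name and route are illustrative, and Secure = true assumes the app is served over HTTPS.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Angular sends the request token in the X-XSRF-TOKEN header; by default
        // ASP.NET Core looks for it in a form field, so point it at the header.
        services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");
        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }

    public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
    {
        // Refresh the readable token cookie on every response (SSR page loads and API
        // calls alike). The HttpOnly anti-forgery cookie is managed by GetAndStoreTokens
        // and is only reissued when no valid one is present.
        app.Use(async (context, next) =>
        {
            AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(context);
            context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
                new CookieOptions
                {
                    HttpOnly = false,             // Angular must be able to read it
                    Secure = true,                // assumes HTTPS
                    SameSite = SameSiteMode.Strict
                });
            await next();
        });
        app.UseMvc();
    }
}

// Illustrative controller (hypothetical name/route): validate only on state-changing
// verbs; safe GET requests carry no side effects and need no token.
[Route("api/[controller]")]
[ApiController]
public class OrdersController : ControllerBase
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Create([FromBody] object order) => Ok();
}
```

If the Angular app calls the API with an absolute URL instead of a relative one, the HttpClientXsrfModule interceptor will not attach the header, so keep API calls same-origin and relative.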