Add antiforgery support #509
Conversation
This reverts commit 0d3b65b.
Src/Library/Main/MainExtensions.cs
@@ -60,6 +63,9 @@ public static IApplicationBuilder UseFastEndpoints(this IApplicationBuilder app, | |||
|
|||
public static IEndpointRouteBuilder MapFastEndpoints(this IEndpointRouteBuilder app, Action<Config>? configAction = null) | |||
{ | |||
//use AntiforgeryMiddleware middleware | |||
(app as WebApplication)?.UseMiddleware<Middleware.AntiforgeryMiddleware>(); |
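Review bot: the `(app as WebApplication)?.UseMiddleware<Middleware.AntiforgeryMiddleware>()` line registers the middleware for every caller of MapFastEndpoints, whether or not any endpoint opts in, and the `as` cast silently skips registration when `app` is not a WebApplication, so an endpoint that later calls EnableAntiforgery() would run with no validation and nothing would flag it. Gate the registration behind an explicit opt-in and make startup fail when an endpoint opts in without the middleware and IAntiforgery service being registered, rather than relying on the comment "//use AntiforgeryMiddleware middleware".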
Maybe only use middleware if antiforgery is used?
Could be done by checking if its turned "on" on any endpoint, or by some other configuration
The middleware is really simple: the validation logic is only executed when EndpointDefinition.IsEnlableAntiforgery = true is set (default: false), so otherwise it has no effect :)
using System.Threading.Tasks;
using FastEndpoints; // EndpointDefinition
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;

// Class wrapper and constructor reconstructed around the posted Invoke method
public class AntiforgeryMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IAntiforgery _antiforgery;

    public AntiforgeryMiddleware(RequestDelegate next, IAntiforgery antiforgery)
    {
        _next = next;
        _antiforgery = antiforgery;
    }

    public async Task Invoke(HttpContext context)
    {
        // Safe methods (GET, HEAD, OPTIONS, TRACE) don't need antiforgery validation
        if (context.Request.Method == HttpMethods.Get ||
            context.Request.Method == HttpMethods.Trace ||
            context.Request.Method == HttpMethods.Options ||
            context.Request.Method == HttpMethods.Head)
        {
            await _next(context);
            return;
        }

        // Validate only when the endpoint explicitly opted in (default: false)
        var endpointDefinition = context.GetEndpoint()?.Metadata.GetMetadata<EndpointDefinition>();
        if (endpointDefinition?.IsEnlableAntiforgery is true)
        {
            try
            {
                await _antiforgery.ValidateRequestAsync(context);
            }
            catch (AntiforgeryValidationException)
            {
                // Token missing or invalid: reject with 400 and stop the pipeline
                context.Response.StatusCode = StatusCodes.Status400BadRequest;
                await context.Response.WriteAsync("Invalid anti-forgery token");
                return;
            }
        }
        await _next(context);
    }
}
Haven't checked the code properly yet, but ideally this middleware should only be added to the pipeline if the user explicitly asks to enable it during startup, something like this:
app.UseFastEndpoints(c => c.Security.EnableAntiForgeryTokens = true);
If this value is false, an endpoint level EnlableAntiforgery() call should throw an exception during startup.
@vipwan think you can make that happen?
Actually, scratch that.... let's make the user do two calls to configure antiforgery:
builder.Services.AddAntiForgery()
app.UseAntiForgery() // this will be a custom extension method that registers the middleware.
And during startup, if endpoints say EnableAntiForgery() and the user hasn't called AddAntiForgery(), an exception should be thrown.
How about that?
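The startup check proposed above, as an added example that is not code from this PR or from FastEndpoints: it walks the mapped endpoints, collects those whose EndpointDefinition has IsEnlableAntiforgery set (the flag the posted middleware reads), and throws if the IAntiforgery service was never registered. It assumes it is called after endpoints are mapped and before app.Run(); the helper class and method name are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using FastEndpoints; // EndpointDefinition.IsEnlableAntiforgery as used in this PR's middleware
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Routing;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper, not part of FastEndpoints: call it after endpoints are mapped
// (e.g. right after app.MapFastEndpoints()) and before app.Run().
public static class AntiforgeryStartupGuard
{
    public static IReadOnlyList<string> AssertAntiforgeryConfigured(this WebApplication app)
    {
        // WebApplication implements IEndpointRouteBuilder; its DataSources hold the mapped endpoints
        var optedIn = ((IEndpointRouteBuilder)app).DataSources
            .SelectMany(ds => ds.Endpoints)
            .Where(e => e.Metadata.GetMetadata<EndpointDefinition>()?.IsEnlableAntiforgery is true)
            .Select(e => e.DisplayName ?? "(unnamed endpoint)")
            .ToList();

        // Nothing opted in: the middleware has no work to do, so no service is required
        if (optedIn.Count == 0)
            return optedIn;

        // Endpoints asked for validation but the antiforgery service was never registered:
        // fail fast at startup instead of letting those endpoints run unprotected
        if (app.Services.GetService<IAntiforgery>() is null)
            throw new InvalidOperationException(
                "EnableAntiforgery() is set on: " + string.Join(", ", optedIn)
                + " but the antiforgery service (AddAntiForgery) was not registered.");

        return optedIn;
    }
}
```

This only verifies the service registration; whether UseAntiForgery() actually put the middleware in the pipeline is not visible from the service collection, so a flag set by that extension method would be needed to cover the second half of the check.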
It's a good idea.
app.UseFastEndpoints(c => c.Security.EnableAntiForgeryTokens = true);
I think this should be the way:
builder.Services.AddAntiForgery()
app.UseAntiForgery() // this will be a custom extensionmethod that registers the middleware.
…rue will use antiforgery middleware
usage changed to this:

//register services
builder.Services.AddAntiForgery()

//enable middleware
app.UseAntiForgery()

//endpoint config
public override void Configure()
{
    EnableAntiforgery();
}

Also changed the 400 response by the middleware to use the error response builder method instead of just returning a string message. This way it won't have any conflicts with the antiforgery support coming in .NET 8 to minimal APIs.
@vipwan is this the correct way to spell your name in English? FastEndpoints/Src/Library/changelog.md Line 73 in 2b4d4eb
#508