This repository has been archived by the owner on Dec 14, 2018. It is now read-only.

Provide appropriate error message in case of missing antiforgery tokens #1210

Closed
kichalla opened this issue Oct 1, 2014 · 4 comments

@kichalla
Member

kichalla commented Oct 1, 2014

Scenario as mentioned in the article below:
http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks

The error message says: The required anti-forgery cookie "__RequestVerificationToken" is not present. Notice that it mentions the form field name here...

```csharp
// Startup: register the filter so [ServiceFilter] can resolve it from DI.
services.AddSingleton<CustomAntiForgeryTokenFilter>();
```

```csharp
public class CustomAntiForgeryTokenFilter : IAuthorizationFilter
{
    private readonly AntiForgery _antiForgery;

    public CustomAntiForgeryTokenFilter(AntiForgery antiForgery)
    {
        _antiForgery = antiForgery;
    }

    public void OnAuthorization(AuthorizationContext context)
    {
        string cookieToken = string.Empty;
        string formToken = string.Empty;

        // The client sends both tokens in one header as "cookieToken:formToken"
        // (the pattern from the linked article), not as a cookie plus a form field.
        string[] tokenHeaders;
        if (context.HttpContext.Request.Headers.TryGetValue("RequestVerificationToken", out tokenHeaders))
        {
            string[] tokens = tokenHeaders[0].Split(':');
            cookieToken = tokens[0].Trim();
            if (tokens.Length > 1)
            {
                formToken = tokens[1].Trim();
            }
        }

        // Explicit-token overload: the tokens did not come from the cookie/form field,
        // yet the exception below still talks about "__RequestVerificationToken".
        _antiForgery.Validate(context.HttpContext, cookieToken, formToken);
    }
}
```

```csharp
[ServiceFilter(typeof(CustomAntiForgeryTokenFilter), Order = 1)]
[Authorize(Order = 2)]
public class ValuesController : Controller
{
    [HttpPost("api/values")]
    public Person Create([FromBody]Person data)
    {
        return data;
    }
}
```

Error message:

```text
System.InvalidOperationException: The required anti-forgery cookie "__RequestVerificationToken" is not present.
at Microsoft.AspNet.Mvc.TokenProvider.ValidateTokens(HttpContext httpContext, ClaimsIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken)
at Microsoft.AspNet.Mvc.AntiForgeryWorker.Validate(HttpContext httpContext, String cookieToken, String formToken)
at Microsoft.AspNet.Mvc.AntiForgery.Validate(HttpContext context, String cookieToken, String formToken)
at WebApplication10.CustomAntiForgeryTokenFilter.OnAuthorizationAsync(AuthorizationContext context) in C:\Users\kichalla\Documents\Visual Studio 14\Projects\WebApplication10\src\WebApplication10\CustomAntiForgeryTokenFilterAttribute.cs:line 33
at Microsoft.AspNet.Mvc.FilterActionInvoker.<InvokeAuthorizationFilter>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Mvc.FilterActionInvoker.<InvokeActionAuthorizationFilters>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Mvc.FilterActionInvoker.<InvokeExceptionFilter>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNet.Mvc.FilterActionInvoker.<InvokeAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Mvc.ReflectedActionInvoker.<InvokeAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
at Microsoft.AspNet.Mvc.MvcRouteHandler.<RouteAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Routing.Template.TemplateRoute.<RouteAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Mvc.Routing.AttributeRoute.<RouteAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Routing.RouteCollection.<RouteAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Builder.RouterMiddleware.<Invoke>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.RequestContainer.ContainerMiddleware.<Invoke>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Loader.IIS.KlrHttpApplication.<ProcessRequestAsyncImpl>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Loader.IIS.HttpApplicationBase.<InvokeProcessRequestAsyncImpl>d__1.MoveNext()
```

@rynowak
Member

rynowak commented Oct 1, 2014

What info do you want to be present in the error that is missing?

@danroth27 danroth27 added this to the 6.0.0-rc1 milestone Oct 8, 2014
@danroth27 danroth27 modified the milestones: 6.0.0-rc1, 6.0.0-beta3 Jan 13, 2015
@yishaigalatzer
Contributor

@kichalla if you think this is important, please provide feedback for this item

@yishaigalatzer yishaigalatzer modified the milestones: Backlog, 6.0.0-rc1 Feb 6, 2015
@rynowak
Member

rynowak commented Jun 10, 2015

Looked into this more; the bug here is that in the overload where the caller passes in the token, we're still including the form field name in the message. We have no idea where you got the token, so this should throw an ArgumentNullException here and the proper exception should be thrown by the caller.
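
A caller-side version of the filter, added here as an example and not the project's own code, that follows the split described in the comment above: the filter checks for a missing or malformed token and reports it in terms of where it actually reads the token (the `RequestVerificationToken` header from the sample earlier in this issue), and only then calls `AntiForgery.Validate` with both values. The `HeaderAntiForgeryTokenFilter` name, the `TryParseHeaderValue` helper and the `using` lines are assumptions; the header name and the `cookieToken:formToken` layout come from the sample.

```csharp
using System;
using Microsoft.AspNet.Http; // assumed namespace for HttpContext in this era of ASP.NET vNext
using Microsoft.AspNet.Mvc;  // AntiForgery, IAuthorizationFilter, AuthorizationContext (per the stack trace)

// Added example (hypothetical class): the filter owns the error message for the
// header it reads, instead of relying on the framework message that names the
// "__RequestVerificationToken" cookie/form field this filter never looks at.
public class HeaderAntiForgeryTokenFilter : IAuthorizationFilter
{
    // Header name and "cookie:form" layout are taken from the sample in this issue.
    private const string HeaderName = "RequestVerificationToken";
    private readonly AntiForgery _antiForgery;

    public HeaderAntiForgeryTokenFilter(AntiForgery antiForgery)
    {
        _antiForgery = antiForgery;
    }

    public void OnAuthorization(AuthorizationContext context)
    {
        string cookieToken;
        string formToken;

        // Caller-side check: report a missing/malformed header as exactly that.
        if (!TryParseHeader(context.HttpContext, out cookieToken, out formToken))
        {
            throw new InvalidOperationException(
                "The required anti-forgery header \"" + HeaderName +
                "\" is missing or is not in the form \"<cookieToken>:<formToken>\".");
        }

        // Both halves are now known to be present; the framework verifies they
        // match each other and the current identity. Any failure raised here is a
        // genuine token mismatch rather than a transport problem.
        _antiForgery.Validate(context.HttpContext, cookieToken, formToken);
    }

    // Pure parsing helper (hypothetical), kept free of HttpContext so it can be unit tested.
    // Rejects an empty header and any value that does not split into exactly two
    // non-empty segments, instead of letting tokens[1] throw IndexOutOfRangeException.
    internal static bool TryParseHeaderValue(string headerValue, out string cookieToken, out string formToken)
    {
        cookieToken = null;
        formToken = null;

        if (string.IsNullOrWhiteSpace(headerValue))
        {
            return false;
        }

        string[] parts = headerValue.Split(':');
        if (parts.Length != 2)
        {
            return false;
        }

        cookieToken = parts[0].Trim();
        formToken = parts[1].Trim();
        return cookieToken.Length > 0 && formToken.Length > 0;
    }

    private static bool TryParseHeader(HttpContext httpContext, out string cookieToken, out string formToken)
    {
        string[] values;
        if (!httpContext.Request.Headers.TryGetValue(HeaderName, out values) || values.Length == 0)
        {
            cookieToken = null;
            formToken = null;
            return false;
        }

        // Only the first header value is honoured, as in the original sample.
        return TryParseHeaderValue(values[0], out cookieToken, out formToken);
    }
}
```

The practical effect is that a request without the header fails with a message naming the header, while a request whose two halves do not match still fails inside `Validate` with the framework's own mismatch error; the two failure modes stop being reported under the same misleading "cookie is not present" text, which makes server logs far easier to triage.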

@rynowak
Member

rynowak commented Jun 25, 2015

Moved to aspnet/Antiforgery#5
