This repository has been archived by the owner on Dec 14, 2018. It is now read-only.
Allow custom handling of antiforgery failures #8604
Merged: pranavkm merged 1 commit into aspnet:release/2.2 from poke:AntiforgeryValidationFailedResult on Oct 19, 2018
pranavkm
reviewed
Oct 17, 2018
src/Microsoft.AspNetCore.Mvc.ViewFeatures/Internal/AntiforgeryValidationFailedResult.cs
poke force-pushed the AntiforgeryValidationFailedResult branch from 0359a3c to 1ce8e41 on October 17, 2018 23:19
poke changed the title from "WIP: Allow custom handling of antiforgery failures" to "Allow custom handling of antiforgery failures" on Oct 17, 2018
Updated the PR for a way better approach. I like this :) Thanks @pranavkm for your feedback!
pranavkm
approved these changes
Oct 17, 2018
test/WebSites/BasicWebSite/Filters/RedirectAntiforgeryValidationFailedResultFilter.cs
// Assert | ||
Assert.Equal(HttpStatusCode.Redirect, response.StatusCode); | ||
Assert.Equal("http://example.com/antiforgery-redirect", response.Headers.Location.AbsoluteUri); |
👍
rynowak
reviewed
Oct 18, 2018
src/Microsoft.AspNetCore.Mvc.Core/AntiforgeryValidationFailedResult.cs
rynowak
reviewed
Oct 18, 2018
This is cool!
To enable custom handling of antiforgery validation failures, use an `AntiforgeryValidationFailedResult` which is just a `BadRequestResult` but allows it to be identified explicitly inside always-running result filters using the `IAntiforgeryValidationFailedResult` marker interface.
poke force-pushed the AntiforgeryValidationFailedResult branch from 1ce8e41 to aa3594c on October 18, 2018 16:48
@dotnet-bot build OSX 10.12 Release Build please
Thanks for the PR!
Thanks for the quick merge, and the feedback! 😊
This fixes the problem highlighted in dotnet/aspnetcore#3616 and adds support to allow custom handling of antiforgery validation failures. Right now, the `ValidateAntiforgeryTokenAuthorizationFilter` simply sets a `BadRequestResult` and there is no way to hook into this behavior and do anything else.

This introduces a new `AntiforgeryValidationFailedResult` that extends `BadRequestResult` but allows it to be identified explicitly within always-running result filters (they need to be always-running in order to go around the short-circuiting behavior of the MVC filter pipeline).

An example for a filter that intercepts the result is included in the functional test and essentially looks like this:

When applied in the pipeline, this filter will intercept the `AntiforgeryValidationFailedResult` and replace it with something else.
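
One way to use this hook for logging and a custom response, as an added example that is not the code from this PR or its functional test. The class name `AntiforgeryFailureResultFilter`, the log fields and the response body are assumptions; the namespace of `IAntiforgeryValidationFailedResult` is the one shipped in ASP.NET Core 2.2.

```csharp
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Core.Infrastructure; // IAntiforgeryValidationFailedResult
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Logging;

// Hypothetical filter name; illustrative only, not part of the PR.
public class AntiforgeryFailureResultFilter : IAlwaysRunResultFilter
{
    private readonly ILogger<AntiforgeryFailureResultFilter> _logger;

    public AntiforgeryFailureResultFilter(ILogger<AntiforgeryFailureResultFilter> logger)
        => _logger = logger;

    public void OnResultExecuting(ResultExecutingContext context)
    {
        // Match on the marker interface rather than the concrete result type.
        if (!(context.Result is IAntiforgeryValidationFailedResult))
        {
            return;
        }

        var request = context.HttpContext.Request;

        // Record enough context to spot repeated failures from one origin.
        _logger.LogWarning(
            "Antiforgery validation failed: {Method} {Path} action={Action} remote={RemoteIp} origin={Origin}",
            request.Method,
            request.Path,
            context.ActionDescriptor.DisplayName,
            context.HttpContext.Connection.RemoteIpAddress,
            request.Headers["Origin"].ToString());

        // The authorization filter has already short-circuited the action;
        // only the response changes here. Keep it a 400 so the failure stays
        // visible to clients and monitoring.
        context.Result = new ObjectResult(new ProblemDetails
        {
            Status = 400,
            Title = "Antiforgery token validation failed",
            Detail = "Reload the page and submit the form again."
        })
        {
            StatusCode = 400
        };
    }

    public void OnResultExecuted(ResultExecutedContext context) { }
}
```

Registering it globally with `services.AddMvc(options => options.Filters.Add<AntiforgeryFailureResultFilter>());` lets the framework construct it with the logger from dependency injection.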