This repository has been archived by the owner on Dec 14, 2018. It is now read-only.
Allow custom handling of antiforgery failures #8604
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pranavkm
reviewed
Oct 17, 2018
src/Microsoft.AspNetCore.Mvc.ViewFeatures/Internal/AntiforgeryValidationFailedResult.cs
Outdated
Show resolved
Hide resolved
src/Microsoft.AspNetCore.Mvc.ViewFeatures/Internal/AntiforgeryValidationFailedResult.cs
Outdated
Show resolved
Hide resolved
poke
force-pushed
the
AntiforgeryValidationFailedResult
branch
from
0359a3c
to
1ce8e41
Compare
poke
changed the title
|
Updated the PR for way better approach. I like this :) Thanks @pranavkm for your feedback! |
pranavkm
approved these changes
Oct 17, 2018
test/WebSites/BasicWebSite/Filters/RedirectAntiforgeryValidationFailedResultFilter.cs
Outdated
Show resolved
Hide resolved
|
|
||
| // Assert | ||
| Assert.Equal(HttpStatusCode.Redirect, response.StatusCode); | ||
| Assert.Equal("http://example.com/antiforgery-redirect", response.Headers.Location.AbsoluteUri); |
rynowak
reviewed
Oct 18, 2018
src/Microsoft.AspNetCore.Mvc.Core/AntiforgeryValidationFailedResult.cs
Outdated
Show resolved
Hide resolved
To enable custom handling of antiforgery validation failures, use an `AntiforgeryValidationFailedResult` which is just a `BadRequestResult` but allows to be identified explicitly inside always-running result filters using the `IAntiforgeryValidationFailedResult` marker interface.
poke
force-pushed
the
AntiforgeryValidationFailedResult
branch
from
1ce8e41
to
aa3594c
Compare
|
@dotnet-bot build OSX 10.12 Release Build please |
|
Thanks for the PR! |
|
Thanks for the quick merge, and the feedback! 😊 |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes the problem highlighted in dotnet/aspnetcore#3616 and adds support to allow custom handling of antiforgery validation failures. Right now, the
ValidateAntiforgeryTokenAuthorizationFiltersimply sets aBadRequestResultand there is no way to hook into this behavior and do anything else.This introduces a new
AntiforgeryValidationFailedResultthat extendsBadRequestResultbut allows to be identified explicitly within always-running result filters (they need to be always-running in order to go around the short-circuiting behavior of the MVC filter pipeline).An example for a filter that intercepts the result is included in the functional test and essentially looks like this:
When applied in the pipeline, this filter will intercept the
AntiforgeryValidationFailedResultand replace it with something else.