Calling Minimal API with IFormFile gets "Invalid anti-forgery token" #49929

Closed
1 task done
marinasundstrom opened this issue Aug 8, 2023 · 4 comments
Labels
area-minimal Includes minimal APIs, endpoint filters, parameter binding, request delegate generator etc ✔️ Resolution: By Design Resolved because the behavior in this issue is the intended design. Status: Resolved

Comments

marinasundstrom commented Aug 8, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

This is .NET 8 Preview 7.

I have a Minimal API endpoint that takes an IFormFile as an argument. When the endpoint is called, ASP.NET Core complains with:

Microsoft.AspNetCore.Http.BadHttpRequestException: Invalid anti-forgery token found when reading parameter "IFormFile file" from the request body as form.

If I call the endpoint from Swagger, I get the following exception in the console:

fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
      An unhandled exception has occurred while executing the request.
      Microsoft.AspNetCore.Http.BadHttpRequestException: Invalid anti-forgery token found when reading parameter "IFormFile file" from the request body as form.
       ---> Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The required antiforgery cookie ".AspNetCore.Antiforgery.C6Qawqa1gJE" is not present.
         at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
         at Microsoft.AspNetCore.Antiforgery.Internal.AntiforgeryMiddleware.InvokeAwaited(HttpContext context)
         --- End of inner exception stack trace ---
         at Microsoft.AspNetCore.Http.RequestDelegateFactory.Log.InvalidAntiforgeryToken(HttpContext httpContext, String parameterTypeName, String parameterName, Exception exception, Boolean shouldThrow)

Expected Behavior

The API endpoint should just work.

Steps To Reproduce

The code for the endpoint:

    private static async Task<Results<Ok, NotFound>> UploadProductImage(string id, IFormFile file, ... CancellationToken cancellationToken)
    {
        // Omitted

        return TypedResults.Ok();
    }

    app.MapPost("/api/products/{id}/image", UploadProductImage)
        .WithName($"Products_{nameof(UploadProductImage)}")
        .WithTags("Products")
        .WithOpenApi();

Exceptions (if any)

No response

.NET Version

8.0.100-preview.7.23376.3

Anything else?

No response

@dotnet-issue-labeler dotnet-issue-labeler bot added the needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically label Aug 8, 2023
Member

martincostello commented Aug 8, 2023

If your endpoint is safe to not apply antiforgery protection to, you can disable this by adding DisableAntiforgery() to it:

app.MapPost("/api/products/{id}/image", UploadProductImage)
   .WithName($"Products_{nameof(UploadProductImage)}")
   .WithTags("Products")
   .WithOpenApi()
   .DisableAntiforgery();
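
Added example, not part of the original thread or of the ASP.NET Core code base: the other way to resolve the error is to keep validation on for a browser-submitted upload and issue the token with the form, reserving `DisableAntiforgery()` for endpoints that are not authenticated by cookies. The form page route and the `/api/integrations/...` route are hypothetical, and authentication wiring is omitted.

```csharp
// Added example for .NET 8 minimal APIs (web SDK, implicit usings enabled).
using Microsoft.AspNetCore.Antiforgery;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAntiforgery();

var app = builder.Build();
app.UseAntiforgery(); // validates tokens on endpoints that bind form data

// Hypothetical page (route is an assumption): renders the upload form with
// the hidden antiforgery field; GetAndStoreTokens also sets the cookie whose
// absence produced the exception shown in the issue.
app.MapGet("/products/{id}/upload", (string id, HttpContext ctx, IAntiforgery antiforgery) =>
{
    var tokens = antiforgery.GetAndStoreTokens(ctx);
    var action = $"/api/products/{Uri.EscapeDataString(id)}/image";
    var html = $"""
        <form action="{action}" method="post" enctype="multipart/form-data">
          <input type="hidden" name="{tokens.FormFieldName}" value="{tokens.RequestToken}" />
          <input type="file" name="file" />
          <button type="submit">Upload</button>
        </form>
        """;
    return Results.Content(html, "text/html");
});

// Browser-facing upload: antiforgery stays enabled, so a cross-site form post
// without the matching cookie and field is rejected before the handler runs.
app.MapPost("/api/products/{id}/image", (string id, IFormFile file) =>
    Results.Ok(new { id, file.FileName, file.Length }));

// Hypothetical machine-to-machine route. Assumption: callers authenticate with
// a credential the browser does not attach automatically (for example an
// Authorization header), so there is no ambient cookie session to forge against.
app.MapPost("/api/integrations/products/{id}/image", (string id, IFormFile file) =>
    Results.Ok(new { id, file.Length }))
    .DisableAntiforgery();

app.Run();
```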

@martincostello martincostello added area-minimal Includes minimal APIs, endpoint filters, parameter binding, request delegate generator etc and removed needs-area-label Used by the dotnet-issue-labeler to label those issues which couldn't be triaged automatically labels Aug 8, 2023
Author

marinasundstrom commented Aug 8, 2023

@martincostello Thanks! I was looking for that. It was a major blocker.

I get that anti-forgery protection has been implemented and turned on because of forms in Blazor SSR.

@captainsafia
Member

Thanks for filing this issue, @marinasundstrom! It looks like the new anti-forgery feature in preview.7 worked for you. We'll have docs on this soon, but for now @martincostello's comment on using the extension method to disable the check is correct here.

@captainsafia captainsafia added the ✔️ Resolution: By Design Resolved because the behavior in this issue is the intended design. label Aug 10, 2023
@ghost ghost added the Status: Resolved label Aug 10, 2023

ghost commented Aug 13, 2023

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.

@ghost ghost closed this as completed Aug 13, 2023
@ghost ghost locked as resolved and limited conversation to collaborators Sep 12, 2023