Implement Request credentials #399
Conversation
|
|
|
Thanks for contributing this, @aguacongas! I appreciate the thorough PR with tests. On consideration, I think I would propose a slightly different way to implement this feature. My concern about the approach here is that it's very specialised:
If I'm understanding the design of
Then, developers can construct a myMessage.Properties[BrowserHttpMessageHandler.FetchArgs] = new
{
credentials = "include",
integrity = "sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=",
... other options ...
};... and then the JS-side code will call: fetch(url, { ... existing args ..., credentials: 'include', integrity: 'sha256-BpfBw7ivV8q2jLiT13fxDYAe2tJllusRSZ273h2nFSE=', ... other options ... })...... which allows a way to control all aspects of Drawback: I know this means you'd need to call What do you think? |
|
Hi @SteveSandersonMS , Just, why And does it means the user cannot use GetJsonAsync methods if it need to use some fetch options then, or any others |
|
Re
In the general case, it means the user needs to construct a I know there will be times where it's not as convenient as using a higher-level method like Basically this is a relatively safe low-level design (not going to trap us in the future) that others can build higher-level methods on top of. |
According to the discussion
|
I uptated according to the discussion. I didn't update the test layout but if works for one options it should for others. |
| registerFunction(`${httpClientFullTypeName}.Send`, (id: number, method: string, requestUri: string, body: string | null, headersJson: string | null) => { | ||
| sendAsync(id, method, requestUri, body, headersJson); | ||
| registerFunction(`${httpClientFullTypeName}.Send`, (id: number, method: string, requestUri: string, body: string | null, headersJson: string | null, fetchArgs: RequestInit | null) => { | ||
| sendAsync(id, method, requestUri, body, headersJson, fetchArgs); |
There was a problem hiding this comment.
Could you please fix the indentation to be consistent with project conventions for .ts files? (e.g., 2 spaces per indentation level)
There was a problem hiding this comment.
Thanks for this, @aguacongas! Looks like there's a few things remaining to be done before this PR could be merged, but the general approach looks good :)
| public const string FetchArgs = "BrowserHttpMessageHandler.FetchArgs"; | ||
|
|
||
| public BrowserHttpMessageHandler() | ||
| { } |
There was a problem hiding this comment.
Redundant empty constructor can be removed
| @@ -36,17 +42,31 @@ public class BrowserHttpMessageHandler : HttpMessageHandler | |||
| _pendingRequests.Add(id, tcs); | |||
| } | |||
|
|
|||
| request.Properties.TryGetValue(FetchArgs, out object fetchArgs); | |||
There was a problem hiding this comment.
Please use out var fetchArgs for consistency with project conventions
|
|
||
| return await tcs.Task; | ||
| } | ||
|
|
||
| private static string GetDescription(Enum value) |
There was a problem hiding this comment.
I don't think we need this method any more
| @@ -32,6 +33,23 @@ public IEnumerable<string> Get() | |||
| } | |||
| } | |||
|
|
|||
| [HttpPost("xhrf")] | |||
There was a problem hiding this comment.
Are these methods GetAntiForgery and PostAntiForgery used anywhere? Could you clarify their purpose?
There was a problem hiding this comment.
I added these methods to test antiforgery cookies submition, the e2e test is missing. I'm going to add it
test/testapps/TestServer/Startup.cs
Outdated
| @@ -17,6 +19,13 @@ public Startup(IConfiguration configuration) | |||
| // This method gets called by the runtime. Use this method to add services to the container. | |||
| public void ConfigureServices(IServiceCollection services) | |||
| { | |||
| services.AddLogging(builder => | |||
There was a problem hiding this comment.
Doesn't seem related to the rest of the PR - please remove
test/testapps/TestServer/Startup.cs
Outdated
| .WithExposedHeaders("MyCustomHeader"); | ||
| }); | ||
| }); | ||
|
|
||
| services.AddAntiforgery(options => |
There was a problem hiding this comment.
I'm guessing this is meant to be used from an E2E test somewhere, but there doesn't appear to be one included in the PR. Is there still something to be finished here?
There was a problem hiding this comment.
yes the e2e test is missing.
There was a problem hiding this comment.
I tried to add an e2e test but cookies aren't recieved when selenium runs the test. If I run the test manualy, it works, but not with selenium. The code is :
[Fact]
public void CanPerformPostRequestWithFetchCredentials()
{
new SelectElement(Browser.FindElement(By.Id("request-credentials")))
.SelectByValue("include");
IssueRequest("GET", "/api/person/xhrf");
Assert.Equal("OK", _responseStatus.Text);
var token = _responseBody.Text;
AddRequestHeader("X-XSRF-TOKEN", token);
IssueRequest("POST", "/api/person/xhrf", token);
Assert.Equal("OK", _responseStatus.Text);
Assert.Equal($"You posted: {token}", _responseBody.Text);
}Any idea ?
There was a problem hiding this comment.
I'm not sure about that. Maybe Selenium requires additional config to enable cookies.
Instead of doing an E2E test about XSRF tokens, would it be simpler for the E2E test to cover a simpler fetch option such as referrer?
|
Thanks @aguacongas for finishing this off! It's now merged. |
|
@SteveSandersonMS You're welcome. When do you plan to released 0.2.0 ? |
We're planning to ship sometime next week. |
#357 Implements fetch request credentials