platformplatform · raix · Jan 15, 2024 · Jan 16, 2024 · Jan 16, 2024
diff --git a/application/account-management/WebApp/global.d.ts b/application/account-management/WebApp/global.d.ts
@@ -16,6 +16,8 @@ export declare global {
     APPLICATION_VERSION: string;
     /* User locale */
     LOCALE: string;
+    /* AntiForgery token */
+    XSRF_TOKEN: string;
   }
 
   /**

diff --git a/application/account-management/WebApp/src/lib/api/client.ts b/application/account-management/WebApp/src/lib/api/client.ts
@@ -2,4 +2,4 @@ import createClient from "openapi-fetch";
 import type { paths } from "./api.generated";
 
 const baseUrl = import.meta.env.PUBLIC_URL;
-export const accountManagementApi = createClient<paths>({ baseUrl });
+export const accountManagementApi = createClient<paths>({ baseUrl, headers: { "X-XSRF-TOKEN": import.meta.env.XSRF_TOKEN } });
diff --git a/application/shared-kernel/ApiCore/ApiCoreConfiguration.cs b/application/shared-kernel/ApiCore/ApiCoreConfiguration.cs
@@ -1,7 +1,9 @@
 using System.Text.Json;
 using Microsoft.ApplicationInsights.AspNetCore.Extensions;
+using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Json;
 using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.EntityFrameworkCore;
@@ -74,6 +76,9 @@ public static IServiceCollection AddApiCoreServices(this IServiceCollection serv
             options.KnownProxies.Clear();
         });
 
+        // Enable support for CSRF tokens and configure the header
+        services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");
+
         builder.AddServiceDefaults();
 
         if (builder.Environment.IsDevelopment())
@@ -127,6 +132,22 @@ public static WebApplication AddApiCoreConfiguration<TDbContext>(this WebApplica
 
         app.UseMiddleware<ModelBindingExceptionHandlerMiddleware>();
 
+
+        // Enable support for CSRF tokens
+        app.UseAntiforgery();
+
+        // Enable support for anti XSRF/CSRF on all mutation endpoints 
+        app.Use((context, next) =>
+        {
+            var antiforgeryMetadata = context.GetEndpoint()?.Metadata.GetMetadata<IAntiforgeryMetadata>();
+            if (antiforgeryMetadata != null || !IsMutationMethod(context))
+            {
+                return next.Invoke();
+            }
+
+            return context.RequestServices.GetService<IAntiforgery>()!.ValidateRequestAsync(context);
+        });
+
         // Configure track endpoint for Application Insights telemetry for PageViews and BrowserTimings
         app.MapTrackEndpoints();
 
@@ -137,4 +158,15 @@ public static WebApplication AddApiCoreConfiguration<TDbContext>(this WebApplica
 
         return app;
     }
+
+    /// <summary>
+    ///     Returns true if the request is a mutation method (POST, PUT, PATCH, DELETE)
+    /// </summary>
+    private static bool IsMutationMethod(HttpContext context)
+    {
+        return HttpMethods.IsPost(context.Request.Method) ||
+               HttpMethods.IsPut(context.Request.Method) ||
+               HttpMethods.IsPatch(context.Request.Method) ||
+               HttpMethods.IsDelete(context.Request.Method);
+    }
 }
diff --git a/application/shared-kernel/ApiCore/Endpoints/TrackEndpoints.cs b/application/shared-kernel/ApiCore/Endpoints/TrackEndpoints.cs
@@ -20,7 +20,7 @@ public static class TrackEndpoints
     // </summary>
     public static void MapTrackEndpoints(this IEndpointRouteBuilder routes)
     {
-        routes.MapPost("/api/track", Track);
+        routes.MapPost("/api/track", Track).DisableAntiforgery();
     }
 
     [OpenApiIgnore]

diff --git a/application/shared-kernel/ApiCore/Middleware/WebAppMiddleware.cs b/application/shared-kernel/ApiCore/Middleware/WebAppMiddleware.cs
@@ -1,6 +1,7 @@
 using System.Security;
 using System.Text;
 using System.Text.Json;
+using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.Json;
@@ -18,7 +19,9 @@ public sealed class WebAppMiddleware
     public const string PublicUrlKey = "PUBLIC_URL";
     public const string CdnUrlKey = "CDN_URL";
     private const string Locale = "LOCALE";
+    private const string XsrfToken = "XSRF_TOKEN";
     public const string ApplicationVersion = "APPLICATION_VERSION";
+    private readonly IAntiforgery _antiforgery;
 
     private readonly string _cdnUrl;
     private readonly StringValues _contentSecurityPolicy;
@@ -35,12 +38,14 @@ public WebAppMiddleware(
         RequestDelegate next,
         Dictionary<string, string> staticRuntimeEnvironment,
         string htmlTemplatePath,
-        IOptions<JsonOptions> jsonOptions
+        IOptions<JsonOptions> jsonOptions,
+        IAntiforgery antiforgery
     )
     {
         _next = next;
         _staticRuntimeEnvironment = staticRuntimeEnvironment;
         _htmlTemplatePath = htmlTemplatePath;
+        _antiforgery = antiforgery;
         _jsonSerializerOptions = jsonOptions.Value.SerializerOptions;
 
         VerifyRuntimeEnvironment(staticRuntimeEnvironment);
@@ -87,10 +92,13 @@ public Task InvokeAsync(HttpContext context)
     {
         if (context.Request.Path.ToString().StartsWith("/api/")) return _next(context);
 
+        var tokenSet = _antiforgery.GetAndStoreTokens(context);
+
         var cultureFeature = context.Features.Get<IRequestCultureFeature>();
         var userCulture = cultureFeature?.RequestCulture.Culture;
 
-        var requestEnvironmentVariables = new Dictionary<string, string> { { Locale, userCulture?.Name ?? "en-US" } };
+        var requestEnvironmentVariables = new Dictionary<string, string>
+            { { Locale, userCulture?.Name ?? "en-US" }, { XsrfToken, tokenSet.RequestToken! } };
 
         context.Response.Headers.Append("Content-Security-Policy", _contentSecurityPolicy);
         return context.Response.WriteAsync(GetHtmlWithEnvironment(requestEnvironmentVariables));