Getting ValidateAntiForgeryToken working with Angular 4 and Asp.Net Core 2 -


i attempting security working angular 4 (4.3.5) on newly released asp.net core 2.0, , anti forgery tokens.

i using javascriptservices, provides starter application (its default angular template in visual studio 2017.3). javascript services hosts main page of angular site on .cshtml page. turns out quite beneficial, can lock down using standard forms authentication (dot net core identity), redirects user separate (non angular) login page @ /account/login when user not logged in. can log in on page , redirected home page , spa , running within context of authorised user.

that working application may found here.

the final piece of puzzle validateantiforgerytoken attributes working. fine when log in account/login page, not running in context of angular 4. when running within angular 4 on home page, when make post server, post blocked validateantiforgerytoken if attribute present.

because of have commented out validateantiforgerytoken attribute on account/logout method. because logging out site using angular http post. works when attribute not being used, fails/is blocked when used.

following angular 4 documention, found here, have changed anti forgery token name match angular 4 recognises. this, modified startup.cs file, adding in lines, follows: 

public void configureservices(iservicecollection services) {             services.addantiforgery(options =>             {                 options.cookie.name = "xsrf-token";                 options.cookie.httponly = false;             }); ... }

this should enable angular app access anti forgery cookie name angular 4 expects.

within app, have changed on use new httpclient service (apparently http service has been deprecated!) supposed use interceptor send xsrf_token automatically server.

but have been unable make work.

i tried standard post call using httpclient service:

this.httpclient.post(this.baseurl + 'account/logout', "", options).subscribe(result => {     location.replace("/"); }, error => {     console.error(error); })

i tried adding headers manually:

let token = this.cookieservice.get("xsrf-token"); console.log(token);  var httpheaders = new httpheaders({ 'xsrf-token': token })  this.httpclient.post(this.baseurl + 'account/logout', "", { headers: httpheaders }).subscribe(result => {     location.replace("/"); }, error => {     console.error(error); })

i tried using old service both , without added headers:

let token = this.cookieservice.get("xsrf-token");         console.log(token);          let headers = new headers({             //'content-type': 'application/json',             'x-xsrf-token': token         });         let options = new requestoptions({ headers: headers });         this.http.post(this.baseurl + 'account/logout', "", options).subscribe(result => {             location.replace("/")         }, error => console.error(error));

unfortunately, i've had no luck. has else managed working?

ok, i've figured out solution.

my index.cshtml page looks this:

@html.antiforgerytoken()  <app>loading...</app>  <script src="~/dist/vendor.js" asp-append-version="true"></script> @section scripts {     <script src="~/dist/main-client.js" asp-append-version="true"></script> }

what generate anti-forgery token on server side, , place in hidden input field on page. when view page source, hidden input field looks this:

<input name="__requestverificationtoken" type="hidden" value="cfdj8daenvkvnl9ehpvzhkqwhc-pet4enm_svdteygzje4wnh34sbfg_d_aphtpzbm1jekquhssx1kwbivxaotpsovfmks5n_dln0sr3xrg-n2s0ofaa3-yvg87qdzxym1ybsyh7dlribu5it3wi2iyzwqyo4b1i_irtmikz41gmuldze8ve72zvqmehzav5rqihkw" />

in logout method, obtain token , submit in headers server-side controller. name of header requestverificationtoken, no underscores necessary.

logout() {      let token: = $("input[name=__requestverificationtoken]").val();     if (token !== null) {         var httpheaders: = new httpheaders({ 'requestverificationtoken': token });          this.httpclient.post("/account/logout", null, { headers: httpheaders }).subscribe(() => {             window.location.replace("/account/login");         }, error => {             console.log(error);         });     } }

on server-side, antiforgery filter runs, compares submitted value, , if value expected, allow server side account/logout method executed.

the server-side method looks this:

// // post: /account/logout [httppost] [validateantiforgerytoken] public async task<iactionresult> logout() {   await _signinmanager.signoutasync();   return redirecttoaction(nameof(homecontroller.index), "home"); }

putting break point in logout method prove executes.

there might gotcha here. not sure whether token changes on each request. haven't done testing on this. if does, new token need added page after each request.

also, did not need modify behaviour of default cookie. not doing angular 4 way. purely asp.net approach. is, in configureservices method in startup.cs file, have commented out cookie changes:

public void configureservices(iservicecollection services)         {             //services.addantiforgery(options =>             //{             //    options.cookie.name = "xsrf-token";             //    options.cookie.httponly = false;             //});

if think you've found better way of doing this, means, please post solution.


Comments

Post a Comment

Popular posts from this blog

ubuntu - PHP script to find files of certain extensions in a directory, returns populated array when run in browser, but empty array when run from terminal -

i running os ububtu 16.04. ultimate goal able run php script cron job every minute. here php script located @ /var/www/html/tests/test/index.php : <?php $directorypath = $_server['document_root']."/tests/test/data/"; echo "directorypath: $directorypath<br><br>";//check $imagefilepathsarray = glob($directorypath . "*.{png,gif}", glob_brace); echo "<br><br>imagefilepathsarray: "; print_r($imagefilepathsarray);//check ?> when open php script in browser visiting url my-ip-address/tests/test/index.php , get: directorypath: /var/www/html/tests/test/data/ imagefilepathsarray:array( [0] => /var/www/html/tests/test/data/pic.png [1] => /var/www/html/tests/test/data/pic.gif ) before writing cron job in crontab file, need check if can run anywhere using terminal . opened ubuntu terminal @ /home/ location, , executed in terminal: sudo php /var/www/html/tests/test/index.php i got following out...
Read more

php - How can i create a user dashboard -

today have questions you, want create user dashboard site, include (obviously), users data, example -email -username -and others stuff how can information, , print them in html page? if can, how can these information via php sessions? shuld use session? example, if user login, , start new session ( session_start() ), how can data print in dashboard? should use php "project"? in advice, have day , thank time!
Read more

javascript - How to detect toggling of the fullscreen-toolbar in jQuery Mobile? -

i have jquery mobile page fixed full-screen toolbar, data-tap-toggle enabled. straight under toolbar have positioned banner should slide upwards when toolbar hiding , slide downward when toolbar showing. jquery mobile toggles toolbar applying , removing ui-fixed-hidden class - sadly, can't find in documentation of toolbar widget toggle , hide or show event that. how can detect when toolbar toggled, reposition banner? .banner { position: fixed; background-color: darkseagreen; top: 46px; min-height: 48px; width: 100%; text-align: center; line-height: 48px; } <!doctype html> <html> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"> <link rel="stylesheet" href="https://code.jquery.com/mobile/1.4.5/jquery.mobile-1.4.5.css"> <script src="https://code.jquery.com/jquery-1....
Read more