Add antiforgery token to forms rendered interactively on the server

halter73 · halter73 · commit cdc96b0c8b14 · 2023-10-05T01:56:10.000-07:00
diff --git a/src/Components/Endpoints/src/Forms/EndpointAntiforgeryStateProvider.cs b/src/Components/Endpoints/src/Forms/EndpointAntiforgeryStateProvider.cs
@@ -20,7 +20,8 @@ internal void SetRequestContext(HttpContext context)
     {
         if (_context == null)
         {
-            return null;
+            // We're in an interactive context. Use the token persisted during static rendering.
+            return base.GetAntiforgeryToken();
         }
 
         // We already have a callback setup to generate the token when the response starts if needed.
diff --git a/src/Components/Shared/src/DefaultAntiforgeryStateProvider.cs b/src/Components/Shared/src/DefaultAntiforgeryStateProvider.cs
@@ -26,7 +26,7 @@ public DefaultAntiforgeryStateProvider(PersistentComponentState state)
         {
             state.PersistAsJson(PersistenceKey, GetAntiforgeryToken());
             return Task.CompletedTask;
-        }, RenderMode.InteractiveWebAssembly);
+        }, RenderMode.InteractiveAuto);
 
         state.TryTakeFromJson(PersistenceKey, out _currentToken);
     }
diff --git a/src/Components/test/E2ETest/ServerRenderingTests/FormHandlingTests/FormWithParentBindingContextTest.cs b/src/Components/test/E2ETest/ServerRenderingTests/FormHandlingTests/FormWithParentBindingContextTest.cs
@@ -909,6 +909,21 @@ public void CanUseAntiforgeryTokenInWasm()
         DispatchToFormCore(dispatchToForm);
     }
 
+    [Fact]
+    public void CanUseAntiforgeryTokenWithServerInteractivity()
+    {
+        var dispatchToForm = new DispatchToForm(this)
+        {
+            Url = "forms/antiforgery-server-interactive",
+            FormCssSelector = "form",
+            InputFieldId = "value",
+            InputFieldValue = "stranger",
+            SuppressEnhancedNavigation = true,
+            Ready = "really-ready",
+        };
+        DispatchToFormCore(dispatchToForm);
+    }
+
     [Theory]
     [InlineData(true)]
     [InlineData(false)]
diff --git a/src/Components/test/testassets/Components.TestServer/RazorComponentEndpointsStartup.cs b/src/Components/test/testassets/Components.TestServer/RazorComponentEndpointsStartup.cs
@@ -8,7 +8,6 @@
 using Components.TestServer.RazorComponents;
 using Components.TestServer.RazorComponents.Pages.Forms;
 using Components.TestServer.Services;
-using Microsoft.AspNetCore.Components.WebAssembly.Server;
 using Microsoft.AspNetCore.Mvc;
 
 namespace TestServer;
@@ -73,6 +72,19 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
                 InteractiveStreamingRenderingComponent.MapEndpoints(endpoints);
 
                 MapEnhancedNavigationEndpoints(endpoints);
+
+                endpoints.MapPost("/verify-antiforgery", (
+                    [FromForm] string value,
+                    [FromForm(Name = "__RequestVerificationToken")] string csrfToken) =>
+                {
+                    // We shouldn't get this far without a valid CSRF token, but we double check it's there.
+                    if (string.IsNullOrEmpty(csrfToken))
+                    {
+                        throw new Exception("Invalid POST to /verify-antiforgery!");
+                    }
+
+                    return TypedResults.Text($"<p id='pass'>Hello {value}!</p>", "text/html");
+                });
             });
         });
     }
diff --git a/src/Components/test/testassets/Components.TestServer/RazorComponents/Pages/Forms/FormRenderedWithServerInteractivityCanUseAntiforgeryToken.razor b/src/Components/test/testassets/Components.TestServer/RazorComponents/Pages/Forms/FormRenderedWithServerInteractivityCanUseAntiforgeryToken.razor
@@ -0,0 +1,23 @@
+﻿@page "/forms/antiforgery-server-interactive"
+
+@using Microsoft.AspNetCore.Components.Forms
+
+@attribute [RenderModeInteractiveServer]
+
+<h3>FormRenderedWithServerInteractivityCanUseAntiforgeryToken</h3>
+
+<form action="verify-antiforgery" method="post" @formname="verify-antiforgery">
+    <AntiforgeryToken />
+    <input type="text" id="value" name="value" />
+    <input id="send" name="send" type="submit" value="Send" />
+</form>
+
+@if (HttpContext is null)
+{
+    <p id="really-ready">Interactively rendered!</p>
+}
+
+@code {
+    [CascadingParameter]
+    HttpContext? HttpContext { get; set; }
+}
diff --git a/src/Components/test/testassets/TestContentPackage/WasmFormComponent.razor b/src/Components/test/testassets/TestContentPackage/WasmFormComponent.razor
@@ -16,7 +16,7 @@
 {
     @if (_succeeded)
     {
-        <p id="pass">Posting the value succeded.</p>
+        <p id="pass">Posting the value succeeded.</p>
     }
     else
     {
@@ -42,7 +42,7 @@ else
         if (OperatingSystem.IsBrowser())
         {
             var antiforgery = AntiforgeryState.GetAntiforgeryToken();
-            _token = antiforgery.Value;            
+            _token = antiforgery.Value;
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,8 @@ internal void SetRequestContext(HttpContext context)`
`20`	`20`	`{`
`21`	`21`	`if (_context == null)`
`22`	`22`	`{`
`23`		`- return null;`
	`23`	`+ // We're in an interactive context. Use the token persisted during static rendering.`
	`24`	`+ return base.GetAntiforgeryToken();`
`24`	`25`	`}`
`25`	`26`
`26`	`27`	`// We already have a callback setup to generate the token when the response starts if needed.`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ public DefaultAntiforgeryStateProvider(PersistentComponentState state)`
`26`	`26`	`{`
`27`	`27`	`state.PersistAsJson(PersistenceKey, GetAntiforgeryToken());`
`28`	`28`	`return Task.CompletedTask;`
`29`		`- }, RenderMode.InteractiveWebAssembly);`
	`29`	`+ }, RenderMode.InteractiveAuto);`
`30`	`30`
`31`	`31`	`state.TryTakeFromJson(PersistenceKey, out _currentToken);`
`32`	`32`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@`
`16`	`16`	`{`
`17`	`17`	`@if (_succeeded)`
`18`	`18`	`{`
`19`		`- <p id="pass">Posting the value succeded.</p>`
	`19`	`+ <p id="pass">Posting the value succeeded.</p>`
`20`	`20`	`}`
`21`	`21`	`else`
`22`	`22`	`{`
`@@ -42,7 +42,7 @@ else`
`42`	`42`	`if (OperatingSystem.IsBrowser())`
`43`	`43`	`{`
`44`	`44`	`var antiforgery = AntiforgeryState.GetAntiforgeryToken();`
`45`		`- _token = antiforgery.Value;`
	`45`	`+ _token = antiforgery.Value;`
`46`	`46`	`}`
`47`	`47`	`}`
`48`	`48`