RickStrahl / Westwind.Globalization

Database driven resource localization for .NET applications

Bad request when using antiforgery validation #127

Open lvmajor opened 6 years ago

lvmajor commented 6 years ago

Version: ASP.NET Core 2.x

Problem: When navigating to host/localizationadmin/index.html, the only response we get back for "GetResourceItems" requests is a 400 - Bad request.

Source of problem: By looking at the logs I found out it was caused by the failed antiforgery token validation, and when I remove the global filter from the app configuration (see below), everything works again.

Global filter setup in ConfigureServices: options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());

Potential solution 1: According to the official documentation here, Angular is expecting a cookie with the name X-XSRF, which needs to be set up like in the demo application found in https://github.com/aspnet/Docs/

Essentially you specify the antiforgery token name with services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN"); and then in Configure, set up a route handler that will add this cookie to the response when you hit the app entry point.

I tested it and it works fine; the only problem I have with it is that the cookie is clearly identified as being the xsrf validation token... which does not seem ideal from a security point of view (I know security by obscurity should never be considered as safe, but IMO it's never bad to add obscurity on top of all other security features implemented).

Potential solution 2: Add a new option in the DbResourceConfiguration section for letting the user specify the cookie name that should be used by the validation token (which he uses, for example, when setting the antiforgery options in the ConfigureServices method as such: services.AddAntiforgery(options => options.HeaderName = "customAFCookieName");), and then send a cookie with that name and a value generated by the IAntiforgery within the LocalizationAdmin controller when the index page loads, for example.

Would you have any other idea that would be more "secure" or would you recommend setting up the application like solution 1 or 2?

Thanks in advance and good job on this project, I really like the possibility to edit the resources within the DB or interface and generate the resx files afterwards if required for production.
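The wiring described in solutions 1 and 2 above, as an added example that is not code from the Westwind.Globalization project or from the aspnet/Docs sample: an ASP.NET Core 2.x Startup that keeps the global AutoValidateAntiforgeryTokenAttribute, names the header X-XSRF-TOKEN as in the issue, and hands the request token to the SPA in a script-readable cookie when the admin entry point is requested. The configuration key "Antiforgery:XsrfCookieName" is a hypothetical stand-in for the DbResourceConfiguration option proposed in solution 2; its default, XSRF-TOKEN, is the cookie name Angular's HttpClientXsrfModule reads by default. The path prefix "/localizationadmin" is taken from the issue.

```csharp
// Added example (not Westwind.Globalization code): ASP.NET Core 2.x antiforgery setup
// for an Angular client that echoes the cookie value back in the X-XSRF-TOKEN header.
using System;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;

    public Startup(IConfiguration config) => _config = config;

    // Hypothetical configuration key standing in for the DbResourceConfiguration option
    // from solution 2. Falls back to Angular's default cookie name.
    private string XsrfCookieName => _config["Antiforgery:XsrfCookieName"] ?? "XSRF-TOKEN";

    public void ConfigureServices(IServiceCollection services)
    {
        // The validation filter looks for the request token in this header instead of a form field.
        services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");

        services.AddMvc(options =>
        {
            // Same global filter as in the issue: every unsafe-method request (POST, PUT,
            // DELETE, PATCH) without a valid token pair is rejected with 400 Bad Request.
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
        });
    }

    public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
    {
        // Issue the request token when the admin SPA entry point is loaded (GET only, so the
        // middleware itself never has to pass antiforgery validation).
        app.Use(next => context =>
        {
            var path = context.Request.Path.Value ?? string.Empty;
            if (HttpMethods.IsGet(context.Request.Method) &&
                path.StartsWith("/localizationadmin", StringComparison.OrdinalIgnoreCase))
            {
                // GetAndStoreTokens writes the server-side cookie token (HttpOnly, managed by
                // the framework) and returns the matching request token for the client.
                AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(context);

                context.Response.Cookies.Append(XsrfCookieName, tokens.RequestToken,
                    new CookieOptions
                    {
                        // Must be readable by script: Angular copies it into X-XSRF-TOKEN.
                        // The paired cookie token stays HttpOnly, so leaking this one alone
                        // is not enough to forge a request.
                        HttpOnly = false,
                        Secure = context.Request.IsHttps,
                        SameSite = SameSiteMode.Strict
                    });
            }

            return next(context);
        });

        app.UseStaticFiles();
        app.UseMvc();
    }
}
```

If the cookie is renamed through the configuration key, the Angular side has to be told the same name via HttpClientXsrfModule.withOptions({ cookieName: ... }); otherwise the header is never sent and the filter returns the same 400 described in the issue. Renaming the cookie does not weaken or strengthen the double-submit check itself; the protection comes from the HttpOnly cookie token and the header token having to match.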

lvmajor commented 6 years ago

Saw that a pull request has been made related to this same issue, see #124

Don't know if it's the best option to ignore antiforgery validation completely, but it's an idea.