mkArtakMSFT
commented
6 years ago Hi @drauch, is this happening as part of the default Anti-Forgery feature? Or are you calling to Anti-Forgery directly?
Closed drauch closed 6 years ago
mkArtakMSFT
commented
6 years ago Hi @drauch, is this happening as part of the default Anti-Forgery feature? Or are you calling to Anti-Forgery directly?
mkArtakMSFT
commented
6 years ago Chaning the exception type would be a breaking change, but there is an alternative to handle it in the filter.
drauch
commented
6 years ago As a workaround we are now installing a decorator for the DefaultAntiforgery IAntiforgery service which translates InvalidOperationExceptions to AntiForgeryExceptions which are then in turn handled by the filter correctly (by returning a 400 BadRequest). It feels really weird to catch an InvalidOperationException...I'd still mark it as a bug in the antiforgery infrastructure.
aspnet-hello
commented
6 years ago This issue was moved to aspnet/Home#2410
If the antiforgery token is missing, the antiforgery infrastructure correctly returns BadRequest. However, if the antiforgery token cannot be parsed by the cryptography infrastructure below (e.g., because it has been tampered with by a malicious user) an InvalidOperationException bubbles up.
This is bad style because it returns a 500 HTTP status code instead of 400. It also triggers our operation to look at the exception log because it's marked as an internal server error and not a client error.
Please fix this - or is there a known workaround?