Closed sikora507 closed 1 year ago
If you haven't yet, take a look at Blazor .NET 8 Preview 7 antiforgery new requirement: .NET 8 Preview 7 Blog Try adding this to your FormTest.razor:
@using Microsoft.AspNetCore.Antiforgery;
@attribute [RequireAntiforgeryToken]
I've just tried adding it, but still no difference. When I use cookies for authentication, SSR form submission seems to be broken. I've added a commit to my repo with your proposed changes too.
Did you also add in app program.cs?:
app.UseAntiforgery();
between app.UseRouting() and the app.MapRazorComponents()
With, or without it, the output is the same, you can check for yourself. When I'm logged out, the token is also there and it works: Something is not right when I'm logged in. There's this cookie in request headers when I'm logged out and i am submitting the form: And this one when I'm logged in and submitting the form: Maybe there's a problem how this is being parsed during antiforgery check or something
Sorry for not including everything but again, try adding AnitForgeryToken-component to the bottom of your form, before the closing tag:
Otherwise im out of ideas.
Edit: ignore this, I thought your first image was the code source, but it's the F12. You're using EditForm so no need for the AntiForgeryToken-component.
I was running into the same issue and fixed it by adding app.UseAntiforgery()
between calls to app.UseAuthorization()
and app.MapRazorComponents()
in program.cs
. Not having the call to UseAntiforgery()
at all, or having it placed before the UseAuth...
calls was causing the issue.
I cloned the example project given in the original issue description and was able to resolve the problem using this fix.
This is caused by the implicit antiforgery middleware, you can use app.UseAntiforgery()
after app.UseAuthentication()
to workaround it. We are going to use https://github.com/dotnet/aspnetcore/issues/50818 to track it
Is there an existing issue for this?
Describe the bug
When I log in a user using cookies, then when I want to post a form using server side rendering, I get this error page with the following text only:
I've isolated the issue and made an example demo application that shows the problem: https://github.com/sikora507/blazor-form-submission-bug
I've made a simple blazor page with simple form that I want to post using SSR, and as you can see, I am not logged in, and I am able to submit a form, and it's content is displayed below. There is no issue yet.
However, when I log in and want to post the same form: When I press the Submit button, I'll get this page:
For logging in, I am using Razor Pages (Login.cshtml and Logout.cshtml) I am doing so, because in my real-world scenario, I want to login using Google and the issue is the same.
This is my actual code that signs in using Google. I need to support a Challenge to Google and a Callback where I sign in the user.
I've isolated the issue by mocking the logging process and calling HttpContext.SignInAsync with pre-made user: https://github.com/sikora507/blazor-form-submission-bug/blob/4b4c0341fe5089b0ecbe83e5a5d6a44783815d53/FormTest/Pages/Login.cshtml.cs#L24C1-L34C29 But the outcome is the same, there's some weird behavior with Blazor's SSR form handling.
I might be wrong, but I was not able to mitigate this issue, I'd be also happy if someome could prove my mistake and show me how it's suppose to be done.
Expected Behavior
There should be no antiforgery token issue after posting a SSR form in Blazor, when user is logged in.
Steps To Reproduce
It was generated using
dotnet new blazor
commandYou will get the error
This issue does not occur when user is logged out. (Try logging out and submit the form again, it will work)
Exceptions (if any)
There is a bad request error in console: Caused by blazor.web.js
.NET Version
8.0.100-preview.7.23376.3
Anything else?
No response