dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Logout fails in Blazor Web App with Identity #51180

Closed danroth27 closed 1 year ago

danroth27 commented 1 year ago

Repro steps:

Expected result: The user is logged out successfully

Actual result: 400 Bad Request returned with plain error text:

The POST request does not specify which form is being submitted. To fix this, ensure <form> elements have a @formname attribute with any unique value, or pass a FormName parameter if using <EditForm>.

danroth27 commented 1 year ago

@javiercn @stevesandersonms Why is a plain text response returned for this error instead of the normal ASP.NET Core developer exception page? Is that a separate issue?

SteveSandersonMS commented 1 year ago

The underlying issue here is probably https://github.com/dotnet/razor/issues/9323, i.e., a regression in Razor that was fixed for GA but as far as I know, RC2 will be shipping with that regression inside it. It breaks a lot of form scenarios. We discussed and heard there's no option to get the fix into RC2.

As for why there's a plaintext response, it's because this isn't an unhandled exception. It's a behavior in EndpointHtmlRenderer that intentionally returns this 400 with this message hardcoded to be in plaintext. This is because developers should only see this in development, and never in production, because it should only happen if your app code is objectively wrong. We could change it to do an unhandled exception (so the exception middleware kicks in), but that would give the public a trivial way to trigger an unlimited number of unhandled exceptions in production if they just want to spam the logs.

danroth27 commented 1 year ago

> The underlying issue here is probably https://github.com/dotnet/razor/issues/9323, i.e., a regression in Razor that was fixed for GA

OK, I'll add a known issue to the RC2 blog post for this, both a generic version that mentions the error and a specific mention of the logout issue.

> As for why there's a plaintext response, it's because this isn't an unhandled exception. It's a behavior in EndpointHtmlRenderer that intentionally returns this 400 with this message hardcoded to be in plaintext.

Got it, makes sense.

mkArtakMSFT commented 1 year ago

Closing as this is fixed and will be in the 8.0 GA: https://github.com/dotnet/razor/issues/9323

DM-98 commented 1 year ago

@SteveSandersonMS Is there a workaround for the form, or do we need to wait until GA? The default Blazor template with Individual accounts gives the same exception when clicking on the Logout button.

SenerDemiral commented 1 year ago

It doesn't give an error when I put another @formname="abcd" next to it.

oliverw commented 1 year ago

> It doesn't give an error when I put another @formname="abcd" next to it.

This works indeed.