dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Logout doesn't work in Blazor Web Application with global WASM interactivity (AntiforgeryValidationException) #58822

Open Andrzej-W opened 2 weeks ago

Andrzej-W commented 2 weeks ago

Describe the bug

AntiforgeryValidationException after clicking logout when Blazor WASM interactive page is displayed in application with global interactivity.

Expected Behavior

Logout should work without exceptions.

Steps To Reproduce

  1. Create a Blazor Web Application with global WASM interactivity: `dotnet new blazor -n LogoutTest --interactivity WebAssembly --auth Individual --all-interactive True`
  2. Run the application, register a new user (apply the DB migration), and log in as the new user.
  3. (This step is not necessary.) Open any page used to manage an account (they are not interactive). Click Logout - everything works as expected.
  4. Log in again, open any WASM interactive page, for example Counter, and click Logout. Exception!

Exceptions (if any)

      An unhandled exception has occurred while executing the request.
      Microsoft.AspNetCore.Http.BadHttpRequestException: Invalid anti-forgery token found when reading parameter "string returnUrl" from the request body as form.
       ---> Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The required antiforgery request token was not provided in either form field "__RequestVerificationToken" or header value "RequestVerificationToken".
         at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
         at Microsoft.AspNetCore.Antiforgery.Internal.AntiforgeryMiddleware.InvokeAwaited(HttpContext context)
         --- End of inner exception stack trace ---
         at Microsoft.AspNetCore.Http.RequestDelegateFactory.Log.InvalidAntiforgeryToken(HttpContext httpContext, String parameterTypeName, String parameterName, Exception exception, Boolean shouldThrow)
         at Microsoft.AspNetCore.Http.RequestDelegateFactory.<HandleRequestBodyAndCompileRequestDelegateForForm>g__TryReadFormAsync|103_0(HttpContext httpContext, String parameterTypeName, String parameterName, Boolean throwOnBadRequest)
         at Microsoft.AspNetCore.Http.RequestDelegateFactory.<>c__DisplayClass103_2.<<HandleRequestBodyAndCompileRequestDelegateForForm>b__2>d.MoveNext()
      --- End of stack trace from previous location ---
         at Microsoft.AspNetCore.Antiforgery.Internal.AntiforgeryMiddleware.InvokeAwaited(HttpContext context)
         at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

.NET Version

9.0.100-rc.2.24474.11

Anything else?

Probably a related issue: https://github.com/dotnet/aspnetcore/issues/56687. Pinging @javiercn because he was active in the related issue.

Andrzej-W commented 2 weeks ago

The problem is that the HTML form does not contain the __RequestVerificationToken hidden field. This bug is related to this issue https://github.com/dotnet/aspnetcore/issues/54533 and it looks like it is NOT fixed. The original issue was reported by @SteveSandersonMS. Pinging @javiercn again because he was working on the fix in .NET 9 RC1.
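For reference, the server side of the flow the comments above describe, as an added example rather than code from the dotnet/aspnetcore repository or the project template: a minimal API logout endpoint that binds a `[FromForm]` parameter, which is what makes the antiforgery middleware validate the request and produce the exception in the report. The `ApplicationUser` type, the `/Account/Logout` route and the `returnUrl` parameter name are assumptions (the parameter name is visible in the exception message).

```csharp
// Added example, not the aspnetcore template's own code.
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAntiforgery();
// Identity, EF Core and Razor component registrations are omitted here;
// the template's defaults are assumed.
var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();
// Antiforgery must run after authentication/authorization and before the
// endpoints, which matches the middleware order in the reported stack trace.
app.UseAntiforgery();

var account = app.MapGroup("/Account");

// Because this handler binds a form parameter, the request is only accepted
// when the form carries the token, i.e. the markup posting here must render
//   <input type="hidden" name="__RequestVerificationToken" value="...">
// (what <AntiforgeryToken /> emits inside a <form method="post">). A POST
// without that field is rejected with the 400 shown in the issue; that is the
// intended behaviour, so the fix belongs in the form rendering, not in
// removing validation from the endpoint (which would leave logout open to
// cross-site forged requests).
account.MapPost("/Logout", async (
    ClaimsPrincipal user,
    SignInManager<ApplicationUser> signInManager,
    [FromForm] string returnUrl) =>
{
    await signInManager.SignOutAsync();
    // LocalRedirect only accepts app-relative targets, so a tampered
    // returnUrl cannot send the user to another site after logout.
    return TypedResults.LocalRedirect($"~/{returnUrl}");
});

app.Run();

// Assumed Identity user type, as generated by the template.
public class ApplicationUser : IdentityUser { }
```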