Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Malte 7 posts 107 karma points
    Jun 27, 2017 @ 08:45
    Malte
    0

    UmbracoApiController and Custom AntiForgeryToken Validator

    Hi,

    im currently developing a Web Application with Umbraco and Angular. I would like to secure my input Fields with the Microsoft AntiForgeryToken, i was able to create this Token, but unable to Validate it. I added a custom AntiForgeryTokenValidator to the UmbracoApiController

    namespace Project.Controllers.APIs
    {
        [AdfsAuthorize]
        [MyValidateAntiForgeryToken]
        public class HelperApiController : UmbracoApiController
        {
    

    But this Validator is not getting called.

    using System;
    using System.Web;
    using System.Web.Helpers;
    using System.Web.Mvc;
    using static System.String;
    
    namespace Project.Filters
    {
        [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
        public class MyValidateAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
        {
    
    
            private void ValidateRequestHeader(HttpRequestBase request)
            {
                var cookieToken = Empty;
                var formToken = Empty;
                var tokenValue = request.Headers["RequestVerificationToken"];
                if (!IsNullOrEmpty(tokenValue))
                {
                    var tokens = tokenValue.Split(':');
                    if (tokens.Length == 2)
                    {
                        cookieToken = tokens[0].Trim();
                        formToken = tokens[1].Trim();
                    }
                }
                AntiForgery.Validate(cookieToken, formToken);
            }
    
            public void OnAuthorization(AuthorizationContext filterContext)
            {
    
                try
                {
                    if (filterContext.HttpContext.Request.IsAjaxRequest())
                    {
                        ValidateRequestHeader(filterContext.HttpContext.Request);
                    }
                    else
                    {
                        AntiForgery.Validate();
                    }
                }
                catch (HttpAntiForgeryException e)
                {
                    throw new HttpAntiForgeryException("Anti forgery token cookie not found");
                }
            }
        }
    }
    

    The same applies to the the AdfsAuthorize Attibute.

    The Project is currently on Umbraco 7.5.2.

    Do you guys have any idea or possible solution for me?

    Best regards from Germany

    Malte

  • David Brendel 792 posts 2970 karma points MVP 3x c-trib
    Jun 27, 2017 @ 18:45
    David Brendel
    0

    Hi Malte,

    I'm using the folling attribute to do custom antiforgery validation:

    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
    internal sealed class ValidateHttpAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
    {
        public Task<HttpResponseMessage> ExecuteAuthorizationFilterAsync(HttpActionContext actionContext, CancellationToken cancellationToken, Func<Task<HttpResponseMessage>> continuation)
        {
            HttpRequestMessage request = actionContext.Request;
    
            try
            {
                if (IsAjaxRequest(request))
                {
                    ValidateRequestHeader(request);
                }
                else
                {
                    AntiForgery.Validate();
                }
            }
            catch (Exception ex)
            {
    
                LogHelper.Error<ValidateHttpAntiForgeryTokenAttribute>(ex.Message, ex);
    
                actionContext.Response = new HttpResponseMessage
                {
                    StatusCode = HttpStatusCode.Forbidden,
                    RequestMessage = actionContext.ControllerContext.Request
                };
                return FromResult(actionContext.Response);
            }
            return continuation();
        }
    
        private Task<HttpResponseMessage> FromResult(HttpResponseMessage result)
        {
            var source = new TaskCompletionSource<HttpResponseMessage>();
            source.SetResult(result);
            return source.Task;
        }
    
        private bool IsAjaxRequest(HttpRequestMessage request)
        {
            IEnumerable<string> xRequestedWithHeaders;
            if (request.Headers.TryGetValues("X-Requested-With", out xRequestedWithHeaders))
            {
                string headerValue = xRequestedWithHeaders.FirstOrDefault();
                if (!String.IsNullOrEmpty(headerValue))
                {
                    return String.Equals(headerValue, "XMLHttpRequest", StringComparison.OrdinalIgnoreCase);
                }
            }
    
            return false;
        }
    
        private void ValidateRequestHeader(HttpRequestMessage request)
        {
            var headers = request.Headers;
            var cookie = headers
                .GetCookies()
                .Select(c => c[AntiForgeryConfig.CookieName])
                .FirstOrDefault();
    
            IEnumerable<string> xXsrfHeaders;
    
            if (headers.TryGetValues("X-XSRF-Token", out xXsrfHeaders))
            {
                var rvt = xXsrfHeaders.FirstOrDefault();
    
                if (cookie == null)
                {
                    throw new InvalidOperationException(String.Format("Missing {0} cookie", AntiForgeryConfig.CookieName));
                }
    
                AntiForgery.Validate(cookie.Value, rvt);
            }
            else
            {
                var headerBuilder = new StringBuilder();
    
                headerBuilder.AppendLine("Missing X-XSRF-Token HTTP header:");
    
                foreach (var header in headers)
                {
                    headerBuilder.AppendFormat("- [{0}] = {1}", header.Key, header.Value);
                    headerBuilder.AppendLine();
                }
    
                throw new InvalidOperationException(headerBuilder.ToString());
            }
        }
    }
    

    Maybe that helps.

    Regard David

  • Malte 7 posts 107 karma points
    Jun 29, 2017 @ 08:07
    Malte
    0

    Hi David,

    thanks for your response. The Problem now is that VS is saying this method is missing:

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        throw new NotImplementedException();
    }
    

    How do i wire this up correctly?

    Regards Malte

  • Malte 7 posts 107 karma points
    Aug 04, 2017 @ 09:10
    Malte
    100

    Hi all,

    @Marcel Wege found the Problem, it was due to the fact that i used

    public class MyValidateAntiForgeryTokenAttribute : System.Web.Mvc.Filters.FilterAttribute, System.Web.Mvc.Filters.IAuthorizationFilter
    

    after i change the FilterAttribute namespace to

    public class MyValidateAntiForgeryTokenAttribute : System.Web.Http.Filters.FilterAttribute, System.Web.Http.Filters.IAuthorizationFilter
    

    it all worked fine.

Please Sign in or register to post replies

Write your reply to:

Draft