Hello,
[v12.2.0 with ASP.NET Core and jQuery]
On top of the web page functionality (Web.Mvc) I want to allow a subset of the APIs to be remotely consumed by customers. For testing I am using CORS (code below) and expect that the API can be consumed with Postman to start with. (Actually, I think CORS is not needed with Postman, only with Swagger).
When I use Postman on the dev machine (localhost), everything works as expected: I get the access token and with that I can call an app service, like GetUsers (as in your doc). When I deploy the app and call https://myexamplepage.co.uk/api/TokenAuth/Authenticate I get an internal error (500) reported.
The log file:
ERROR 2023-10-04 16:57:05.970 [74 ] idateAntiforgeryTokenAuthorizationFilter - The required antiforgery header value "X-XSRF-TOKEN" does not exist.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The required antiforgery header X-XSRF-TOKEN is not present.
   at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
   on Abp.AspNetCore.Mvc.Antiforgery.AbpValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
A logging statement confirms that on the test (production) server I never get inside the Authenticate() method of the TokenAuthController.
I wonder why there is a need for antiforgery / why it is checked and missing?
Any ideas how I can fix this or at least a starting point to get a better understanding?
Thanks and best regards
services.AddCors(options =>
{
    options.AddPolicy(_corsPolicy, builder =>
    {
        builder
            .WithOrigins("*")
            .AllowAnyHeader()
            .AllowAnyMethod();
    });
});
_corsPolicy is an arbitrary string
4 Answer(s)
Hi @lalande1988
You are right, CORS is not needed if the client is not a web app. Could you share the request headers which you try on production? Are you using Postman to test the production endpoint?
Hi @lalande1988
Does this work if you remove the User-Agent header? If not, please share the URL with [email protected]. Thanks,
Hi @ismcagdas,
Excellent, this one worked, thank you very much!
Kind regards,