I was just wondering if there was a reason you didn't use Antiforgery Tokens to prevent Cross-site Request Forgery?
9 Answer(s)
-
0
Most of the communication with the server is made via AJAX. I will add a feature to ABP to automatically provide an anti-forgery mechanism. Non-AJAX communication is just the register and login forms (as I remember). There is no reason not to implement it for these actions. You can implement it for your project. Thanks.
-
0
Excellent, thank you.
I have handled sending AntiForgery tokens with AJAX before, but I am pretty new to Angular, so I will need to do some more research on how to handle this with Angular.
-
0
I was wondering if you figured out a way to automatically add the anti-forgery mechanism you said you were working on back in September of last year?
-
0
I just learned that the AngularJS $http service reads a token from a cookie (it looks for XSRF-TOKEN, while ASP.NET uses __RequestVerificationToken) and then Angular sets it as an HTTP header (X-XSRF-TOKEN).
The documentation talks a bit about this, about halfway down the page, in the section labeled "Cross Site Request Forgery (XSRF) Protection": <a class="postlink" href="https://docs.angularjs.org/api/ng/service/$http">https://docs.angularjs.org/api/ng/service/$http</a>
Here is a good example of how to do this in ASP.NET MVC or WebAPI. The problem is that since you use the Dynamic WebAPI controllers for the Angular app, I have no idea how to make this work for those. <a class="postlink" href="http://geekswithblogs.net/Frez/archive/2015/01/11/anti-forgery-tokens-with-angularjs-and-asp.net-web-api.aspx">http://geekswithblogs.net/Frez/archive/ ... b-api.aspx</a>
Any help would be greatly appreciated.
-
0
Hi,
Thanks for the information sharing. Let us check it and find a way.
-
0
Sounds good. For now I am going to try to create my own WebApiModule that inherits from AbpWebApiModule, override the Initialize() method, and create my own InitializeFilters() private method that adds a ValidateAPIAntiForgeryTokenAttribute I create to validate these AntiForgery tokens.
I haven't finished this yet, but I am hoping that my WebAPIModule will then depend on the one that inherits from AbpWebApiModule, and that the dynamic API controller builder will use that attribute.
It's just a concept right now, but I will update it whether it works or not.
-
0
I decided not to inherit from AbpWebApiModule since I was unable to get it working with Castle Windsor. What I ended up doing is creating my own AbpWebApiCustomModule that only initializes my custom filter to validate the anti-forgery token. I then referenced it in my CompanyWebAPIModule like this: [DependsOn(typeof(AbpApiCustomModule), typeof(AbpWebApiModule)...
This all worked as I hoped it would, but now I am having a different problem getting Angular to send the token as a header, since ASP.NET creates a cookie called __RequestVerificationToken and not X-XSRF-Token as Angular is looking for.
Doing something like this...
.run(function ($http) {
    $http.defaults.headers.common['X-XSRF-Token'] =
        angular.element('input[name="__RequestVerificationToken"]').attr('value');
})
doesn't work either since you are wrapping the $http with a dynamic service. So I am unsure how to handle this for every Angular request.
Any ideas?
-
0
Still trying to get this to work with the dynamic controllers. For the most part I have it working for all POST requests except one. I ended up putting this line of code
config.headers['X-XSRF-Token'] = angular.element('input[name="__RequestVerificationToken"]').attr('value');
in the abp.ng.js file under the
abpModule.config(['$httpProvider', function ($httpProvider) {
    $httpProvider.interceptors.push(['$q', function ($q) {
        return {
            'request': function (config) {
                if (endsWith(config.url, '.cshtml')) {
                    config.url = abp.appPath + 'AbpAppView/Load?viewUrl=' + config.url + '&_t=' + abp.pageLoadTime.getTime();
                }
                // Anti Forgery Token
                config.headers['X-XSRF-Token'] = angular.element('input[name="__RequestVerificationToken"]').attr('value');
                return config;
            }
            // remaining interceptor members of abp.ng.js unchanged
        };
    }]);
}]);
As you can see here, this works for the most part to send the headers. But there is one service that seems to run right before this is loaded. The service that fails without the XSRF token header is /api/services/app/session/GetCurrentLoginInformations. This must fire off before either abpModule.config is run or the layout is loaded. The layout.cshtml is where I have the @Html.AntiForgeryToken() being generated.
Would you have any suggestions? This is hanging me up big time.
-
0
Hi,
We also need to use anti-forgery tokens. It would be great if aspnetzero had this feature in the Web API and Angular. Any update on this issue?