Open Closed

Using AntiForgery Tokens #357


0
joe704la created

I was just wondering if there was a reason you didn't use Antiforgery Tokens to prevent Cross-site Request Forgery?


9 Answer(s)
  • 0
    hikalkan created
    Support Team

    Most of communication with the server made via AJAX. I will add a feature to ABP to automatically make anti forgery mechanism. Non-ajax communication is just register and login forms (as I remember). No reasonable reason to not implement it for these actions. You can implement it for your project. Thanks.

  • 0
    joe704la created

    Excellent, thank you.

    I have handled sending AntiForgery tokens with Ajax before but I am pretty new to Angular so I will need to do some more research on how to handle this with Angular.

  • 0
    joe704la created

    I was wondering if you figured out a way to automatically make Anti-Forgery mechanism as you suggested back in September of last year you were working on?

  • 0
    joe704la created

    I just learned that AngularJS $http service reads a token from a cookie (it looks for XSRF-TOKEN and ASP.NET uses __RequestVerificationToken) then Angular will set it as an HTTP header (X-XSRF-TOKEN).

    The documentation talks a bit about this here about half way down the page in the section labeled "Cross Site Request Forgery (XSRF) Protection" <a class="postlink" href="https://docs.angularjs.org/api/ng/service/$http">https://docs.angularjs.org/api/ng/service/$http</a>

    Here is a good example how to do this in ASP.NET MVC or WebAPI. The problem is since you use the Dynamic WebAPI controllers for the Angular App I have no idea how to make this work for those. <a class="postlink" href="http://geekswithblogs.net/Frez/archive/2015/01/11/anti-forgery-tokens-with-angularjs-and-asp.net-web-api.aspx">http://geekswithblogs.net/Frez/archive/ ... b-api.aspx</a>

    Any help would be greatly appreciated.

  • 0
    hikalkan created
    Support Team

    Hi,

    Thanks for the information sharing. Let us check it and find a way.

  • 0
    joe704la created

    Sounds good. For now I am going to try and create my own WebApiModule that inherits from AbpWebApiModule and then override the Initialize() method and create my own IntializeFilters() private method that adds a ValidateAPIAntiForgeryTokenAtribute I create to validate these AntiForgery tokens.

    I haven't finished this yet but I am hoping then in the WebAPIModule I will have it depend on the one that inherits from AbpWebApiModule and I am hoping it will use that attribute in the dynamic api controller builder.

    It's just a concept right now but I will update it if works or not.

  • 0
    joe704la created

    I decided not to inherit from AbpWebApiModule since I was unable to get it working with Castle Windsor. What I ended up doing is creating my own AbpWebApiCustomModule that only initialized my custom filter to validate the Anti-Forgery token. I then added this to be used like this in my CompanyWebAPIModule [DependsOn(typeof(AbpApiCustomModule), typeof(AbpWebApiModule)...

    this all worked as I hoped it would but now I am having a different problem with having Angular to send the token as a header since ASP.NET creates a cookie called this __RequestVerificationToken and not X-XSRF-Token as Angular is looking for.

    Doing something like this...

    .run(function($http) { $http.defaults.headers.common['X-XSRF-Token'] = angular.element('input[name="__RequestVerificationToken"]').attr('value'); })

    doesn't work either since you are wrapping the $http with a dynamic service. So I am unsure how to handle this for every Angular request.

    Any ideas?

  • 0
    joe704la created

    Still Trying to get this to work with the Dynamic Controllers, For the most part I have it working for all POST request except one. I ended up putting this line of code

    config.headers['X-XSRF-Token'] = angular.element('input[name="__RequestVerificationToken"]').attr('value');

    in the abp.ng.js file under the..

    abpModule.config([
        '$httpProvider', function ($httpProvider) {
            $httpProvider.interceptors.push(['$q', function ($q) {
    
                return {
    
                    'request': function (config) {
                        if (endsWith(config.url, '.cshtml')) {
                            config.url = abp.appPath + 'AbpAppView/Load?viewUrl=' + config.url + '&_t=' + abp.pageLoadTime.getTime();
                        }
                        //Anti Forgery Token
                        config.headers['X-XSRF-Token'] = angular.element('input[name="__RequestVerificationToken"]').attr('value');
                        return config;
                    },
    

    As you can see here. This works for the most part to send the headers. But there is one service that runs right before this seems to be loaded. The service that fails without the header XSRF token is /api/services/app/session/GetCurrentLoginInformations. This must fire off before either abpModule.config is ran or the layout is loaded. The layout.cshtml is where I have the @Html.AntiForgeryToken() being generated.

    Would you have any suggestions? This is hanging me up big time.

  • 0
    tonid created

    Hi,

    We also need to use antiforgery tokens. It would be great if aspnetzero has this feature in web API and angular. Any update on this issue?