Angular2 ASP.NET Core AntiForgeryToken

Backend | Unresolved | 4 answers | 2023
礼貌的吻别 2020-12-13 16:19

I have an Angular2 app. It is running within ASP.NET 5 (Core).
It makes Http calls to the controller which is working fine.

Bu

4 answers
暗喜 (OP) 2020-12-13 17:09

    To validate the token from a header you can use something like this:

    using System;
    using System.Net;
    using System.Web;
    using System.Web.Helpers;
    using System.Web.Mvc;

    [AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
    public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
    {
        public void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null)
            {
                throw new ArgumentNullException(nameof(filterContext));
            }

            var httpContext = filterContext.HttpContext;

            // Reject early, with a JSON body, when the client did not send the header at all.
            if (httpContext.Request.Headers["__RequestVerificationToken"] == null)
            {
                httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
                httpContext.Response.StatusDescription = "RequestVerificationToken missing.";

                filterContext.Result = new JsonResult
                {
                    Data = new { ErrorMessage = httpContext.Response.StatusDescription },
                    JsonRequestBehavior = JsonRequestBehavior.AllowGet
                };
                return;
            }

            // Validate the header token against the anti-forgery cookie; throws HttpAntiForgeryException on mismatch.
            var cookie = httpContext.Request.Cookies[AntiForgeryConfig.CookieName];
            AntiForgery.Validate(cookie != null ? cookie.Value : null, httpContext.Request.Headers["__RequestVerificationToken"]);
        }
    }


    Then you just add [ValidateHeaderAntiForgeryToken] on the methods in your controller. Note though, this is from an MVC 5, ASP.NET 4.5.2 project, so you may have to alter it slightly to adjust to .NET Core. Also I modified this to return a JSON result if the token is missing; you can remove that part if you don't handle the error response and output it to the user. Credit for the core part of this attribute goes to: https://nozzlegear.com/blog/send-and-validate-an-asp-net-antiforgerytoken-as-a-request-header

    The hard part is how to generate the AntiForgeryToken without using @Html.AntiForgeryToken() in a pure Angular 2 application (without access to .cshtml files). I'm looking for an answer to that as well.
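An added example, not code from the answer above or from the linked blog post: the same header-based check ported to ASP.NET Core, together with the configuration that lets a pure Angular app obtain the token without @Html.AntiForgeryToken(). It assumes an ASP.NET Core 2.x-style Startup, Angular's default XSRF-TOKEN cookie and X-XSRF-TOKEN header names, and HTTPS (for the Secure cookie flag).

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
// ASP.NET Core port of the attribute in the answer above. Cookie and header names are
// assumed to match Angular 2's CookieXSRFStrategy defaults (XSRF-TOKEN / X-XSRF-TOKEN).
public sealed class ValidateHeaderAntiForgeryTokenAttribute : Attribute, IAsyncAuthorizationFilter
{
    public const string HeaderName = "X-XSRF-TOKEN";
    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        var antiforgery = context.HttpContext.RequestServices.GetRequiredService<IAntiforgery>();
        try
        {
            // Compares the header token with the framework's HttpOnly cookie; throws if missing or mismatched.
            await antiforgery.ValidateRequestAsync(context.HttpContext);
        }
        catch (AntiforgeryValidationException)
        {
            // Same idea as the MVC 5 version: 403 plus a JSON body the Angular client can show.
            context.Result = new JsonResult(new { ErrorMessage = "Antiforgery token missing or invalid." }) { StatusCode = StatusCodes.Status403Forbidden };
        }
    }
}
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        // Read the request token from our header instead of a hidden form field.
        services.AddAntiforgery(o => o.HeaderName = ValidateHeaderAntiForgeryTokenAttribute.HeaderName);
    }
    public void Configure(IApplicationBuilder app, IAntiforgery antiforgery)
    {
        app.Use(next => ctx =>
        {
            // Replaces @Html.AntiForgeryToken(): store the framework cookie, then expose the request
            // token in a readable cookie that Angular copies into the X-XSRF-TOKEN header.
            var tokens = antiforgery.GetAndStoreTokens(ctx);
            ctx.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken,
                new CookieOptions { HttpOnly = false, Secure = true }); // Secure assumes HTTPS
            return next(ctx);
        });
        app.UseMvc();
    }
}
```

Decorate the controller actions with [ValidateHeaderAntiForgeryToken] as in the answer; the readable XSRF-TOKEN cookie only carries the request half of the pair, so a forged cross-site request still fails validation without the matching HttpOnly cookie.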
