[release/8.0-preview7] Add support for anti-forgery middleware (#49530)

* Add support for anti-forgery middleware

* Address feedback

* Clean up checks for valid HTTP methods

* Remove unneeded using

* Move RequestSizeLimit processing to EndpointRoutingMiddleware

* Address more feedback

---------

Co-authored-by: Safia Abdalla <[email protected]>

Author: github-actions[bot]

AspNetCore.sln

@@ -1768,6 +1768,10 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "IdentitySample.ApiEndpoints
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Components.WasmMinimal", "src\Components\test\testassets\Components.WasmMinimal\Components.WasmMinimal.csproj", "{87D58D50-20D1-4091-88C5-8D88DCCC2DE3}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MinimalFormSample", "src\Antiforgery\samples\MinimalFormSample\MinimalFormSample.csproj", "{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "MvcFormSample", "src\Mvc\samples\MvcFormSample\MvcFormSample.csproj", "{055F86AA-FB37-40CC-B39E-C29CE7547BB7}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -10609,6 +10613,38 @@ Global
 		{87D58D50-20D1-4091-88C5-8D88DCCC2DE3}.Release|x64.Build.0 = Release|Any CPU
 		{87D58D50-20D1-4091-88C5-8D88DCCC2DE3}.Release|x86.ActiveCfg = Release|Any CPU
 		{87D58D50-20D1-4091-88C5-8D88DCCC2DE3}.Release|x86.Build.0 = Release|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Debug|arm64.ActiveCfg = Debug|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Debug|arm64.Build.0 = Debug|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Debug|x64.Build.0 = Debug|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Debug|x86.Build.0 = Debug|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Release|Any CPU.Build.0 = Release|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Release|arm64.ActiveCfg = Release|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Release|arm64.Build.0 = Release|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Release|x64.ActiveCfg = Release|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Release|x64.Build.0 = Release|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Release|x86.ActiveCfg = Release|Any CPU
+		{F7BCD3AD-31E2-4223-B215-851C3D0AB78A}.Release|x86.Build.0 = Release|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Debug|arm64.ActiveCfg = Debug|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Debug|arm64.Build.0 = Debug|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Debug|x64.Build.0 = Debug|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Debug|x86.Build.0 = Debug|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Release|Any CPU.Build.0 = Release|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Release|arm64.ActiveCfg = Release|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Release|arm64.Build.0 = Release|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Release|x64.ActiveCfg = Release|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Release|x64.Build.0 = Release|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Release|x86.ActiveCfg = Release|Any CPU
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -11482,6 +11518,7 @@ Global
 		{66FA1041-5556-43A0-9CA3-F9937F085F6E} = {56291265-B7BF-4756-92AB-FC30F09381D1}
 		{37FC77EA-AC44-4D08-B002-8EFF415C424A} = {64B2A28F-6D82-4F2B-B0BB-88DE5216DD2C}
 		{87D58D50-20D1-4091-88C5-8D88DCCC2DE3} = {6126DCE4-9692-4EE2-B240-C65743572995}
+		{055F86AA-FB37-40CC-B39E-C29CE7547BB7} = {B8825E86-B8EA-4666-B681-C443D027C95D}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {3E8720B3-DBDD-498C-B383-2CC32A054E8F}

src/Antiforgery/Antiforgery.slnf

@@ -1,7 +1,8 @@
 {
   "solution": {
     "path": "..\\..\\AspNetCore.sln",
-    "projects" : [
+    "projects": [
+      "src\\Antiforgery\\samples\\MinimalFormSample\\MinimalFormSample.csproj",
       "src\\Antiforgery\\src\\Microsoft.AspNetCore.Antiforgery.csproj",
       "src\\Antiforgery\\test\\Microsoft.AspNetCore.Antiforgery.Test.csproj"
     ]

src/Antiforgery/samples/MinimalFormSample/MinimalFormSample.csproj

@@ -0,0 +1,24 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>$(DefaultNetCoreTargetFramework)</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <RootNamespace>MinimalSample</RootNamespace>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <Reference Include="Microsoft.AspNetCore" />
+    <Reference Include="Microsoft.AspNetCore.Hosting" />
+    <Reference Include="Microsoft.AspNetCore.Http" />
+    <Reference Include="Microsoft.AspNetCore.Http.Abstractions" />
+    <Reference Include="Microsoft.AspNetCore.Http.Results" />
+    <Reference Include="Microsoft.AspNetCore.Routing" />
+    <Reference Include="Microsoft.AspNetCore.Routing.Abstractions" />
+    <Reference Include="Microsoft.AspNetCore.Antiforgery" />
+    <Reference Include="Microsoft.AspNetCore.Mvc.ViewFeatures" />
+    <Reference Include="Microsoft.AspNetCore.Mvc.Core" />
+    <Reference Include="Microsoft.Net.Http.Headers" />
+  </ItemGroup>
+
+</Project>

src/Antiforgery/samples/MinimalFormSample/Program.cs

@@ -0,0 +1,80 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Microsoft.AspNetCore.Antiforgery;
+using Microsoft.AspNetCore.Mvc;
+
+var builder = WebApplication.CreateBuilder(args);
+
+builder.Services.AddAntiforgery();
+
+var app = builder.Build();
+
+app.UseAntiforgery();
+
+app.MapGet("/antiforgery", (HttpContext context, IAntiforgery antiforgery) =>
+{
+    var token = antiforgery.GetAndStoreTokens(context);
+    var html = $"""
+        <html>
+            <body>
+                <form action="/todo" method="POST" enctype="multipart/form-data">
+                    <input name="{token.FormFieldName}" type="hidden" value="{token.RequestToken}" />
+                    <input type="text" name="name" />
+                    <input type="date" name="dueDate" />
+                    <input type="checkbox" name="isCompleted" />
+                    <input type="submit" />
+                </form>
+            </body>
+        </html>
+    """;
+    return Results.Content(html, "text/html");
+});
+
+app.MapGet("/no-antiforgery", () =>
+{
+    var html = """
+        <html>
+            <body>
+                <form action="/todo" method="POST" enctype="multipart/form-data">
+                    <input type="text" name="name" />
+                    <input type="date" name="dueDate" />
+                    <input type="checkbox" name="isCompleted" />
+                    <input type="submit" />
+                </form>
+            </body>
+        </html>
+    """;
+    return Results.Content(html, "text/html");
+});
+
+app.MapPost("/todo", [ValidateAntiForgeryToken] ([FromForm] Todo todo) => Results.Ok(todo));
+
+app.MapPost("/todo-raw", async context =>
+{
+    var form = await context.Request.ReadFormAsync();
+    var name = form["name"].ToString();
+    var dueDate = DateTime.Parse(form["dueDate"].ToString());
+    var isCompleted = bool.Parse(form["isCompleted"].ToString());
+    var result = Results.Ok(new Todo(name, isCompleted, dueDate));
+    await result.ExecuteAsync(context);
+}).WithMetadata(new AntiforgeryMetadata(true));
+
+app.Run();
+
+class Todo(string name, bool isCompleted, DateTime dueDate)
+{
+    public string Name { get; set; } = name;
+    public bool IsCompleted { get; set; } = isCompleted;
+    public DateTime DueDate { get; set; } = dueDate;
+}
+
+class AntiforgeryMetadata: IAntiforgeryMetadata
+{
+    public AntiforgeryMetadata(bool required)
+    {
+        RequiresValidation = required;
+    }
+
+    public bool RequiresValidation { get; }
+}

src/Antiforgery/samples/MinimalFormSample/Properties/launchSettings.json

@@ -0,0 +1,38 @@
+{
+  "$schema": "http://json.schemastore.org/launchsettings.json",
+  "iisSettings": {
+    "windowsAuthentication": false,
+    "anonymousAuthentication": true,
+    "iisExpress": {
+      "applicationUrl": "http://localhost:37561",
+      "sslPort": 44385
+    }
+  },
+  "profiles": {
+    "http": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "http://localhost:5092",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    },
+    "https": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "https://localhost:7245;http://localhost:5092",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    },
+    "IIS Express": {
+      "commandName": "IISExpress",
+      "launchBrowser": true,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}

src/Antiforgery/samples/MinimalFormSample/appsettings.Development.json

@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}

src/Antiforgery/samples/MinimalFormSample/appsettings.json

@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*"
+}

src/Antiforgery/src/AntiforgeryApplicationBuilderExtensions.cs

@@ -0,0 +1,39 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Microsoft.AspNetCore.Antiforgery;
+using Microsoft.AspNetCore.Antiforgery.Internal;
+
+namespace Microsoft.AspNetCore.Builder;
+
+/// <summary>
+/// Anti-forgery extension methods for <see cref="IApplicationBuilder"/>.
+/// </summary>
+public static class AntiforgeryApplicationBuilderExtensions
+{
+    private const string AntiforgeryMiddlewareSetKey = "__AntiforgeryMiddlewareSet";
+
+    /// <summary>
+    /// Adds the anti-forgery middleware to the pipeline.
+    /// </summary>
+    /// <param name="builder">The <see cref="IApplicationBuilder"/>.</param>
+    /// <returns>The app builder.</returns>
+    public static IApplicationBuilder UseAntiforgery(this IApplicationBuilder builder)
+    {
+        ArgumentNullException.ThrowIfNull(builder);
+        builder.VerifyAntiforgeryServicesAreRegistered();
+
+        builder.Properties[AntiforgeryMiddlewareSetKey] = true;
+        builder.UseMiddleware<AntiforgeryMiddleware>();
+
+        return builder;
+    }
+
+    private static void VerifyAntiforgeryServicesAreRegistered(this IApplicationBuilder builder)
+    {
+        if (builder.ApplicationServices.GetService(typeof(IAntiforgery)) == null)
+        {
+            throw new InvalidOperationException("Unable to find the required services. Please add all the required services by calling 'IServiceCollection.AddAntiforgery' in the application startup code.");
+        }
+    }
+}

src/Antiforgery/src/AntiforgeryMiddleware.cs

@@ -0,0 +1,52 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Microsoft.AspNetCore.Http;
+
+namespace Microsoft.AspNetCore.Antiforgery.Internal;
+
+internal sealed class AntiforgeryMiddleware(IAntiforgery antiforgery, RequestDelegate next)
+{
+    private readonly RequestDelegate _next = next;
+    private readonly IAntiforgery _antiforgery = antiforgery;
+
+    private const string AntiforgeryMiddlewareWithEndpointInvokedKey = "__AntiforgeryMiddlewareWithEndpointInvoked";
+    private static readonly object AntiforgeryMiddlewareWithEndpointInvokedValue = new object();
+
+    public Task Invoke(HttpContext context)
+    {
+        var endpoint = context.GetEndpoint();
+
+        if (endpoint is not null)
+        {
+            context.Items[AntiforgeryMiddlewareWithEndpointInvokedKey] = AntiforgeryMiddlewareWithEndpointInvokedValue;
+        }
+
+        var method = context.Request.Method;
+        if (!HttpMethodExtensions.IsValidHttpMethodForForm(method))
+        {
+            return _next(context);
+        }
+
+        if (endpoint?.Metadata.GetMetadata<IAntiforgeryMetadata>() is { RequiresValidation: true })
+        {
+            return InvokeAwaited(context);
+        }
+
+        return _next(context);
+    }
+
+    public async Task InvokeAwaited(HttpContext context)
+    {
+        try
+        {
+            await _antiforgery.ValidateRequestAsync(context);
+            context.Features.Set(AntiforgeryValidationFeature.Valid);
+        }
+        catch (AntiforgeryValidationException e)
+        {
+            context.Features.Set<IAntiforgeryValidationFeature>(new AntiforgeryValidationFeature(false, e));
+        }
+        await _next(context);
+    }
+}

src/Antiforgery/src/Internal/AntiforgeryValidationFeature.cs

@@ -0,0 +1,11 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+namespace Microsoft.AspNetCore.Antiforgery;
+
+internal sealed class AntiforgeryValidationFeature(bool isValid, AntiforgeryValidationException? exception) : IAntiforgeryValidationFeature
+{
+    public static readonly IAntiforgeryValidationFeature Valid = new AntiforgeryValidationFeature(true, null);
+
+    public bool IsValid { get; } = isValid;
+    public Exception? Error { get; } = exception;
+}

src/Antiforgery/src/Microsoft.AspNetCore.Antiforgery.csproj

@@ -13,6 +13,7 @@
   <ItemGroup>
     <Reference Include="Microsoft.AspNetCore.DataProtection" />
     <Reference Include="Microsoft.AspNetCore.Http.Abstractions" />
+    <Reference Include="Microsoft.AspNetCore.Http.Features" />
     <Reference Include="Microsoft.AspNetCore.Http.Extensions" />
     <Reference Include="Microsoft.AspNetCore.WebUtilities" />
     <Reference Include="Microsoft.Extensions.ObjectPool" />
@@ -22,4 +23,8 @@
     <InternalsVisibleTo Include="DynamicProxyGenAssembly2" Key="$(MoqPublicKey)" />
     <InternalsVisibleTo Include="Microsoft.AspNetCore.Antiforgery.Test" />
   </ItemGroup>
+
+  <ItemGroup>
+    <Compile Include="$(SharedSourceRoot)HttpMethodExtensions.cs" LinkBase="Shared"/>
+  </ItemGroup>
 </Project>

src/Antiforgery/src/PublicAPI.Unshipped.txt

@@ -1,6 +1,6 @@
 #nullable enable
-Microsoft.AspNetCore.Antiforgery.Infrastructure.IAntiforgeryMetadata
-Microsoft.AspNetCore.Antiforgery.Infrastructure.IAntiforgeryMetadata.Required.get -> bool
 Microsoft.AspNetCore.Antiforgery.RequireAntiforgeryTokenAttribute
 Microsoft.AspNetCore.Antiforgery.RequireAntiforgeryTokenAttribute.RequireAntiforgeryTokenAttribute(bool required = true) -> void
-Microsoft.AspNetCore.Antiforgery.RequireAntiforgeryTokenAttribute.Required.get -> bool
+Microsoft.AspNetCore.Antiforgery.RequireAntiforgeryTokenAttribute.RequiresValidation.get -> bool
+Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions
+static Microsoft.AspNetCore.Builder.AntiforgeryApplicationBuilderExtensions.UseAntiforgery(this Microsoft.AspNetCore.Builder.IApplicationBuilder! builder) -> Microsoft.AspNetCore.Builder.IApplicationBuilder!

src/Antiforgery/src/RequireAntiforgeryTokenAttribute.cs

@@ -1,8 +1,6 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
-using Microsoft.AspNetCore.Antiforgery.Infrastructure;
-
 namespace Microsoft.AspNetCore.Antiforgery;
 
 /// <summary>
@@ -19,5 +17,5 @@ public class RequireAntiforgeryTokenAttribute(bool required = true) : Attribute,
     /// Defaults to <see langword="true"/>; <see langword="false"/> indicates that
     /// the validation check for the antiforgery token can be avoided.
     /// </remarks>
-    public bool Required { get; } = required;
+    public bool RequiresValidation { get; } = required;
 }