Add support for antiforgery

Author: javiercn

src/Components/Components/src/Rendering/RenderTreeBuilder.cs

@@ -175,6 +175,11 @@ public void AddAttribute(int sequence, string name)
             throw new InvalidOperationException($"Valueless attributes may only be added immediately after frames of type {RenderTreeFrameType.Element}");
         }
 
+        if (TrackNamedEventHandlers && string.Equals(name, "@onsubmit:name", StringComparison.Ordinal))
+        {
+            _entries.AppendAttribute(sequence, name, "");
+        }
+
         _entries.AppendAttribute(sequence, name, BoxedTrue);
     }
 
@@ -873,6 +878,18 @@ internal void ProcessDuplicateAttributes(int first)
                     // This attribute has been overridden. For now, blank out its name to *mark* it. We'll do a pass
                     // later to wipe it out.
                     frame = default;
+                    // We are wiping out this frame, which means that if we are tracking named events, we have to adjust the
+                    // indexes of the named event handlers that come after this frame.
+                    if (_seenEventHandlerNames != null && _seenEventHandlerNames.Count > 0)
+                    {
+                        foreach (var (name, eventIndex) in _seenEventHandlerNames)
+                        {
+                            if (eventIndex >= i)
+                            {
+                                _seenEventHandlerNames[name] = eventIndex - 1;
+                            }
+                        }
+                    }
                 }
                 else
                 {
@@ -935,6 +952,62 @@ public void Dispose()
 
     internal Dictionary<string, int>? GetNamedEvents()
     {
+        if (TrackNamedEventHandlers)
+        {
+            var i = _entries.Count - 1;
+            while (i >= 0)
+            {
+                ref var frame = ref _entries.Buffer[i];
+                if (frame.FrameType != RenderTreeFrameType.Attribute)
+                {
+                    i--;
+                    continue;
+                }
+                var j = i;
+                var submitHandlerIndex = -1;
+                var submitHanderNameIndex = -1;
+                while (j > 0)
+                {
+                    // we are inside a list of attribute frames.
+                    // Walk backwards to find pairs of onsubmit and @onsubmit:name
+                    // and stop the first time we find an element or component frame.
+                    ref var attributeFrame = ref _entries.Buffer[j];
+                    if (attributeFrame.FrameType == RenderTreeFrameType.Component)
+                    {
+                        // If we were processing a component, ignore the values
+                        // as this feature is only for HTML elements.
+                        submitHanderNameIndex = -1;
+                        submitHandlerIndex = -1;
+                        break;
+                    }
+                    else if (attributeFrame.FrameType == RenderTreeFrameType.Element)
+                    {
+                        // We are at the end of the elements sequence
+                        break;
+                    }
+                    if (string.Equals(attributeFrame.AttributeName, "onsubmit", StringComparison.Ordinal))
+                    {
+                        submitHandlerIndex = j;
+                    }
+                    else if (string.Equals(attributeFrame.AttributeName, "@onsubmit:name", StringComparison.Ordinal))
+                    {
+                        submitHanderNameIndex = j;
+                    }
+
+                    if (submitHandlerIndex != -1 && submitHanderNameIndex != -1)
+                    {
+                        // We found a pair, add it to the dictionary in case it was missing.
+                        _seenEventHandlerNames ??= new Dictionary<string, int>(SimplifiedStringHashComparer.Instance);
+                        var eventHandlerName = _entries.Buffer[submitHanderNameIndex].AttributeValue;
+                        _seenEventHandlerNames[(eventHandlerName as string)!] = submitHandlerIndex;
+                        submitHanderNameIndex = -1;
+                        submitHandlerIndex = -1;
+                    }
+                    j--;
+                }
+                i = j;
+            }
+        }
         return _seenEventHandlerNames;
     }
 }

src/Components/Endpoints/src/DependencyInjection/RazorComponentsServiceCollectionExtensions.cs

@@ -6,6 +6,7 @@
 using Microsoft.AspNetCore.Components.Binding;
 using Microsoft.AspNetCore.Components.Endpoints;
 using Microsoft.AspNetCore.Components.Endpoints.DependencyInjection;
+using Microsoft.AspNetCore.Components.Endpoints.Forms;
 using Microsoft.AspNetCore.Components.Forms;
 using Microsoft.AspNetCore.Components.Infrastructure;
 using Microsoft.AspNetCore.Components.Routing;
@@ -30,6 +31,9 @@ public static class RazorComponentsServiceCollectionExtensions
     [RequiresUnreferencedCode("Razor Components does not currently support native AOT.", Url = "https://aka.ms/aspnet/nativeaot")]
     public static IRazorComponentsBuilder AddRazorComponents(this IServiceCollection services)
     {
+        // Dependencies
+        services.AddAntiforgery();
+
         services.TryAddSingleton<RazorComponentsMarkerService>();
 
         // Results
@@ -60,7 +64,7 @@ public static IRazorComponentsBuilder AddRazorComponents(this IServiceCollection
         services.TryAddScoped<IFormValueSupplier, DefaultFormValuesSupplier>();
         services.TryAddEnumerable(ServiceDescriptor.Scoped<CascadingModelBindingProvider, CascadingQueryModelBindingProvider>());
         services.TryAddEnumerable(ServiceDescriptor.Scoped<CascadingModelBindingProvider, CascadingFormModelBindingProvider>());
-
+        services.TryAddScoped<AntiforgeryStateProvider, EndpointAntiforgeryStateProvider>();
         return new DefaultRazorComponentsBuilder(services);
     }
 

src/Components/Endpoints/src/Forms/EndpointAntiforgeryStateProvider.cs

@@ -0,0 +1,38 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using Microsoft.AspNetCore.Antiforgery;
+using Microsoft.AspNetCore.Components.Forms;
+using Microsoft.AspNetCore.Http;
+
+namespace Microsoft.AspNetCore.Components.Endpoints.Forms;
+
+internal class EndpointAntiforgeryStateProvider(IAntiforgery antiforgery, PersistentComponentState state) : AntiforgeryStateProvider(state)
+{
+    private HttpContext? _context;
+
+    internal void SetRequestContext(HttpContext context)
+    {
+        _context = context;
+    }
+
+    public override AntiforgeryRequestToken? GetAntiforgeryToken()
+    {
+        if (_context == null)
+        {
+            return null;
+        }
+
+        // We already have a callback setup to generate the token when the response starts if needed.
+        // If we need the tokens before we start streaming the response, we'll generate and store them;
+        // otherwise we'll just retrieve them.
+        // In case there are no tokens available, we are going to return null and no-op.
+        var tokens = !_context.Response.HasStarted ? antiforgery.GetAndStoreTokens(_context) : antiforgery.GetTokens(_context);
+        if (tokens.RequestToken is null)
+        {
+            return null;
+        }
+
+        return new AntiforgeryRequestToken(tokens.RequestToken, tokens.FormFieldName);
+    }
+}

src/Components/Endpoints/src/Microsoft.AspNetCore.Components.Endpoints.csproj

@@ -44,6 +44,7 @@
   </ItemGroup>
 
   <ItemGroup>
+    <Reference Include="Microsoft.AspNetCore.Antiforgery" />
     <Reference Include="Microsoft.AspNetCore.Components.Authorization" />
     <Reference Include="Microsoft.AspNetCore.Components.Web" />
     <Reference Include="Microsoft.AspNetCore.DataProtection.Extensions" />

src/Components/Endpoints/src/RazorComponentEndpointInvoker.cs

@@ -2,9 +2,11 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using System.Buffers;
+using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
 using System.Text;
 using System.Text.Encodings.Web;
+using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.DependencyInjection;
@@ -36,13 +38,23 @@ private async Task RenderComponentCore()
         _context.Response.ContentType = RazorComponentResultExecutor.DefaultContentType;
         _renderer.InitializeStreamingRenderingFraming(_context);
 
-        if (!await TryValidateRequestAsync(out var isPost, out var handler))
+        var antiforgery = _context.RequestServices.GetRequiredService<IAntiforgery>();
+        var (valid, isPost, handler) = await ValidateRequestAsync(antiforgery);
+        if (!valid)
         {
             // If the request is not valid we've already set the response to a 400 or similar
             // and we can just exit early.
             return;
         }
 
+        _context.Response.OnStarting(() =>
+        {
+            // Generate the antiforgery tokens before we start streaming the response, as it needs
+            // to set the cookie header.
+            antiforgery.GetAndStoreTokens(_context);
+            return Task.CompletedTask;
+        });
+
         await EndpointHtmlRenderer.InitializeStandardComponentServicesAsync(
             _context,
             componentType: _componentType,
@@ -89,16 +101,21 @@ await EndpointHtmlRenderer.InitializeStandardComponentServicesAsync(
         await writer.FlushAsync();
     }
 
-    private Task<bool> TryValidateRequestAsync(out bool isPost, out string? handler)
+    private async Task<RequestValidationState> ValidateRequestAsync(IAntiforgery antiforgery)
     {
-        handler = null;
-        isPost = HttpMethods.IsPost(_context.Request.Method);
+        var isPost = HttpMethods.IsPost(_context.Request.Method);
         if (isPost)
         {
-            return Task.FromResult(TrySetFormHandler(out handler));
+            var valid = await antiforgery.IsRequestValidAsync(_context);
+            if (!valid)
+            {
+                _context.Response.StatusCode = StatusCodes.Status400BadRequest;
+            }
+            var formValid = TrySetFormHandler(out var handler);
+            return new(valid && formValid, isPost, handler);
         }
 
-        return Task.FromResult(true);
+        return new(true, false, null);
     }
 
     private bool TrySetFormHandler([NotNullWhen(true)] out string? handler)
@@ -128,4 +145,26 @@ private static TextWriter CreateResponseWriter(Stream bodyStream)
         const int DefaultBufferSize = 16 * 1024;
         return new HttpResponseStreamWriter(bodyStream, Encoding.UTF8, DefaultBufferSize, ArrayPool<byte>.Shared, ArrayPool<char>.Shared);
     }
+
+    [DebuggerDisplay($"{{{nameof(GetDebuggerDisplay)}(),nq}}")]
+    private readonly struct RequestValidationState(bool isValid, bool isPost, string? handlerName)
+    {
+        public bool IsValid => isValid;
+
+        public bool IsPost => isPost;
+
+        public string? HandlerName => handlerName;
+
+        private string GetDebuggerDisplay()
+        {
+            return $"{nameof(RequestValidationState)}: {IsValid} {IsPost} {HandlerName}";
+        }
+
+        public void Deconstruct(out bool isValid, out bool isPost, out string? handlerName)
+        {
+            isValid = IsValid;
+            isPost = IsPost;
+            handlerName = HandlerName;
+        }
+    }
 }

src/Components/Endpoints/src/Rendering/EndpointHtmlRenderer.cs

@@ -6,6 +6,7 @@
 using System.Text;
 using Microsoft.AspNetCore.Components.Authorization;
 using Microsoft.AspNetCore.Components.Endpoints.DependencyInjection;
+using Microsoft.AspNetCore.Components.Endpoints.Forms;
 using Microsoft.AspNetCore.Components.Forms;
 using Microsoft.AspNetCore.Components.HtmlRendering.Infrastructure;
 using Microsoft.AspNetCore.Components.Infrastructure;
@@ -88,6 +89,12 @@ internal static async Task InitializeStandardComponentServicesAsync(
             formData.SetFormData(handler, new FormCollectionReadOnlyDictionary(form));
         }
 
+        var antiforgery = httpContext.RequestServices.GetRequiredService<AntiforgeryStateProvider>();
+        if (antiforgery is EndpointAntiforgeryStateProvider endpointAntiforgery)
+        {
+            endpointAntiforgery.SetRequestContext(httpContext);
+        }
+
         // It's important that this is initialized since a component might try to restore state during prerendering
         // (which will obviously not work, but should not fail)
         var componentApplicationLifetime = httpContext.RequestServices.GetRequiredService<ComponentStatePersistenceManager>();

src/Components/Endpoints/test/EndpointHtmlRendererTest.cs

@@ -4,6 +4,7 @@
 using System.Text.Encodings.Web;
 using System.Text.Json;
 using System.Text.RegularExpressions;
+using Microsoft.AspNetCore.Components.Endpoints.Forms;
 using Microsoft.AspNetCore.Components.Endpoints.Tests.TestComponents;
 using Microsoft.AspNetCore.Components.Forms;
 using Microsoft.AspNetCore.Components.Infrastructure;
@@ -1297,6 +1298,11 @@ private static ServiceCollection CreateDefaultServiceCollection()
         services.AddSingleton(sp => sp.GetRequiredService<ComponentStatePersistenceManager>().State);
         services.AddSingleton<ServerComponentSerializer>();
         services.AddSingleton<FormDataProvider, HttpContextFormDataProvider>();
+        services.AddAntiforgery();
+        services.AddSingleton<ComponentStatePersistenceManager>();
+        services.AddSingleton<PersistentComponentState>(sp => sp.GetRequiredService<ComponentStatePersistenceManager>().State);
+        services.AddSingleton<AntiforgeryStateProvider, EndpointAntiforgeryStateProvider>();
+
         return services;
     }
 

src/Components/Endpoints/test/RazorComponentResultExecutorTest.cs

@@ -15,6 +15,7 @@
 using Microsoft.AspNetCore.Components.Endpoints.Tests.TestComponents;
 using System.Text.RegularExpressions;
 using Microsoft.AspNetCore.Components.Forms;
+using Microsoft.AspNetCore.Components.Endpoints.Forms;
 
 namespace Microsoft.AspNetCore.Components.Endpoints;
 
@@ -403,6 +404,7 @@ public static DefaultHttpContext GetTestHttpContext(string environmentName = nul
         var mockWebHostEnvironment = Mock.Of<IWebHostEnvironment>(
             x => x.EnvironmentName == (environmentName ?? Environments.Production));
         var serviceCollection = new ServiceCollection()
+            .AddAntiforgery()
             .AddSingleton(new DiagnosticListener("test"))
             .AddSingleton<IWebHostEnvironment>(mockWebHostEnvironment)
             .AddSingleton<RazorComponentResultExecutor>()
@@ -413,6 +415,9 @@ public static DefaultHttpContext GetTestHttpContext(string environmentName = nul
             .AddSingleton<ComponentStatePersistenceManager>()
             .AddSingleton<IDataProtectionProvider, FakeDataProtectionProvider>()
             .AddSingleton<FormDataProvider, HttpContextFormDataProvider>()
+            .AddSingleton<ComponentStatePersistenceManager>()
+            .AddSingleton<PersistentComponentState>(sp => sp.GetRequiredService<ComponentStatePersistenceManager>().State)
+            .AddSingleton<AntiforgeryStateProvider, EndpointAntiforgeryStateProvider>()
             .AddLogging();
 
         var result = new DefaultHttpContext { RequestServices = serviceCollection.BuildServiceProvider() };

src/Components/Samples/BlazorUnitedApp/Pages/Index.razor

@@ -1,11 +1,11 @@
 @page "/"
-
 <PageTitle>Index</PageTitle>
 
-<h1>@Parameter</h1>
+<h1>@Value?.Parameter</h1>
 
-<EditForm method="POST" Model="Parameter">
-    <InputText @bind-Value="Parameter" />
+<EditForm method="POST" Model="Value?.Parameter">
+    <InputText @bind-Value="Value!.Parameter" />
+    <AntiforgeryToken />
     <input type="submit" value="Send" />
 </EditForm>
 
@@ -15,11 +15,15 @@
 }
 
 @code{
-    [SupplyParameterFromForm] string Parameter { get; set; } = "Hello, world!";
+    [SupplyParameterFromForm] Data? Value { get; set; }
+
+    protected override void OnInitialized() => Value ??= new();
 
     bool _submitted = false;
-    public void Submit()
+    public void Submit() => _submitted = true;
+
+    public class Data
     {
-        _submitted = true;
+        public string Parameter { get; set; } = "";
     }
 }

src/Components/Server/src/DependencyInjection/ComponentServiceCollectionExtensions.cs

@@ -69,6 +69,7 @@ public static IServerSideBlazorBuilder AddServerSideBlazor(this IServiceCollecti
         services.TryAddSingleton<ComponentParametersTypeCache>();
         services.TryAddSingleton<CircuitIdFactory>();
         services.TryAddScoped<IErrorBoundaryLogger, RemoteErrorBoundaryLogger>();
+        services.TryAddScoped<AntiforgeryStateProvider>();
 
         services.TryAddScoped(s => s.GetRequiredService<ICircuitAccessor>().Circuit);
         services.TryAddScoped<ICircuitAccessor, DefaultCircuitAccessor>();