Consider making Antiforgery a middleware #38338

@pranavkm

Description

Antiforgery is currently implemented as an MVC auth filter. This means it's unavailable to frameworks other than MVC unless someone writes their own code using IAntiforgery. This issue tracks migrating it to a middleware akin to auth and CORS.

  • Create an Antiforgery middleware that is endpoint aware. Possible enhancement: we could make one that is not bound to an endpoint, similar to CORS or Auth, that is on all the time but applies to non-idempotent requests with form content.
  • Add a startup analyzer that ensures the antiforgery middleware appears after the routing and AuthZ middlewares.
  • Update the EndpointMiddleware to add a check that verifies that the antiforgery middleware ran if the endpoint has antiforgery metadata.
  • Update MVC so that ValidateAntiforgeryTokenAttribute / AutoValidateAntiforgeryTokenAttribute do not add filters to the filter pipeline. This is slightly tricky because they are filters, unlike AuthorizeAttribute and EnableCorsAttribute, which are just metadata.

Initial API:

namespace Microsoft.AspNetCore.Builder
{
+    public static class AntiforgeryMiddlewareExtensions
+    {
+        public static IApplicationBuilder UseAntiforgery(this IApplicationBuilder app);
+    }
}

namespace Microsoft.AspNetCore.Http.Metadata
{
+    public interface IAntiforgeryMetadata { }
    
+    public interface IValidateAntiforgeryMetadata : IAntiforgeryMetadata
+    { 
+        bool ValidateIdempotentRequests { get; }
+    }
    
    // note that there isn't a IIgnoreAntiforgeryMetadata. We'll use the presence of IAntiforgeryMetadata that isn't IValidateAntiforgeryMetadata as ignore.
}
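Review bot: the "presence of IAntiforgeryMetadata that isn't IValidateAntiforgeryMetadata means ignore" rule lives only in the trailing comment of the Microsoft.AspNetCore.Http.Metadata block, so anyone implementing IAntiforgeryMetadata directly will not see it. Consider carrying that rule as an XML doc comment on IAntiforgeryMetadata itself (and on IValidateAntiforgeryMetadata.ValidateIdempotentRequests, whose default of false/true is not stated), so the contract is visible from the API surface rather than from this issue.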
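The following is an added example, not code from the issue or from the ASP.NET Core repository, of how the endpoint-aware middleware described in the bullets above could be implemented against the proposed API shape. IAntiforgeryMetadata and IValidateAntiforgeryMetadata are declared locally because the proposal is not shipped API; ValidateAntiforgeryMetadata, IgnoreAntiforgeryMetadata, AntiforgeryMiddleware.InvokedKey and the extension name UseEndpointAntiforgery are hypothetical names chosen for this example (the extension is deliberately not called UseAntiforgery so it cannot collide with the extension of that name that ASP.NET Core 8 later shipped). IAntiforgery.ValidateRequestAsync, HttpContext.GetEndpoint, WithMetadata and the HttpMethods helpers are existing ASP.NET Core APIs.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Program.cs wiring. The middleware has to run after routing (so GetEndpoint() is
// populated) and after authorization, which is exactly what the proposed startup
// analyzer would enforce.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAntiforgery();
var app = builder.Build();

app.UseRouting();
app.UseAuthorization();
app.UseEndpointAntiforgery();   // hypothetical extension, defined below

// A non-idempotent endpoint that opts in through endpoint metadata, replacing what
// [ValidateAntiForgeryToken] does today as an MVC filter.
app.MapPost("/transfer", () => Results.Ok("transferred"))
   .WithMetadata(new ValidateAntiforgeryMetadata(ValidateIdempotentRequests: false));

// Per the proposal, IAntiforgeryMetadata that is NOT IValidateAntiforgeryMetadata
// means "ignore": this endpoint is skipped by the middleware.
app.MapPost("/webhook", () => Results.Ok("accepted"))
   .WithMetadata(new IgnoreAntiforgeryMetadata());

app.Run();

// --- Metadata shape taken from the proposal (declared locally; not shipped API) ---
public interface IAntiforgeryMetadata { }
public interface IValidateAntiforgeryMetadata : IAntiforgeryMetadata
{
    bool ValidateIdempotentRequests { get; }
}
// Hypothetical concrete metadata types for the example.
public sealed record ValidateAntiforgeryMetadata(bool ValidateIdempotentRequests) : IValidateAntiforgeryMetadata;
public sealed class IgnoreAntiforgeryMetadata : IAntiforgeryMetadata { }

// --- Endpoint-aware antiforgery middleware (example implementation) ---
public sealed class AntiforgeryMiddleware
{
    // Hypothetical marker recorded on the request so a downstream check (the issue
    // proposes one in EndpointMiddleware) can detect a pipeline that skipped this step.
    public const string InvokedKey = "__AntiforgeryMiddlewareInvoked";

    private readonly RequestDelegate _next;
    private readonly IAntiforgery _antiforgery;

    public AntiforgeryMiddleware(RequestDelegate next, IAntiforgery antiforgery)
    {
        _next = next;
        _antiforgery = antiforgery;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        context.Items[InvokedKey] = true;

        // GetMetadata<T>() returns the last matching item, so endpoint-level metadata
        // overrides metadata inherited from a route group.
        var metadata = context.GetEndpoint()?.Metadata.GetMetadata<IAntiforgeryMetadata>();

        if (metadata is IValidateAntiforgeryMetadata validate &&
            (validate.ValidateIdempotentRequests || !IsIdempotent(context.Request.Method)))
        {
            try
            {
                // Same cookie-token / request-token check the MVC filter performs today.
                await _antiforgery.ValidateRequestAsync(context);
            }
            catch (AntiforgeryValidationException)
            {
                // Fail closed: the endpoint never runs when the token is missing or invalid.
                context.Response.StatusCode = StatusCodes.Status400BadRequest;
                return;
            }
        }

        await _next(context);
    }

    // Safe (idempotent) methods carry no antiforgery token by default.
    private static bool IsIdempotent(string method) =>
        HttpMethods.IsGet(method) || HttpMethods.IsHead(method) ||
        HttpMethods.IsOptions(method) || HttpMethods.IsTrace(method);
}

public static class AntiforgeryMiddlewareExtensions
{
    public static IApplicationBuilder UseEndpointAntiforgery(this IApplicationBuilder app) =>
        app.UseMiddleware<AntiforgeryMiddleware>();
}
```

Two points to check when adapting this: the middleware must be registered after UseRouting (otherwise GetEndpoint() is null and every endpoint silently skips validation), and failing closed with a 400 on AntiforgeryValidationException is what keeps a mis-ordered or misconfigured pipeline from degrading to "no protection" rather than "request rejected".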

Labels: api-suggestion (Early API idea and discussion, it is NOT ready for implementation), area-networking (Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions)
