Explicitly calling app.UseRouting() in Blazor Web App results in exception that antiforgery middleware is missing

[danroth27]

If I add an explicit call to app.UseRouting() in a Blazor Web App, I get the following exception:

"Endpoint / (/) contains anti-forgery metadata, but a middleware was not found that supports anti-forgery."

Repro steps:

• Create a Blazor Web App
• Update Program.cs to call app.UseRouting() explicitly:

app.UseRouting();
app.MapRazorComponents<App>();

• Run the app

Expected result: App runs without error
Actual result: Exception saying that the antiforgery middleware is required
Workaround: Adding the antiforgery middleware resolves the issue

.NET SDK version: 8.0.100-preview.7.23375.2

[danroth27]

@captainsafia

[captainsafia]

This is expected behavior given how we treat the anti-forgery middleware. Like other security-related middlewares, you get an exception at startup if there is an endpoint that contains metadata that the middleware needs to read (like the IAntiforgeryTokenMetadata here).

The WebApplicationBuilder takes care of adding this middleware automatically when antiforgery services are registered (which AddRazorComponents does), so you shouldn't see this exception.

I'm able to repro this behavior in a standalone sample app, but not in the "Blazor United App" in the repo when I try to debug, so something fishy is going on here. I'll see if I can track it down.

Edit: I was able to reproduce this in repo and it turns out there is an underlying issue here with the ordering of the implicit middlewares configured via the builder. They are running before routing executes so they don't have access to an endpoint.