Starts in:
1 DAY
15 HRS
22 MIN
7 SEC
Starts in:
1 D
15 H
22 M
7 S
Open Closed

Want to disable CSRF/XSRF for API access because it is not working as expected and cannot disable it #1895


User avatar
0
ten3systems created

I am trying to work with multiple developers with API generated via template and they are complaining the cookie handling and XSRF token header is causing error 400 and redirects to the login page.

  • ABP Framework version: v4.2.2
  • UI type: MVC
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes, tiered MVC
  • Exception message and stack trace:
  • Steps to reproduce the issue:
  1. spin up a project
  2. create an aggregate root with app service to automatically expose
  3. create a mobile react native app (or use POSTMAN to mimic the calls)
  4. try to call API endpoints of your appService from mobile app or POSTMAN using /api/app/{aggregate root endpoint}
  5. you will need to add RequestVerificationToken with value from XSRF cookies
  6. try to disable that requirement with this in webmodule configure startup:
            Configure<AbpAntiForgeryOptions>(options =>
            {
                options.AutoValidate = false;
            });
  1. in addition, try to disable at the controller level like
       [IgnoreAntiforgeryToken]
  1. Scratch your head because you can't figure out why the XSRF is a requirement with API and how you can disable it on automaticly exposed app service endpoints like CreateAsync() or UpdateAsync()

Errors I am seeing in the logs

[17:13:24 ERR] The required antiforgery header value "RequestVerificationToken" is not present.

  • if you do not provide the header value in a POST / PUT

[16:43:35 ERR] The provided antiforgery token was meant for a different claims-based user than the current user.

[16:43:44 ERR] The required antiforgery cookie ".AspNetCore.Antiforgery.9TtSrW0hzOs" is not present.

[16:44:18 ERR] The antiforgery cookie token and request token do not match.

[18:16:19 INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy

[18:19:05 ERR] The antiforgery token could not be decrypted.

  • if you use an old token value?

[18:20:33 ERR] The provided antiforgery token was meant for a different claims-based user than the current user.

  • if you do not use the fresh value of the XSRF-Token cookie from last request in this request

2 Answer(s)
  • User Avatar
    0
    ten3systems created

    Perhaps just allowing the client to send cookies it received from the response is forcing the API system to think that RequestVerificationToken is required?? If I clear out cookies in POSTMAN then it does not have the requirement to include the RequestVerificationToken header.

    Please confirm my understanding?

  • User Avatar
    1
    maliming created
    Support Team Fullstack Developer

    hi

    You can remove

    Configure<AbpAntiForgeryOptions>(options =>
    {
        options.AutoValidate = false;
    });
    
    [IgnoreAntiforgeryToken]
    

    No need to validate if antiforgery cookie is not sent. That means the request is sent from a non-browser client.

    Please do not carry Cookies when you call the API in POSTMAN.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 20, 2024, 13:06