Activities of "Anjaneyulu"
Configure<AbpAntiForgeryOptions>(options => { options.AutoValidateIgnoredHttpMethods.Remove("GET"); //auto validate for GET requests });After I've configured the
AbpAntiForgeryOptionsas above, I could not send a successful GET request to my endpoints unless I provide aRequestVerificationTokenheader.
But if there is an interceptor and passes a
RequestVerificationTokenon behalf of me, I can successfully make a GET request as follow. (And we do it on Swagger UI)
So can you try to navigate the URL of one of your GET requests on the browser? I am not sure but "burpsuite" might be intercepting the request and passing the
RequestVerificationTokenautomatically (maybe you can check the header that it passed).
After adding this configuration we are not getting data for our Get request : -
Configure<AbpAntiForgeryOptions>(options => { options.AutoValidateIgnoredHttpMethods.Remove("GET"); //auto validate for GET requests });
But Adding this middleware , we are getting data but intercepting through burpsuite , removing request verification token and forwarding request is working fine.
public class SetRequestVerificationHeaderMiddleware { private readonly RequestDelegate _next; private readonly IAbpAntiForgeryManager _abpAntiForgeryManager;
public ValidateAntiForgeryTokenMiddleware(RequestDelegate next, IAbpAntiForgeryManager abpAntiForgeryManager)
{
_next = next;
_abpAntiForgeryManager = abpAntiForgeryManager;
}
public async Task Invoke(HttpContext context)
{
if (HttpMethods.IsGet(context.Request.Method))
{
var antiForgeryToken = await _abpAntiForgeryManager.GenerateToken();
context.Request.Headers["RequestVerificationToken"] = antiForgeryToken;
}
await _next(context);
}
}
//use middleware app.UseMiddleware<SetRequestVerificationHeaderMiddleware>();
Even Im not sure how burpsuite works.
Configure<AbpAntiForgeryOptions>(options => { options.AutoValidateIgnoredHttpMethods.Remove("GET"); //auto validate for GET requests });After I've configured the
AbpAntiForgeryOptionsas above, I could not send a successful GET request to my endpoints unless I provide aRequestVerificationTokenheader.
But if there is an interceptor and passes a
RequestVerificationTokenon behalf of me, I can successfully make a GET request as follow. (And we do it on Swagger UI)
So can you try to navigate the URL of one of your GET requests on the browser? I am not sure but "burpsuite" might be intercepting the request and passing the
RequestVerificationTokenautomatically (maybe you can check the header that it passed).
Thanks. I will check and Let you know
Hi @Anjaneyulu, you're not sending requests via Swagger right?
No. Actually we are intercepting the get request in burpsuite , removing the request verification token and forwarding the request to server. Should we consider burpsuite interpection as a swagger or postman request? I'm not sure.
Then you can create a middleware as below and get the generated cookie and pass it to the
RequestVerificationTokenheader.P.S. If your GET requests don't change the state (and it shouldn't in most cases), you don't need to add anti-forgery token validation, in my opinion.
public class SetRequestVerificationHeaderMiddleware { private readonly RequestDelegate _next; private readonly IAbpAntiForgeryManager _abpAntiForgeryManager; public ValidateAntiForgeryTokenMiddleware(RequestDelegate next, IAbpAntiForgeryManager abpAntiForgeryManager) { _next = next; _abpAntiForgeryManager = abpAntiForgeryManager; } public async Task Invoke(HttpContext context) { if (HttpMethods.IsGet(context.Request.Method)) { var antiForgeryToken = await _abpAntiForgeryManager.GenerateToken(); context.Request.Headers["RequestVerificationToken"] = antiForgeryToken; } await _next(context); } } //use middleware app.UseMiddleware<SetRequestVerificationHeaderMiddleware>();
We have added this configuration, but when we remove the request verification token from requests, response is still perfect. Are we missing something ? Please guide.
Hi @Anjaneyulu, I think you don't need to create a manual Anti Forgery Token Middleware. Instead, you can define
AbpAntiForgeryOptionsto enable auto validation for GET requests.Configure<AbpAntiForgeryOptions>(options => { //By default only POST requests auto validate anti forgery tokens. //In other word "GET", "HEAD", "TRACE" and "OPTIONS" HTTP methods are ignored. options.AutoValidateIgnoredHttpMethods.Remove("GET"); //auto validate for GET requests });See CSRF Anti Forgery documentation for more information
Hi @EngincanV , I have configured as you said
Configure<AbpAntiForgeryOptions>(options => { //By default only POST requests auto validate anti forgery tokens. //In other word "GET", "HEAD", "TRACE" and "OPTIONS" HTTP methods are ignored.
options.AutoValidateIgnoredHttpMethods.Remove("GET"); //auto validate for GET requests });
Im not receving any data in get request. Do i need to add anything else ?
- ABP Framework version: v5.0.0
- UI type: MVC
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): no
- Exception message and stack trace:
- Steps to reproduce the issue:"
Create a project
Added Validate anitforgery token middleware in .Web project like this
public class ValidateAntiForgeryTokenMiddleware { private readonly RequestDelegate _next; private readonly IAntiforgery _antiforgery;
public ValidateAntiForgeryTokenMiddleware(RequestDelegate next, IAntiforgery antiforgery)
{
_next = next;
_antiforgery = antiforgery;
}
public async Task Invoke(HttpContext context)
{
if (HttpMethods.IsPost(context.Request.Method))
{
await _antiforgery.ValidateRequestAsync(context);
}
else if (HttpMethods.IsPut(context.Request.Method))
{
await _antiforgery.ValidateRequestAsync(context);
}
await _next(context);
}
}
public static class ApplicationBuilderExtensions
{
public static IApplicationBuilder UseAntiforgeryTokens(this IApplicationBuilder app)
{
return app.UseMiddleware<ValidateAntiForgeryTokenMiddleware>();
}
}
Added app.UseAntiforgeryTokens(); webmodule.
Intercept the requests in burpsuite and remove request verification token in repeater, but still the response is perfect.
Please let us know how to implement validate antiforgery token for both post and get requests as well.
ABP Framework version: v5.0.1
UI type: MVC
DB provider: EF Core
Tiered (MVC) or Identity Server Separated (Angular): no
Exception message and stack trace:
Steps to reproduce the issue:"
Step 1. We are enqueuing the emails by calling in our code * await _backgroundJobManager.EnqueueAsync(new EmailArgs() { //Object });
But in the below "ExecuteAsync" is being called multiple times in our code.
public class NotificationSendingJob : AsyncBackgroundJob<EmailArgs >, ITransientDependency
{
public NotificationSendingJob()
{
}
[UnitOfWork]
public override Task ExecuteAsync(EmailArgs args)
{
AsyncHelper.RunSync(() => SendNotification(args.TenantId, emailcontent));
return Task.FromResult(0);
}
}
We want to restrict it to single time.
hi
We could set the Application Cookie's path as per your reply, we are missing antiforgery token and not able to authenticate. Can you please help us.
hi
Is
Emailing\Templates\Templates\*.tplpath correct?Maybe
Emailing\Templates\*.tpl
I have updated the path. Also, tried setting build actions to copy always for embedded resources. But im getting the same issue.
<Project Sdk="Microsoft.NET.Sdk">
<Import Project="....\common.props" />
<PropertyGroup> <TargetFramework>netstandard2.0</TargetFramework> <RootNamespace>Test</RootNamespace> </PropertyGroup>
<ItemGroup> <ProjectReference Include="..\Test.Domain.Shared\Test.Domain.Shared.csproj" /> </ItemGroup>
<ItemGroup> <ProjectReference Include="....\modules\Volo.Account.Pro\src\Volo.Abp.Account.Pro.Shared.Application.Contracts\Volo.Abp.Account.Pro.Shared.Application.Contracts.csproj" /> <PackageReference Include="Volo.Abp.PermissionManagement.Application.Contracts" Version="4.4.2" /> <PackageReference Include="Volo.Abp.FeatureManagement.Application.Contracts" Version="4.4.2" /> <PackageReference Include="Volo.Abp.SettingManagement.Application.Contracts" Version="4.4.2" /> <PackageReference Include="Volo.Saas.Host.Application.Contracts" Version="4.4.2" /> <PackageReference Include="Volo.Abp.AuditLogging.Application.Contracts" Version="4.4.2" /> <ProjectReference Include="....\modules\Volo.Identity.Pro\src\Volo.Abp.Identity.Pro.Application.Contracts\Volo.Abp.Identity.Pro.Application.Contracts.csproj" /> <PackageReference Include="Volo.Abp.IdentityServer.Application.Contracts" Version="4.4.2" /> <ProjectReference Include="....\modules\Volo.Account.Pro\src\Volo.Abp.Account.Pro.Public.Application.Contracts\Volo.Abp.Account.Pro.Public.Application.Contracts.csproj" /> <ProjectReference Include="....\modules\Volo.Account.Pro\src\Volo.Abp.Account.Pro.Admin.Application.Contracts\Volo.Abp.Account.Pro.Admin.Application.Contracts.csproj" /> <PackageReference Include="Volo.Abp.LanguageManagement.Application.Contracts" Version="4.4.2" /> <ProjectReference Include="....\modules\Volo.TextTemplateManagement\src\Volo.Abp.TextTemplateManagement.Application.Contracts\Volo.Abp.TextTemplateManagement.Application.Contracts.csproj" /> <ProjectReference Include="....\modules\Volo.LeptonTheme\src\Volo.Abp.LeptonTheme.Management.Application.Contracts\Volo.Abp.LeptonTheme.Management.Application.Contracts.csproj" /> </ItemGroup>
<ItemGroup> <EmbeddedResource Include="Emailing\Templates*.tpl" /> <None Remove="Emailing\Templates*.tpl" /> </ItemGroup>
</Project>
hi
Can you share the csproj(ApplicationContractModule) file?
<Project Sdk="Microsoft.NET.Sdk">
<Import Project="..\..\common.props" />
<PropertyGroup>
<TargetFramework>netstandard2.0</TargetFramework>
<RootNamespace>Test</RootNamespace>
</PropertyGroup>
<ItemGroup>
<ProjectReference Include="..\Test.Domain.Shared\Test.Domain.Shared.csproj" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\modules\Volo.Account.Pro\src\Volo.Abp.Account.Pro.Shared.Application.Contracts\Volo.Abp.Account.Pro.Shared.Application.Contracts.csproj" />
<PackageReference Include="Volo.Abp.PermissionManagement.Application.Contracts" Version="4.4.2" />
<PackageReference Include="Volo.Abp.FeatureManagement.Application.Contracts" Version="4.4.2" />
<PackageReference Include="Volo.Abp.SettingManagement.Application.Contracts" Version="4.4.2" />
<PackageReference Include="Volo.Saas.Host.Application.Contracts" Version="4.4.2" />
<PackageReference Include="Volo.Abp.AuditLogging.Application.Contracts" Version="4.4.2" />
<ProjectReference Include="..\..\modules\Volo.Identity.Pro\src\Volo.Abp.Identity.Pro.Application.Contracts\Volo.Abp.Identity.Pro.Application.Contracts.csproj" />
<PackageReference Include="Volo.Abp.IdentityServer.Application.Contracts" Version="4.4.2" />
<ProjectReference Include="..\..\modules\Volo.Account.Pro\src\Volo.Abp.Account.Pro.Public.Application.Contracts\Volo.Abp.Account.Pro.Public.Application.Contracts.csproj" />
<ProjectReference Include="..\..\modules\Volo.Account.Pro\src\Volo.Abp.Account.Pro.Admin.Application.Contracts\Volo.Abp.Account.Pro.Admin.Application.Contracts.csproj" />
<PackageReference Include="Volo.Abp.LanguageManagement.Application.Contracts" Version="4.4.2" />
<ProjectReference Include="..\..\modules\Volo.TextTemplateManagement\src\Volo.Abp.TextTemplateManagement.Application.Contracts\Volo.Abp.TextTemplateManagement.Application.Contracts.csproj" />
<ProjectReference Include="..\..\modules\Volo.LeptonTheme\src\Volo.Abp.LeptonTheme.Management.Application.Contracts\Volo.Abp.LeptonTheme.Management.Application.Contracts.csproj" />
</ItemGroup>
<ItemGroup>
<EmbeddedResource Include="Emailing\Templates\Templates\*.tpl" />
<None Remove="Emailing\Templates\Templates\*.tpl" />
</ItemGroup>
</Project>
