Ricardo Fontana Ricardo Fontana - 24 days ago 12
C# Question

Command equivalent to AntiForgery.Validate() in asp.net-core

Exists, in asp.net-core, a command similar to

AntiForgery.Validate();
to validate antiforgery token in the action body?

Code example in dotnet 4.5.1:

public ActionResult Index()
{
if (!User.Identity.IsAuthenticated)
{
System.Web.Helpers.AntiForgery.Validate();
}

// rest of action
}

Answer

Antiforgery token validation can be done automatically using filter attributes in your controllers.

  • Use [AutoValidateAntiforgeryToken] to validate the token on all "unsafe" methods. (Methods other than GET, HEAD, TRACE, OPTIONS).
  • Use [ValidateAntiforgeryToken] to always validate the token
  • Use [IgnoreAntiforgeryToken] to ignore token validation

You can combine these attributes to achieve the granularity you need. For example:

//Validate all 'unsafe' actions except the ones with the ignore attribute
[AutoValidateAntiforgeryToken]
public class MyApi: Controller
{
    [HttpPost]
    public IActionResult DoSomething(){ }
    [HttpPut]
    public IActionResult DoSomethingElse(){ }

    [IgnoreAntiforgeryToken]   
    public IActionResult DoSomethingSafe(){ }
}

//Validate only explicit actions
public class ArticlesController: Controller
{
    public IActionResult Index(){ }

    [ValidateAntiforgeryToken]
    [HttpPost]   
    public IActionResult Create(){ }
}

I have noticed the documentation isnt fully ready in the docs site, but you can see a draft of it in the github issue.