* Use suggested Antiforgery AJAX patern.

2016-01-11 14:45:11 -08:00 · 2016-01-11 14:45:11 -08:00 · a182eca6d4
parent 6d91b8d9fd
commit a182eca6d4
4 changed files with 8 additions and 27 deletions
--- a/src/MusicStore/Controllers/ShoppingCartController.cs
+++ b/src/MusicStore/Controllers/ShoppingCartController.cs
@ -1,10 +1,8 @@
 using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
-using Microsoft.AspNet.Antiforgery;
 using Microsoft.AspNet.Mvc;
 using Microsoft.Data.Entity;
-using Microsoft.Extensions.Primitives;
 using MusicStore.Models;
 using MusicStore.ViewModels;

@ -59,28 +57,11 @@ namespace MusicStore.Controllers
        //
        // AJAX: /ShoppingCart/RemoveFromCart/5
        [HttpPost]
+        [ValidateAntiForgeryToken]
        public async Task<IActionResult> RemoveFromCart(
-            [FromServices] IAntiforgery antiforgery,
            int id,
            CancellationToken requestAborted)
        {
-            var cookieToken = string.Empty;
-            var formToken = string.Empty;
-            StringValues tokenHeaders;
-            string[] tokens = null;
-
-            if (HttpContext.Request.Headers.TryGetValue("RequestVerificationToken", out tokenHeaders))
-            {
-                tokens = tokenHeaders.First().Split(':');
-                if (tokens != null && tokens.Length == 2)
-                {
-                    cookieToken = tokens[0];
-                    formToken = tokens[1];
-                }
-            }
-
-            antiforgery.ValidateTokens(HttpContext, new AntiforgeryTokenSet(formToken, cookieToken));
-
            // Retrieve the current user's shopping cart
            var cart = ShoppingCart.GetCart(DbContext, HttpContext);

--- a/src/MusicStore/Startup.cs
+++ b/src/MusicStore/Startup.cs
@ -1,5 +1,4 @@
 using Microsoft.AspNet.Builder;
-using Microsoft.AspNet.Hosting;
 using Microsoft.AspNet.Identity.EntityFramework;
 using Microsoft.Data.Entity;
 using Microsoft.Extensions.Configuration;
--- a/src/MusicStore/Views/ShoppingCart/Index.cshtml
+++ b/src/MusicStore/Views/ShoppingCart/Index.cshtml
@ -6,10 +6,9 @@

@functions
 {
-    public string GetAntiXsrfToken()
+    public string GetAntiXsrfRequestToken()
    {
-        var tokens = Xsrf.GetTokens(Context);
-        return tokens.CookieToken + ":" + tokens.RequestToken;
+        return Xsrf.GetAndStoreTokens(Context).RequestToken;
    }
 }

@ -26,10 +25,12 @@
                    // Perform the ajax post
                    $.ajax(PostToUrl, {
                        type: "post",
-                        data: { "id": recordToDelete },
+                        data: {
+                            "id": recordToDelete
+                        },
                        dataType: "json",
                        headers: {
-                            "RequestVerificationToken": '@GetAntiXsrfToken()'
+                            "RequestVerificationToken": '@GetAntiXsrfRequestToken()'
                        }
                    }).done(function (data) {
                        // Successful requests get here
--- a/test/MusicStore.Test/ShoppingCartControllerTest.cs
+++ b/test/MusicStore.Test/ShoppingCartControllerTest.cs
@ -188,7 +188,7 @@ namespace MusicStore.Controllers
            controller.ControllerContext.HttpContext = httpContext;

            // Act
-            var result = await controller.RemoveFromCart(antiForgery, cartItemId, CancellationToken.None);
+            var result = await controller.RemoveFromCart(cartItemId, CancellationToken.None);

            // Assert
            var jsonResult = Assert.IsType<JsonResult>(result);