From a182eca6d4409dcb3b9ec92f83109e03efd825c3 Mon Sep 17 00:00:00 2001
From: ryanbrandenburg
Date: Mon, 11 Jan 2016 14:45:11 -0800
Subject: [PATCH] * Use suggested Antiforgery AJAX patern.

---
 .../Controllers/ShoppingCartController.cs | 21 +------------------
 src/MusicStore/Startup.cs | 1 -
 .../Views/ShoppingCart/Index.cshtml | 11 +++++-----
 .../ShoppingCartControllerTest.cs | 2 +-
 4 files changed, 8 insertions(+), 27 deletions(-)

diff --git a/src/MusicStore/Controllers/ShoppingCartController.cs b/src/MusicStore/Controllers/ShoppingCartController.cs
index 496aa11815..71bf0a6ba2 100644
--- a/src/MusicStore/Controllers/ShoppingCartController.cs
+++ b/src/MusicStore/Controllers/ShoppingCartController.cs
@@ -1,10 +1,8 @@
 using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
-using Microsoft.AspNet.Antiforgery;
 using Microsoft.AspNet.Mvc;
 using Microsoft.Data.Entity;
-using Microsoft.Extensions.Primitives;
 using MusicStore.Models;
 using MusicStore.ViewModels;
@@ -59,28 +57,11 @@ namespace MusicStore.Controllers
         //
         // AJAX: /ShoppingCart/RemoveFromCart/5
         [HttpPost]
+        [ValidateAntiForgeryToken]
         public async Task RemoveFromCart(
-            [FromServices] IAntiforgery antiforgery,
             int id,
             CancellationToken requestAborted)
         {
-            var cookieToken = string.Empty;
-            var formToken = string.Empty;
-            StringValues tokenHeaders;
-            string[] tokens = null;
-
-            if (HttpContext.Request.Headers.TryGetValue("RequestVerificationToken", out tokenHeaders))
-            {
-                tokens = tokenHeaders.First().Split(':');
-                if (tokens != null && tokens.Length == 2)
-                {
-                    cookieToken = tokens[0];
-                    formToken = tokens[1];
-                }
-            }
-
-            antiforgery.ValidateTokens(HttpContext, new AntiforgeryTokenSet(formToken, cookieToken));
-
             // Retrieve the current user's shopping cart
             var cart = ShoppingCart.GetCart(DbContext, HttpContext);
diff --git a/src/MusicStore/Startup.cs b/src/MusicStore/Startup.cs
index ebe93b7bde..4ae206f7d9 100644
--- a/src/MusicStore/Startup.cs
+++ b/src/MusicStore/Startup.cs
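Review bot: `[ValidateAntiForgeryToken]` on RemoveFromCart only finds a header-borne request token if the header name the client sends matches the server-side `AntiforgeryOptions.HeaderName`; the view in this commit sends `RequestVerificationToken`, which I believe is the framework default, but the Startup.cs change here only drops a using and nothing pins that name, so the two can drift apart silently and every AJAX removal would then be rejected with a 400. Either leave the option at its default and say so, or configure it explicitly in Startup's antiforgery registration. The `// AJAX: /ShoppingCart/RemoveFromCart/5` comment above the attribute should also state where the tokens now come from, e.g. `// Antiforgery: request token from the RequestVerificationToken header, cookie token from the antiforgery cookie; a missing or mismatched pair is rejected before the action runs.` The removed hand-rolled parsing validated empty tokens when the header was absent or malformed, so delegating to the attribute is a stricter check and an improvement. The body of RemoveFromCart continues past the end of the hunk.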
@@ -1,5 +1,4 @@
 using Microsoft.AspNet.Builder;
-using Microsoft.AspNet.Hosting;
 using Microsoft.AspNet.Identity.EntityFramework;
 using Microsoft.Data.Entity;
 using Microsoft.Extensions.Configuration;
diff --git a/src/MusicStore/Views/ShoppingCart/Index.cshtml b/src/MusicStore/Views/ShoppingCart/Index.cshtml
index fe413a13be..421141865f 100644
--- a/src/MusicStore/Views/ShoppingCart/Index.cshtml
+++ b/src/MusicStore/Views/ShoppingCart/Index.cshtml
@@ -6,10 +6,9 @@
 @functions {
-    public string GetAntiXsrfToken()
+    public string GetAntiXsrfRequestToken()
     {
-        var tokens = Xsrf.GetTokens(Context);
-        return tokens.CookieToken + ":" + tokens.RequestToken;
+        return Xsrf.GetAndStoreTokens(Context).RequestToken;
     }
 }
@@ -26,10 +25,12 @@
         // Perform the ajax post
         $.ajax(PostToUrl, {
             type: "post",
-            data: { "id": recordToDelete },
+            data: {
+                "id": recordToDelete
+            },
             dataType: "json",
             headers: {
-                "RequestVerificationToken": '@GetAntiXsrfToken()'
+                "RequestVerificationToken": '@GetAntiXsrfRequestToken()'
             }
         }).done(function (data) {
             // Successful requests get here
diff --git a/test/MusicStore.Test/ShoppingCartControllerTest.cs b/test/MusicStore.Test/ShoppingCartControllerTest.cs
index 3fbbd7223f..38a0d4f54a 100644
--- a/test/MusicStore.Test/ShoppingCartControllerTest.cs
+++ b/test/MusicStore.Test/ShoppingCartControllerTest.cs
@@ -188,7 +188,7 @@ namespace MusicStore.Controllers
         controller.ControllerContext.HttpContext = httpContext;
         // Act
-        var result = await controller.RemoveFromCart(antiForgery, cartItemId, CancellationToken.None);
+        var result = await controller.RemoveFromCart(cartItemId, CancellationToken.None);
         // Assert
         var jsonResult = Assert.IsType(result);
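Review bot: `GetAntiXsrfRequestToken` now has a side effect its name hides: `GetAndStoreTokens` writes the antiforgery cookie to the response, so the helper only works while the page is still rendering and the returned request token is only valid together with the cookie from that same response. The previous helper was a pure read of `Xsrf.GetTokens`, so a reader comparing old and new will not expect this. A one-line comment on the helper would make the contract explicit, e.g. `// Emits the antiforgery cookie on this response and returns the matching request token; call once, during rendering.`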
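Review bot: The request token is spliced into a JavaScript single-quoted string via `'@GetAntiXsrfRequestToken()'`, which HTML-encodes the value rather than JavaScript-encoding it; this is not an injection risk because the token is framework-generated, but it quietly depends on the token alphabet never containing a quote or HTML-escaped character. Rendering the token as a hidden input via `@Html.AntiForgeryToken()` and reading it from the DOM before the `$.ajax` call removes that dependency and keeps the header name in one place. The `data: { ... }` reflow in the same hunk is whitespace only and could be left out of a security-motivated commit.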
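Review bot: Dropping the `antiForgery` argument means this test calls the action directly, so `[ValidateAntiForgeryToken]` never executes and the token-validation path the removed controller code used to exercise is no longer covered at all. A request without the header or cookie should now be rejected before the action runs, and only a test that goes through the MVC filter pipeline (an in-process host test) can demonstrate that; a short comment on the Act line, e.g. `// Antiforgery is enforced by the filter pipeline, not covered by this direct call`, would at least record the gap. If the `antiForgery` fake is still constructed earlier in this test, outside the hunk, it is now dead setup and should go too. The enclosing test method starts before the hunk.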