Adding ValidateAntiForgeryTokenAttribute also fixing a bug in token deserialization.

2014-05-01 10:20:48 -07:00 · 2014-05-01 10:20:48 -07:00 · b444f66689
parent 904c91d2b9
commit b444f66689
4 changed files with 77 additions and 4 deletions
--- a/src/Microsoft.AspNet.Mvc.Core/AntiForgery/AntiForgeryTokenSerializer.cs
+++ b/src/Microsoft.AspNet.Mvc.Core/AntiForgery/AntiForgeryTokenSerializer.cs
@ -38,11 +38,12 @@ namespace Microsoft.AspNet.Mvc
            Exception innerException = null;
            try
            {
-                using (MemoryStream stream = new MemoryStream(UrlTokenDecode(serializedToken)))
+                var tokenBytes = UrlTokenDecode(serializedToken);
+                using (var stream = new MemoryStream(_cryptoSystem.Unprotect(tokenBytes)))
                {
-                    using (BinaryReader reader = new BinaryReader(stream))
+                    using (var reader = new BinaryReader(stream))
                    {
-                        AntiForgeryToken token = DeserializeImpl(reader);
+                        var token = DeserializeImpl(reader);
                        if (token != null)
                        {
                            return token;
@ -64,7 +65,7 @@ namespace Microsoft.AspNet.Mvc
         * Version: 1 byte integer
         * SecurityToken: 16 byte binary blob
         * IsSessionToken: 1 byte Boolean
-         * [if IsSessionToken = true]
+         * [if IsSessionToken != true]
         *   +- IsClaimsBased: 1 byte Boolean
         *   |  [if IsClaimsBased = true]
         *   |    `- ClaimUid: 32 byte binary blob
--- a/src/Microsoft.AspNet.Mvc.Core/Filters/ValidateAntiForgeryTokenAttribute.cs
+++ b/src/Microsoft.AspNet.Mvc.Core/Filters/ValidateAntiForgeryTokenAttribute.cs
@ -0,0 +1,34 @@
+// Copyright (c) Microsoft Open Technologies, Inc.
+// All Rights Reserved
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR
+// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF
+// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR
+// NON-INFRINGEMENT.
+// See the Apache 2 License for the specific language governing
+// permissions and limitations under the License.
+
+using System;
+using Microsoft.Framework.DependencyInjection;
+
+namespace Microsoft.AspNet.Mvc
+{
+    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
+    public class ValidateAntiForgeryTokenAttribute : Attribute, IFilterFactory, IOrderedFilter
+    {
+        public int Order { get; set; }
+
+        public IFilter CreateInstance(IServiceProvider serviceProvider)
+        {
+            var antiForgery = serviceProvider.GetService<AntiForgery>();
+            return new ValidateAntiForgeryTokenAuthorizationFilter(antiForgery);
+        }
+    }
+}
--- a/src/Microsoft.AspNet.Mvc.Core/Filters/ValidateAntiForgeryTokenAuthorizationFilter.cs
+++ b/src/Microsoft.AspNet.Mvc.Core/Filters/ValidateAntiForgeryTokenAuthorizationFilter.cs
@ -0,0 +1,36 @@
+// Copyright (c) Microsoft Open Technologies, Inc.
+// All Rights Reserved
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR
+// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
+// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF
+// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR
+// NON-INFRINGEMENT.
+// See the Apache 2 License for the specific language governing
+// permissions and limitations under the License.
+
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNet.Mvc
+{
+    public class ValidateAntiForgeryTokenAuthorizationFilter : IAsyncAuthorizationFilter
+    {
+        private readonly AntiForgery _antiForgery;
+        
+        public ValidateAntiForgeryTokenAuthorizationFilter([NotNull] AntiForgery antiForgery)
+        {
+            _antiForgery = antiForgery;
+        }
+
+        public async Task OnAuthorizationAsync([NotNull] AuthorizationContext context)
+        {
+            await _antiForgery.ValidateAsync(context.HttpContext);
+        }
+    }
+}
--- a/src/Microsoft.AspNet.Mvc.Core/Microsoft.AspNet.Mvc.Core.kproj
+++ b/src/Microsoft.AspNet.Mvc.Core/Microsoft.AspNet.Mvc.Core.kproj
@ -110,6 +110,8 @@
    <Compile Include="Filters\ResultExecutionDelegate.cs" />
    <Compile Include="Filters\ResultFilterAttribute.cs" />
    <Compile Include="Filters\ServiceFilterAttribute.cs" />
+    <Compile Include="Filters\ValidateAntiForgeryTokenAttribute.cs" />
+    <Compile Include="Filters\ValidateAntiForgeryTokenAuthorizationFilter.cs" />
    <Compile Include="FormContext.cs" />
    <Compile Include="HttpDeleteAttribute.cs" />
    <Compile Include="HttpGetAttribute.cs" />