Throwing AntiforgeryValidationException for failure to deserializing tokens
This commit is contained in:
parent
0401377fe4
commit
d2c27104dd
|
|
@ -12,12 +12,23 @@ namespace Microsoft.AspNetCore.Antiforgery
|
||||||
{
|
{
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Creates a new instance of <see cref="AntiforgeryValidationException"/> with the specified
|
/// Creates a new instance of <see cref="AntiforgeryValidationException"/> with the specified
|
||||||
/// exception <paramref name="message"/>.
|
/// exception message.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
/// <param name="message">The message that describes the error.</param>
|
/// <param name="message">The message that describes the error.</param>
|
||||||
public AntiforgeryValidationException(string message)
|
public AntiforgeryValidationException(string message)
|
||||||
: base(message)
|
: base(message)
|
||||||
{
|
{
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Creates a new instance of <see cref="AntiforgeryValidationException"/> with the specified
|
||||||
|
/// exception message and inner exception.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="message">The message that describes the error.</param>
|
||||||
|
/// <param name="innerException">The inner <see cref="Exception"/>.</param>
|
||||||
|
public AntiforgeryValidationException(string message, Exception innerException)
|
||||||
|
: base(message, innerException)
|
||||||
|
{
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -8,6 +8,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
{
|
{
|
||||||
internal static class AntiforgeryLoggerExtensions
|
internal static class AntiforgeryLoggerExtensions
|
||||||
{
|
{
|
||||||
|
private static readonly Action<ILogger, Exception> _failedToDeserialzeTokens;
|
||||||
private static readonly Action<ILogger, string, Exception> _validationFailed;
|
private static readonly Action<ILogger, string, Exception> _validationFailed;
|
||||||
private static readonly Action<ILogger, Exception> _validated;
|
private static readonly Action<ILogger, Exception> _validated;
|
||||||
private static readonly Action<ILogger, string, Exception> _missingCookieToken;
|
private static readonly Action<ILogger, string, Exception> _missingCookieToken;
|
||||||
|
|
@ -54,6 +55,10 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
"The 'Cache-Control' and 'Pragma' headers have been overridden and set to 'no-cache, no-store' and " +
|
"The 'Cache-Control' and 'Pragma' headers have been overridden and set to 'no-cache, no-store' and " +
|
||||||
"'no-cache' respectively to prevent caching of this response. Any response that uses antiforgery " +
|
"'no-cache' respectively to prevent caching of this response. Any response that uses antiforgery " +
|
||||||
"should not be cached.");
|
"should not be cached.");
|
||||||
|
_failedToDeserialzeTokens = LoggerMessage.Define(
|
||||||
|
LogLevel.Debug,
|
||||||
|
9,
|
||||||
|
"Failed to deserialize antiforgery tokens.");
|
||||||
}
|
}
|
||||||
|
|
||||||
public static void ValidationFailed(this ILogger logger, string message)
|
public static void ValidationFailed(this ILogger logger, string message)
|
||||||
|
|
@ -95,5 +100,10 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
{
|
{
|
||||||
_responseCacheHeadersOverridenToNoCache(logger, null);
|
_responseCacheHeadersOverridenToNoCache(logger, null);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static void FailedToDeserialzeTokens(this ILogger logger, Exception exception)
|
||||||
|
{
|
||||||
|
_failedToDeserialzeTokens(logger, exception);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -124,7 +124,10 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
// Extract cookie & request tokens
|
// Extract cookie & request tokens
|
||||||
AntiforgeryToken deserializedCookieToken;
|
AntiforgeryToken deserializedCookieToken;
|
||||||
AntiforgeryToken deserializedRequestToken;
|
AntiforgeryToken deserializedRequestToken;
|
||||||
DeserializeTokens(httpContext, tokens, out deserializedCookieToken, out deserializedRequestToken);
|
if (!TryDeserializeTokens(httpContext, tokens, out deserializedCookieToken, out deserializedRequestToken))
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
// Validate
|
// Validate
|
||||||
string message;
|
string message;
|
||||||
|
|
@ -197,6 +200,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
// Extract cookie & request tokens
|
// Extract cookie & request tokens
|
||||||
AntiforgeryToken deserializedCookieToken;
|
AntiforgeryToken deserializedCookieToken;
|
||||||
AntiforgeryToken deserializedRequestToken;
|
AntiforgeryToken deserializedRequestToken;
|
||||||
|
|
||||||
DeserializeTokens(
|
DeserializeTokens(
|
||||||
httpContext,
|
httpContext,
|
||||||
antiforgeryTokenSet,
|
antiforgeryTokenSet,
|
||||||
|
|
@ -430,6 +434,27 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
_options.HeaderName);
|
_options.HeaderName);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private bool TryDeserializeTokens(
|
||||||
|
HttpContext httpContext,
|
||||||
|
AntiforgeryTokenSet antiforgeryTokenSet,
|
||||||
|
out AntiforgeryToken cookieToken,
|
||||||
|
out AntiforgeryToken requestToken)
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
DeserializeTokens(httpContext, antiforgeryTokenSet, out cookieToken, out requestToken);
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
catch (AntiforgeryValidationException ex)
|
||||||
|
{
|
||||||
|
_logger.FailedToDeserialzeTokens(ex);
|
||||||
|
|
||||||
|
cookieToken = null;
|
||||||
|
requestToken = null;
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
private void DeserializeTokens(
|
private void DeserializeTokens(
|
||||||
HttpContext httpContext,
|
HttpContext httpContext,
|
||||||
AntiforgeryTokenSet antiforgeryTokenSet,
|
AntiforgeryTokenSet antiforgeryTokenSet,
|
||||||
|
|
|
||||||
|
|
@ -75,7 +75,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
}
|
}
|
||||||
|
|
||||||
// if we reached this point, something went wrong deserializing
|
// if we reached this point, something went wrong deserializing
|
||||||
throw new InvalidOperationException(Resources.AntiforgeryToken_DeserializationFailed, innerException);
|
throw new AntiforgeryValidationException(Resources.AntiforgeryToken_DeserializationFailed, innerException);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* The serialized format of the anti-XSRF token is as follows:
|
/* The serialized format of the anti-XSRF token is as follows:
|
||||||
|
|
|
||||||
|
|
@ -51,7 +51,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
var testSerializer = new DefaultAntiforgeryTokenSerializer(_dataProtector.Object, _pool);
|
var testSerializer = new DefaultAntiforgeryTokenSerializer(_dataProtector.Object, _pool);
|
||||||
|
|
||||||
// Act & assert
|
// Act & assert
|
||||||
var ex = Assert.Throws<InvalidOperationException>(() => testSerializer.Deserialize(serializedToken));
|
var ex = Assert.Throws<AntiforgeryValidationException>(() => testSerializer.Deserialize(serializedToken));
|
||||||
Assert.Equal(@"The antiforgery token could not be decrypted.", ex.Message);
|
Assert.Equal(@"The antiforgery token could not be decrypted.", ex.Message);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue