This change adds support for retrieving an antiforgery CSRF token via a
configurable header in addition to the form field. This helps with doing
AJAX requests in a 1st-party SPA when using cookie auth, and is similar to
functionality provided by a bunch of different frameworks.

In this change there's also a bunch of churn due to avoiding the term
'form' in favor of 'request' and 'session' in favor of 'cookie'. Where
code and error messages now mention 'form' they specifically mean
form-encoded content.

This fix changes the model for error messaging in antiforgery. Now only
the token store will report a detailed error message including the names
of the form field and cookie. Other components will give more generic errors
and assume that this was handled by the token store.

This way you still see an error if the user creates a token store that
doesn't throw, but it's a generic error that doesn't give incorrect
information.

This change makes it possible to replace all of the various
IAntiforgery*** extensibility points via DI.

Changes:
- Move functionality out of AntiforgeryWorker into Antiforgery
- Move services to DI (instead of constructed by Antiforgery)
- Clean up how application/cookie-name is computed
- Merge IAntiforgeryTokenGenerator & IAntiforgeryTokenValidator
- Unseal classes
- Fix use of options in services
- Misc test cleanup
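
The header-based token retrieval described in the first message, shown as an added example that is not code from this repository or its authors. It uses the antiforgery API as it exists in current ASP.NET Core releases, which may differ from the API at the time of these changes; the header name, cookie name and routes are assumptions.

```csharp
// Added example: minimal-API app (Microsoft.NET.Sdk.Web) for a cookie-authenticated SPA.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAntiforgery(options =>
{
    // Header the SPA attaches to AJAX requests (name is an assumption).
    options.HeaderName = "X-XSRF-TOKEN";
    // Form-encoded posts keep using the hidden field.
    options.FormFieldName = "__RequestVerificationToken";
    options.Cookie.Name = ".Example.Antiforgery"; // assumption
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});

var app = builder.Build();

// The SPA calls this same-origin endpoint (hypothetical route) to obtain the
// request token. The matching cookie token is set on the response, so both
// halves of the pair are present on later requests.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext context) =>
{
    AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(context);
    return Results.Json(new { headerName = tokens.HeaderName, token = tokens.RequestToken });
});

// State-changing endpoint (hypothetical route). Validation accepts the request
// token from the configured header or, for form-encoded bodies, the form field.
app.MapPost("/api/profile", async (IAntiforgery antiforgery, HttpContext context) =>
{
    try
    {
        await antiforgery.ValidateRequestAsync(context);
    }
    catch (AntiforgeryValidationException)
    {
        // Keep the client-facing error generic; log details server-side if needed.
        return Results.BadRequest(new { error = "antiforgery validation failed" });
    }
    return Results.Ok(new { updated = true });
});

app.Run();
```

The SPA reads `token` from the first response and sends it back in the `X-XSRF-TOKEN` header on each POST; a request that carries only the cookie fails validation.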