This code was popping up everywhere this method is called. Seems bad to
duplicate it. Really what the caller wants to know is 'is the request
valid or a potential CSRF exploit?'. This gets the API closer to that.
- #23 part 3
- `Get[AndStore]Tokens()` would deserialize cookie token from request even if `IsRequestValidAsync()` already had
- `GetAndStoreTokens()` serialized an old (never saved) cookie token once and a new one twice
- refactor serialization from `DefaultAntiforgeryTokenStore` to `DefaultAntiforgery`
- divide responsibilities and ease overall fix
- above refactoring took `IAntiforgeryContextAccessor` responsibilities along to `DefaultAntiforgery` as well
- store all tokens in `IAntiforgeryContextAccessor` to avoid repeated (de)serializations
- remove `AntiforgeryTokenSetInternal`
nits:
- bit more parameter renaming to `httpContext`
- remove argument checks in helper methods
- did _not_ do a sweep through the repo; just files in this PR
My earlier change to add TryValidateRequestAsync didn't go far enough,
because the store will still throw when the tokens aren't present. This
change is to make the store just return null tokens in these cases, and
move the exceptions to DefaultAntiforgery.
Some other misc cleanup
- docs for IAntiforgeryTokenGenerator
- Add HttpContext parameter where to all IAntiforgeryGenerator methods
- rename parameters on DefaultAntiforgery
Ajay Bhargav Baaskaran
Ryan Nowak
Kiran Challa
Doug Bunting
ryanbrandenburg
N. Taylor Mullen