This repository has been archived by the owner on Nov 22, 2018. It is now read-only.

Provide appropriate error message in case of missing antiforgery tokens #5

Closed
rynowak opened this issue Jun 25, 2015 · 3 comments

Comments

@rynowak
Member

rynowak commented Jun 25, 2015

Moved from: aspnet/Mvc#1210

Scenario as mentioned in the article below:
http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks

The error message says: "The required anti-forgery cookie "__RequestVerificationToken" is not present." Notice that it mentions the form field name here.

```csharp
using Microsoft.AspNet.Mvc;

// Startup.cs: register the filter so [ServiceFilter] can resolve it from DI.
services.AddSingleton<CustomAntiForgeryTokenFilter>();

//---------------------------------

// Authorization filter that reads both tokens from a single request header
// ("cookieToken:formToken") and hands them to AntiForgery.Validate.
public class CustomAntiForgeryTokenFilter : IAuthorizationFilter
{
    private readonly AntiForgery _antiForgery;

    public CustomAntiForgeryTokenFilter(AntiForgery antiForgery)
    {
        _antiForgery = antiForgery;
    }

    public void OnAuthorization(AuthorizationContext context)
    {
        string cookieToken = string.Empty;
        string formToken = string.Empty;

        string[] tokenHeaders;
        if (context.HttpContext.Request.Headers.TryGetValue("RequestVerificationToken", out tokenHeaders))
        {
            string[] tokens = tokenHeaders[0].Split(':');
            // Guard: a header without ':' would otherwise throw IndexOutOfRangeException
            // instead of reaching the antiforgery validation below.
            if (tokens.Length == 2)
            {
                cookieToken = tokens[0].Trim();
                formToken = tokens[1].Trim();
            }
        }

        // With no header present both tokens are empty strings; the exception
        // quoted below is thrown from this call.
        _antiForgery.Validate(context.HttpContext, cookieToken, formToken);
    }
}

//---------------------------------

[ServiceFilter(typeof(CustomAntiForgeryTokenFilter), Order = 1)]
[Authorize(Order = 2)]
public class ValuesController : Controller
{
    [HttpPost("api/values")]
    public Person Create([FromBody]Person data)
    {
        return data;
    }
}
```

Error Message

```
System.InvalidOperationException: The required anti-forgery cookie "__RequestVerificationToken" is not present.
at Microsoft.AspNet.Mvc.TokenProvider.ValidateTokens(HttpContext httpContext, ClaimsIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken)
at Microsoft.AspNet.Mvc.AntiForgeryWorker.Validate(HttpContext httpContext, String cookieToken, String formToken)
at Microsoft.AspNet.Mvc.AntiForgery.Validate(HttpContext context, String cookieToken, String formToken)
at WebApplication10.CustomAntiForgeryTokenFilter.OnAuthorizationAsync(AuthorizationContext context) in C:\Users\kichalla\Documents\Visual Studio 14\Projects\WebApplication10\src\WebApplication10\CustomAntiForgeryTokenFilterAttribute.cs:line 33
at Microsoft.AspNet.Mvc.FilterActionInvoker.<InvokeAuthorizationFilter>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Mvc.FilterActionInvoker.<InvokeActionAuthorizationFilters>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Mvc.FilterActionInvoker.<InvokeExceptionFilter>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at Microsoft.AspNet.Mvc.FilterActionInvoker.<InvokeAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Mvc.ReflectedActionInvoker.<InvokeAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
at Microsoft.AspNet.Mvc.MvcRouteHandler.<RouteAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Routing.Template.TemplateRoute.<RouteAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Mvc.Routing.AttributeRoute.<RouteAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Routing.RouteCollection.<RouteAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Builder.RouterMiddleware.<Invoke>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Security.Infrastructure.AuthenticationMiddleware`1.<Invoke>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.RequestContainer.ContainerMiddleware.<Invoke>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Loader.IIS.KlrHttpApplication.<ProcessRequestAsyncImpl>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNet.Loader.IIS.HttpApplicationBase.<InvokeProcessRequestAsyncImpl>d__1.MoveNext()
```

@rynowak
Member Author

rynowak commented Jun 25, 2015

Looked into this more. The bug here is that in the overload where the caller passes in the token, we're still including the form field name in the message. We have no idea where you got the token; this should throw an ArgumentNullException here, and the proper exception should be thrown by the caller.

@muratg

muratg commented Jul 7, 2015

@Tratcher

@danroth27 danroth27 added the bug label Jul 24, 2015
@danroth27 danroth27 added this to the 1.0.0-beta7 milestone Jul 24, 2015
rynowak added a commit that referenced this issue Jul 30, 2015
This fix changes the model for error messaging in antiforgery. Now only
the token store will report a detailed error message including the names
of the form field and cookie. Other components will give more generic errors
and assume that this was handled by the token store.

This way you still see an error if the user creates a token store that
doesn't throw, but it's a generic error that doesn't give incorrect
information.
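As an added illustration, not code from aspnet/Antiforgery or from commit 9bcecf3, the following C# sketch models the layering that the commit message and the earlier comment describe: the component that knows where tokens live (the "token store") is the only one that names a cookie or form field in its error, while the overload that receives raw token strings rejects nulls with an ArgumentNullException and otherwise reports a generic failure. `FakeRequest`, `TokenStore`, `TokenValidator`, `AntiforgeryValidationException` and the equality pairing rule are constructed stand-ins chosen so the sample runs without ASP.NET; the real component validates both tokens cryptographically.

```csharp
using System;
using System.Collections.Generic;

// Constructed stand-in for an antiforgery validation failure (not the framework's type).
public sealed class AntiforgeryValidationException : Exception
{
    public AntiforgeryValidationException(string message) : base(message) { }
}

// Hypothetical request shape so the sample runs offline.
public sealed class FakeRequest
{
    public Dictionary<string, string> Cookies { get; } = new Dictionary<string, string>();
    public Dictionary<string, string> Form { get; } = new Dictionary<string, string>();
    public Dictionary<string, string> Headers { get; } = new Dictionary<string, string>();
}

// Layer 1: the token store. It alone knows the cookie and form-field names,
// so it alone reports them when a token is missing.
public sealed class TokenStore
{
    private readonly string _cookieName;
    private readonly string _formFieldName;

    public TokenStore(string cookieName, string formFieldName)
    {
        _cookieName = cookieName;
        _formFieldName = formFieldName;
    }

    public string GetCookieToken(FakeRequest request)
    {
        if (!request.Cookies.TryGetValue(_cookieName, out var token) || token.Length == 0)
            throw new AntiforgeryValidationException(
                $"The required anti-forgery cookie \"{_cookieName}\" is not present.");
        return token;
    }

    public string GetFormToken(FakeRequest request)
    {
        if (!request.Form.TryGetValue(_formFieldName, out var token) || token.Length == 0)
            throw new AntiforgeryValidationException(
                $"The required anti-forgery form field \"{_formFieldName}\" is not present.");
        return token;
    }
}

// Layer 2: the caller-supplies-tokens overload. It cannot know where the strings came
// from, so nulls are argument errors and any other failure gets a generic message.
public static class TokenValidator
{
    public static void Validate(string cookieToken, string formToken)
    {
        if (cookieToken == null) throw new ArgumentNullException(nameof(cookieToken));
        if (formToken == null) throw new ArgumentNullException(nameof(formToken));
        // Constructed pairing rule: the two tokens must be equal. The message is the point:
        // it names no cookie or form field, because this layer read neither.
        if (cookieToken.Length == 0 || formToken.Length == 0 ||
            !string.Equals(cookieToken, formToken, StringComparison.Ordinal))
            throw new AntiforgeryValidationException("The anti-forgery token could not be validated.");
    }
}

public static class Program
{
    // Convenience path: the store locates the tokens, then the validator checks them.
    public static void ValidateFromStore(TokenStore store, FakeRequest request) =>
        TokenValidator.Validate(store.GetCookieToken(request), store.GetFormToken(request));

    // Caller-supplied path, mirroring the "cookie:form" header convention of the issue's filter.
    public static void ValidateFromHeader(FakeRequest request)
    {
        string cookieToken = "", formToken = "";
        if (request.Headers.TryGetValue("RequestVerificationToken", out var raw))
        {
            var parts = raw.Split(':');
            if (parts.Length == 2) { cookieToken = parts[0].Trim(); formToken = parts[1].Trim(); }
        }
        TokenValidator.Validate(cookieToken, formToken);
    }

    public static void Main()
    {
        var store = new TokenStore("__RequestVerificationToken", "__RequestVerificationToken");

        var noCookie = new FakeRequest();
        noCookie.Form["__RequestVerificationToken"] = "abc";
        Report(() => ValidateFromStore(store, noCookie));    // names the cookie: the store looked for it

        Report(() => ValidateFromHeader(new FakeRequest()));  // generic: no cookie or field was read

        Report(() => TokenValidator.Validate(null, "abc"));  // ArgumentNullException, as the fix intends

        var ok = new FakeRequest();
        ok.Headers["RequestVerificationToken"] = "abc:abc";
        Report(() => ValidateFromHeader(ok));                 // OK
    }

    private static void Report(Action check)
    {
        try { check(); Console.WriteLine("OK"); }
        catch (Exception e) { Console.WriteLine($"{e.GetType().Name}: {e.Message}"); }
    }
}
```

The second and third calls are the cases the issue is about: a caller that read tokens from a header (or passed nothing at all) now gets a generic message or an argument error rather than a complaint about a cookie it never consulted.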
@rynowak rynowak closed this as completed in 9bcecf3 Aug 6, 2015
@rynowak
Member Author

rynowak commented Aug 6, 2015

9bcecf3
