Home > other >  Using ASP.NET Core 6 Web API Antiforgery Token in extern consumer (App) without Authentication
Using ASP.NET Core 6 Web API Antiforgery Token in extern consumer (App) without Authentication

Time:01-03

How can i use an Antiforgery Token in ASP.NET Core 6 Web API with an extern consumer like a iOS or Android App? I don't need user authentication for the requests. The app is hosted on another domain.

I have developed an Web API with an Antiforgery Token (Followed this link) and ASP.NET 6 Razor Pages. All is working perfekt. But how can i develop an extern App that uses this Web API? The Problem, i have no idea how can i create the Antiforgery Token from the "external" App? How can i configure the App to use the Web API with the Antiforgery Token?

CodePudding user response:

it is not necessary to implement Anti-Forgery Token protection against CSRF Attacks when building an API, most APIs are called from an external client, and the API protection is implemented using different methods:

  • using API Keys.
  • using Basic Authentication.
  • using OpenID Connect.

because what we want is to prevent malicious clients from calling our API.

however, if you're calling your API using Ajax from your website it is possible to integrate Anti-Forgery Token protection you can check this Answer on StackOverflow for more details on how to implement it.

but since you are going to call the API from an external app just go with one of the above methods.

check this article on Microsoft docs for more details on CSRF Attacks and how Anti-Forgery Token protection is implemented.

also, check this article from RedHat to get more informations about API security.

CodePudding user response:

I don't agree with the answer that "it is not necessary to implement Anti-Forgery Token protection against CSRF Attacks when building an API".

There is still a risk that somehow intruder can force the client app to send a malicious request.


To configure Anti-Forgery Protection in .NET Web API (without using MVC Views), you need to use the package Microsoft.AspNetCore.Antiforgery.

Keep in mind that there are two tokens which are being validated: a Cookie Token and a Request Token (from an HTTP header).

// Field
IAntiforgery _antiforgery;

var tokens = _antiforgery.GetAndStoreTokens(HttpContext);

As a result, tokens will contain the value:

{
    "CookieToken": "CfDJ8JPuS3COPd9AmHCMBz_IFVdVzR8cfeD2or9v3qMLlWgRiN812hKbkh4o8TpYl4AdA3uJ3FeoY3eozx59q_uSnloXl80nLEd6twLzkDdn4AifcsGWcwaAxWSrGTui0vwl7-SHjftCfkbj9pAlDC_DS0Q",
    // Ignore this: built-in mechanism for forms
    "FormFieldName": "__RequestVerificationToken",
    "HeaderName": "X-XSRF-TOKEN",
    "RequestToken": "CfDJ8JPuS3COPd9AmHCMBz_IFVfnP50wBywG2WJmFoYA7nx-VGzBjPRY16-p3BBFRMUGHt4cz-M-VrZ_jX_7vUoIt0OX3xhHNw8swt0CebGa4P41cVej2F_DvvayOvrhbY6s3Z2U1aZWHmAvBT8NlH7ueRE"
}

Note that CookieToken and RequestToken are different.

Cookie Token is handled automatically. But Request Token should be handled by us.

  1. Create a validation middleware:

    public class AntiforgeryMiddleware : IMiddleware
    {
        private readonly IAntiforgery _antiforgery;
    
        public AntiforgeryMiddleware(IAntiforgery antiforgery)
        {
            _antiforgery = antiforgery;
        }
    
        public async Task InvokeAsync(HttpContext context, RequestDelegate next)
        {
            var isGetRequest = string.Equals("GET", context.Request.Method, StringComparison.OrdinalIgnoreCase);
            if (!isGetRequest)
            {
                _antiforgery.ValidateRequestAsync(context).GetAwaiter().GetResult();
            }
    
            await next(context);
        }
    }
    
  2. Configure DI in your Web API application:

    // Startup.cs
    public void ConfigureServices(IServiceCollection services)
    {
        // ...
    
        // Extension method comes from the `Microsoft.AspNetCore.Antiforgery` package
        services.AddAntiforgery(options =>
        {
            options.HeaderName = "X-XSRF-TOKEN";
        });
    
        services.AddScoped<AntiforgeryMiddleware>();
    }
    
  3. Configure a validation middleware:

    // Startup.cs
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // ...
    
        app.UseMiddleware<AntiforgeryMiddleware>();
    
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
    
  4. Create a XSRF Token endpoint:

    [Route("api/xsrf-token")]
    [ApiController]
    public class AntiForgeryController : Controller
    {
        private IAntiforgery _antiforgery;
    
        public AntiForgeryController(IAntiforgery antiforgery)
        {
            _antiforgery = antiforgery;
        }
    
        [IgnoreAntiforgeryToken]
        public IActionResult Get()
        {
            // Creates and sets the cookie token in a cookie
            // Cookie name will be like ".AspNetCore.Antiforgery.pG4SaGh5yDI"
            var tokens = _antiforgery.GetAndStoreTokens(HttpContext);
    
            // Take request token (which is different from a cookie token)
            var headerToken = tokens.RequestToken;
            // Set another cookie for a request token
            Response.Cookies.Append("XSRF-TOKEN", headerToken, new CookieOptions
            {
                HttpOnly = false
            });
            return NoContent();
        }
    }
    
  5. On the client make a request to the URL /api/xsrf-token.

    Then read a request token cookie XSRF-TOKEN and set it to a X-XSRF-TOKEN HTTP header for non-GET requests:

    X-XSRF-TOKEN: <request-token>
    
  • Related