Add Cookie-to-header AntiForgery token validation.

Author: claudiamurialdo

dotnet/src/dotnetcore/GxNetCoreStartup/GxNetCoreStartup.csproj

@@ -10,6 +10,7 @@
 	</PropertyGroup>
 
 	<ItemGroup>
+		<PackageReference Include="Microsoft.AspNet.WebPages" Version="3.2.9" />
 		<PackageReference Include="Microsoft.AspNetCore.DataProtection.StackExchangeRedis" Version="3.1.7" />
 		<PackageReference Include="Microsoft.AspNetCore.Rewrite" Version="2.2.0" />
 		<PackageReference Include="Microsoft.Data.SqlClient" Version="1.1.4" />

dotnet/src/dotnetcore/GxNetCoreStartup/Startup.cs

@@ -1,3 +1,5 @@
+
+
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -12,6 +14,7 @@
 using GxClasses.Web.Middleware;
 using log4net;
 using Microsoft.AspNetCore;
+using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.Diagnostics;
@@ -104,6 +107,10 @@ private static void LocatePhysicalLocalPath()
 
 	public static class GXHandlerExtensions
 	{
+		public static IApplicationBuilder UseAntiforgeryTokens(this IApplicationBuilder app, string basePath)
+		{
+			return app.UseMiddleware<ValidateAntiForgeryTokenMiddleware>(basePath);
+		}
 		public static IApplicationBuilder UseGXHandlerFactory(this IApplicationBuilder builder, string basePath)
 		{
 			return builder.UseMiddleware<HandlerFactory>(basePath);
@@ -223,6 +230,13 @@ public void ConfigureServices(IServiceCollection services)
 					options.EnableForHttps = true;
 				});
 			}
+			if (RestAPIHelpers.ValidateCsrfToken())
+			{
+				services.AddAntiforgery(options =>
+				{
+					options.HeaderName = HttpHeader.X_GXCSRF_TOKEN;
+				});
+			}
 			DefineCorsPolicy(services);
 			services.AddMvc();
 		}
@@ -386,6 +400,24 @@ public void Configure(IApplicationBuilder app, Microsoft.AspNetCore.Hosting.IHos
 
 			string restBasePath = string.IsNullOrEmpty(VirtualPath) ? REST_BASE_URL : $"{VirtualPath}/{REST_BASE_URL}";
 			string apiBasePath = string.IsNullOrEmpty(VirtualPath) ? string.Empty : $"{VirtualPath}/";
+			if (RestAPIHelpers.ValidateCsrfToken())
+			{
+
+				var antiforgery = app.ApplicationServices.GetRequiredService<IAntiforgery>();
+				app.UseAntiforgeryTokens(restBasePath);
+				app.Run(async context =>
+				{
+					string requestPath = context.Request.Path.Value;
+
+					if (string.Equals(requestPath, $"/{restBasePath}VerificationToken", StringComparison.OrdinalIgnoreCase))
+					{
+						var tokenSet = antiforgery.GetAndStoreTokens(context);
+						context.Response.Cookies.Append(HttpHeader.X_GXCSRF_TOKEN, tokenSet.RequestToken!,
+							new CookieOptions { HttpOnly = false });
+					}
+					await Task.CompletedTask;
+				});
+			}
 			app.UseMvc(routes =>
 			{
 				foreach (string serviceBasePath in servicesBase)
@@ -485,6 +517,13 @@ public async Task Invoke(HttpContext httpContext)
 				{
 					httpStatusCode = HttpStatusCode.NotFound;
 				}
+
+				else if (ex is AntiforgeryValidationException)
+				{
+					//"The required antiforgery header value "X-GXCSRF-TOKEN" is not present.
+					httpStatusCode = HttpStatusCode.BadRequest;
+					GXLogging.Error(log, $"Validation of antiforgery failed", ex);
+				}
 				else
 				{
 					httpStatusCode = HttpStatusCode.InternalServerError;
@@ -542,4 +581,43 @@ public IActionResult Index()
 			return Redirect(defaultFiles[0]);
 		}
 	}
+	public class ValidateAntiForgeryTokenMiddleware
+	{
+		static readonly ILog log = log4net.LogManager.GetLogger(typeof(ValidateAntiForgeryTokenMiddleware));
+
+		private readonly RequestDelegate _next;
+		private readonly IAntiforgery _antiforgery;
+		private string _basePath;
+
+		public ValidateAntiForgeryTokenMiddleware(RequestDelegate next, IAntiforgery antiforgery, String basePath)
+		{
+			_next = next;
+			_antiforgery = antiforgery;
+			_basePath = "/" + basePath;
+		}
+
+		public async Task Invoke(HttpContext context)
+		{
+			if (context.Request.Path.HasValue && context.Request.Path.Value.StartsWith(_basePath) && HttpMethods.IsPost(context.Request.Method))
+			{
+				GXLogging.Debug(log, $"Antiforgery validation starts");
+				await _antiforgery.ValidateRequestAsync(context);
+				GXLogging.Debug(log, $"Antiforgery validation OK");
+			}
+			else if (HttpMethods.IsGet(context.Request.Method))
+			{
+				string tokens = context.Request.Cookies[HttpHeader.X_GXCSRF_TOKEN];
+				if (string.IsNullOrEmpty(tokens))
+				{
+					GXLogging.Debug(log, $"Setting cookie ", HttpHeader.X_GXCSRF_TOKEN);
+					var tokenSet = _antiforgery.GetAndStoreTokens(context);
+					context.Response.Cookies.Append(HttpHeader.X_GXCSRF_TOKEN, tokenSet.RequestToken!,
+							new CookieOptions { HttpOnly = false });
+				}
+			}
+
+			await _next(context);
+		}
+		
+	}
 }

dotnet/src/dotnetframework/GxClasses/Services/GXRestServices.cs

@@ -451,7 +451,7 @@ private bool IsAuthenticated(GAMSecurityLevel objIntegratedSecurityLevel, bool o
 				{
 
 					string CSRFToken;
-					bool validateCSRFToken = RestAPIHelpers.ValidateCsrfToken(); ;
+					bool validateCSRFToken = false;//RestAPIHelpers.ValidateCsrfToken(); ;
 					if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityLow)
 					{
 						bool isOK;

dotnet/src/dotnetframework/GxClasses/Services/GxRestWrapper.cs

@@ -568,7 +568,7 @@ protected bool IsAuthenticated(GAMSecurityLevel objIntegratedSecurityLevel, bool
 				else
 				{
 					string CSRFToken;
-					bool validateCSRFToken = RestAPIHelpers.ValidateCsrfToken();
+					bool validateCSRFToken = false;// RestAPIHelpers.ValidateCsrfToken();
 					if (objIntegratedSecurityLevel == GAMSecurityLevel.SecurityLow)
 					{
 						bool isOK;