
I am trying to incorporate an Edit Form page using GetAsync and PostAsync with a typed HttpClient. Everything works except that my code doesn't call API actions with ValidateAntiForgeryToken. Most of the examples online do not address the HttpContent used by HttpClientFactory and instead use HttpResponse. I am aware that the antiforgery token is missing on my request. How do I attach it to the request header? How do I retrieve it from the view? I want to use as little JavaScript as possible. Here's a snippet of my POST request service. Edit: For what it's worth, my API is .NET Core and my client is .NET Core MVC.

var response = await _httpclient.PostAsync("api/edit/" + id, httpcontent);
response.EnsureSuccessStatusCode();

p2K

1 Answer


In the MVC Edit view page, a hidden field (named __RequestVerificationToken) is used to store the ValidateAntiForgeryToken; you can use the F12 developer tools to check it.

<input name="__RequestVerificationToken" type="hidden" value="CfDJ8NrAkS ... s2-m9Yw">

After modifying the data, you could use jQuery to get the updated data, then use jQuery ajax to call the API method with the ValidateAntiForgeryToken. You can refer to the sample code in my reply:

If we customize the antiforgery options in Startup.ConfigureServices, for example by customizing the header name for the RequestVerificationToken:

services.AddAntiforgery(o => o.HeaderName = "XSRF-TOKEN");  // configure the antiforgery service to look for the XSRF-TOKEN header, to prevent cross-site request forgery

Then, we could use the following script:

$.ajax({
    type: "POST",
    url: "/Survey/Create",
    beforeSend: function (xhr) {
        // Send the request token under the header name configured in AddAntiforgery;
        // the browser attaches the antiforgery cookie itself on a same-origin request.
        xhr.setRequestHeader("XSRF-TOKEN",
            $('input:hidden[name="__RequestVerificationToken"]').val());
    },
    data: { "CategoryName": $("#CategoryName").val(), "CategoryID": $("#CategoryID").val() },
    success: function (response) {
        alert(response);
    },
    error: function (response) {
        // "failure" is not a jQuery.ajax option; failed requests arrive here
        alert(response.responseText);
    }
});

Besides, you can also refer to Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core.

Zhi Lv
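The question asks for the server-side, typed-HttpClient route with no JavaScript. The following is an added example, not code from the question, the answer, or ASP.NET Core itself. It assumes the API registers antiforgery with HeaderName = "XSRF-TOKEN" (as in the answer), that the API exposes a hypothetical GET api/antiforgery/token endpoint that issues a token pair, and that the typed client is registered with UseCookies = false. The point it makes that the answer does not: [ValidateAntiForgeryToken] checks a pair, the cookie token and the request token, and both must have been issued by the API's own data-protection keys. The __RequestVerificationToken from the MVC app's view cannot simply be forwarded to a separate API unless the two apps share data-protection keys, so the client below asks the API for its own pair first.

```csharp
// Added example (not the question's or answer's code). Assumptions: the API has
// services.AddAntiforgery(o => o.HeaderName = "XSRF-TOKEN"); the token endpoint
// below is hypothetical; the MVC app registers EditApiClient with UseCookies = false.
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Json;   // ReadFromJsonAsync (System.Net.Http.Json package / .NET 5+)
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Mvc;

// ---------- API side ----------
[ApiController]
[Route("api/antiforgery")]
public class AntiforgeryController : ControllerBase
{
    private readonly IAntiforgery _antiforgery;
    public AntiforgeryController(IAntiforgery antiforgery) => _antiforgery = antiforgery;

    // Issues a fresh pair: GetAndStoreTokens writes the cookie token as Set-Cookie on
    // this response; the request token is returned in the body. [ValidateAntiForgeryToken]
    // on api/edit/{id} needs both halves back.
    [HttpGet("token")]
    public IActionResult GetToken()
    {
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);
        return Ok(new { requestToken = tokens.RequestToken });
    }
}

// ---------- MVC client side ----------
// In the MVC app's Startup.ConfigureServices (assumed registration):
//   services.AddHttpClient<EditApiClient>(c => c.BaseAddress = new Uri("https://api.example/"))
//           .ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler { UseCookies = false });
// UseCookies = false matters: IHttpClientFactory pools one handler, and therefore one
// CookieContainer, across every user of the app. Carrying the cookie per request by
// hand keeps one user's antiforgery cookie from being replayed for another.
public sealed class EditApiClient
{
    private const string HeaderName = "XSRF-TOKEN";   // must match the API's AddAntiforgery option
    private readonly HttpClient _http;

    public EditApiClient(HttpClient http) => _http = http;

    public async Task EditAsync(int id, HttpContent body)
    {
        // 1. Obtain a token pair from the API (hypothetical endpoint).
        using var tokenResponse = await _http.GetAsync("api/antiforgery/token");
        tokenResponse.EnsureSuccessStatusCode();
        var token = await tokenResponse.Content.ReadFromJsonAsync<TokenResponse>();

        // Keep only "name=value" from each Set-Cookie line (drop Path, HttpOnly, SameSite, ...).
        var cookieHeader = string.Join("; ",
            tokenResponse.Headers.TryGetValues("Set-Cookie", out var setCookies)
                ? setCookies.Select(c => c.Split(';')[0])
                : Enumerable.Empty<string>());

        // 2. POST with both halves: cookie token in Cookie, request token in the header.
        using var request = new HttpRequestMessage(HttpMethod.Post, $"api/edit/{id}") { Content = body };
        request.Headers.TryAddWithoutValidation("Cookie", cookieHeader);
        request.Headers.Add(HeaderName, token!.RequestToken);

        using var response = await _http.SendAsync(request);
        response.EnsureSuccessStatusCode();   // a 400 here usually means the pair did not validate
    }

    private sealed class TokenResponse
    {
        public string RequestToken { get; set; } = "";
    }
}
```

Two things worth checking before adopting this. First, with the browser-side approach in the answer, the antiforgery cookie is only sent automatically on a same-origin request; if the API lives on another origin, the cookie will not accompany the jQuery call unless CORS credentials and the cookie's domain and SameSite settings allow it, and the validation will fail with a 400. Second, antiforgery tokens defend against a browser silently attaching a user's ambient cookies to a forged request. A server-to-server call from the MVC app that authenticates to the API with its own credential (for example a bearer token) has no ambient cookie for an attacker to abuse, so for those endpoints the pragmatic design is to rely on that credential and apply [ValidateAntiForgeryToken] only to actions that browsers call with cookies.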