Angular2 ASP.NET Core防伪令牌

本文介绍了Angular2 ASP.NET Core防伪令牌的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我有一个 Angular2 应用.它在 ASP.NET 5(核心)中运行. 它将Http调用到正常工作的控制器.

但是现在我需要建立跨站点脚本投影.

如何在每个Http请求上生成一个新令牌，然后在Angular2应用中执行AntiForgeryToken检查?

注意:我在Angular中的数据表单不是从MVC视图生成的，而是完全用Angular2编写的，并且仅调用Web服务.

我所看到的所有示例都已过时，无法使用/无法完全使用.

如何在表单为纯Angular的ASP.NET 5中针对 Angular2 集成AntiForgeryToken检查?

谢谢.

解决方案

自定义操作过滤器不是必需的.都可以在Startup.cs中将其连接起来.

using Microsoft.AspNetCore.Antiforgery; (...) public void ConfigureServices(IServiceCollection services) { services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN"); (...) } public void Configure(IApplicationBuilder app, IAntiforgery antiforgery) { app.Use(next => context => { if (context.Request.Path == "/") { //send the request token as a JavaScript-readable cookie, and Angular will use it by default var tokens = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions { HttpOnly = false }); } return next(context); }); (...) }

然后，您需要在控制器中使用的任何地方都需要[ValidateAntiForgeryToken]装饰器，以强制提供令牌.

作为参考，我在这里找到了此解决方案- AspNet反伪造Github第29期./p>

I have an Angular2 app. It is running within ASP.NET 5 (Core). It makes Http calls to the controller which is working fine.

But now I need to establish Cross Site Scripting projection.

How do I generate a new token on each Http request and then subsequently perform the AntiForgeryToken check in Angular2 apps?

Note: My data forms in Angular are not produced from an MVC view but entirely written in Angular2 and call web services only.

All the examples I have seen are out dated and do not work / do not work fully.

How do I integrate AntiForgeryToken checks in Angular2 against ASP.NET 5 where forms are pure Angular?

Thanks.

解决方案

A custom action filter is not necessary. It can all be wired up in Startup.cs.

using Microsoft.AspNetCore.Antiforgery; (...) public void ConfigureServices(IServiceCollection services) { services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN"); (...) } public void Configure(IApplicationBuilder app, IAntiforgery antiforgery) { app.Use(next => context => { if (context.Request.Path == "/") { //send the request token as a JavaScript-readable cookie, and Angular will use it by default var tokens = antiforgery.GetAndStoreTokens(context); context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions { HttpOnly = false }); } return next(context); }); (...) }

Then all you need in your controllers is the [ValidateAntiForgeryToken] decorator wherever you want to enforce that a token is provided.

For reference, I found this solution here - AspNet AntiForgery Github Issue 29.