Use AntiForgeryToken in swagger.

Resolve #5004

Author: maliming

aspnet-core/src/AbpCompanyName.AbpProjectName.Web.Host/Controllers/HomeController.cs

@@ -4,6 +4,7 @@
 using Abp.Extensions;
 using Abp.Notifications;
 using Abp.Timing;
+using Abp.Web.Security.AntiForgery;
 using AbpCompanyName.AbpProjectName.Controllers;
 
 namespace AbpCompanyName.AbpProjectName.Web.Host.Controllers
@@ -12,13 +13,17 @@ public class HomeController : AbpProjectNameControllerBase
     {
         private readonly INotificationPublisher _notificationPublisher;
 
-        public HomeController(INotificationPublisher notificationPublisher)
+        private readonly IAbpAntiForgeryManager _abpAntiForgeryManager;
+
+        public HomeController(INotificationPublisher notificationPublisher, IAbpAntiForgeryManager abpAntiForgeryManager)
         {
             _notificationPublisher = notificationPublisher;
+            _abpAntiForgeryManager = abpAntiForgeryManager;
         }
 
         public IActionResult Index()
         {
+            _abpAntiForgeryManager.SetCookie(HttpContext);
             return Redirect("/swagger");
         }
 

aspnet-core/src/AbpCompanyName.AbpProjectName.Web.Host/wwwroot/swagger/ui/abp.swagger.js

@@ -26,6 +26,13 @@ var abp = abp || {};
         return true;
     }
 
+    function addAntiForgeryTokenToXhr(xhr) {
+        var antiForgeryToken = abp.security.antiForgery.getToken();
+        if (antiForgeryToken) {
+            xhr.setRequestHeader(abp.security.antiForgery.tokenHeaderName, antiForgeryToken);
+        }
+    }
+
     function loginUserInternal(tenantId, callback) {
         var usernameOrEmailAddress = document.getElementById('userName').value;
         if (!usernameOrEmailAddress) {
@@ -58,6 +65,7 @@ var abp = abp || {};
         xhr.open('POST', '/api/TokenAuth/Authenticate', true);
         xhr.setRequestHeader('Abp.TenantId', tenantId);
         xhr.setRequestHeader('Content-type', 'application/json');
+        addAntiForgeryTokenToXhr(xhr);
         xhr.send("{" + "usernameOrEmailAddress:'" + usernameOrEmailAddress + "'," + "password:'" + password + "'}");
     };
 
@@ -81,6 +89,7 @@ var abp = abp || {};
 
             xhrTenancyName.open('POST', '/api/services/app/Account/IsTenantAvailable', true);
             xhrTenancyName.setRequestHeader('Content-type', 'application/json');
+            addAntiForgeryTokenToXhr(xhrTenancyName);
             xhrTenancyName.send("{" + "tenancyName:'" + tenancyName + "'}");
         } else {
             loginUserInternal(null, callback); // Login for host

aspnet-core/src/AbpCompanyName.AbpProjectName.Web.Host/wwwroot/swagger/ui/index.html

@@ -81,6 +81,10 @@
             configObject.requestInterceptor = function (request) {
                 var token = abp.auth.getToken();
                 request.headers.Authorization = token ? "Bearer " + token : null;
+                var antiForgeryToken = abp.security.antiForgery.getToken();
+                if (antiForgeryToken) {
+                    request.headers[abp.security.antiForgery.tokenHeaderName] = antiForgeryToken;
+                }
                 return request;
             };
             if (!configObject.hasOwnProperty("oauth2RedirectUrl")) {