Add nullability to antiforgery (#22279)

* Add nullability to antiforgery

Addresses #5680

* Rebase

Author: pranavkm

src/Antiforgery/ref/Directory.Build.props

@@ -0,0 +1,7 @@
+<Project>
+  <Import Project="$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildThisFileDirectory)..\, Directory.Build.props))\Directory.Build.props" />
+
+  <PropertyGroup>
+    <Nullable>annotations</Nullable>
+  </PropertyGroup>
+</Project>

src/Antiforgery/ref/Microsoft.AspNetCore.Antiforgery.csproj

@@ -2,6 +2,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <TargetFrameworks>$(DefaultNetCoreTargetFramework)</TargetFrameworks>
+    <Nullable>annotations</Nullable>
   </PropertyGroup>
   <ItemGroup Condition="'$(TargetFramework)' == '$(DefaultNetCoreTargetFramework)'">
     <Compile Include="Microsoft.AspNetCore.Antiforgery.netcoreapp.cs" />

src/Antiforgery/ref/Microsoft.AspNetCore.Antiforgery.netcoreapp.cs

@@ -9,21 +9,21 @@ public partial class AntiforgeryOptions
         public AntiforgeryOptions() { }
         public Microsoft.AspNetCore.Http.CookieBuilder Cookie { get { throw null; } set { } }
         public string FormFieldName { get { throw null; } set { } }
-        public string HeaderName { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
+        public string? HeaderName { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
         public bool SuppressXFrameOptionsHeader { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } [System.Runtime.CompilerServices.CompilerGeneratedAttribute] set { } }
     }
     public partial class AntiforgeryTokenSet
     {
-        public AntiforgeryTokenSet(string requestToken, string cookieToken, string formFieldName, string headerName) { }
-        public string CookieToken { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
+        public AntiforgeryTokenSet(string? requestToken, string? cookieToken, string formFieldName, string? headerName) { }
+        public string? CookieToken { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
         public string FormFieldName { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
-        public string HeaderName { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
-        public string RequestToken { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
+        public string? HeaderName { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
+        public string? RequestToken { [System.Runtime.CompilerServices.CompilerGeneratedAttribute] get { throw null; } }
     }
     public partial class AntiforgeryValidationException : System.Exception
     {
         public AntiforgeryValidationException(string message) { }
-        public AntiforgeryValidationException(string message, System.Exception innerException) { }
+        public AntiforgeryValidationException(string message, System.Exception? innerException) { }
     }
     public partial interface IAntiforgery
     {

src/Antiforgery/src/AntiforgeryOptions.cs

@@ -73,7 +73,7 @@ public string FormFieldName
         /// Specifies the name of the header value that is used by the antiforgery system. If <c>null</c> then
         /// antiforgery validation will only consider form data.
         /// </summary>
-        public string HeaderName { get; set; } = AntiforgeryTokenHeaderName;
+        public string? HeaderName { get; set; } = AntiforgeryTokenHeaderName;
 
         /// <summary>
         /// Specifies whether to suppress the generation of X-Frame-Options header

src/Antiforgery/src/AntiforgeryTokenSet.cs

@@ -18,10 +18,10 @@ public class AntiforgeryTokenSet
         /// <param name="formFieldName">The name of the form field used for the request token.</param>
         /// <param name="headerName">The name of the header used for the request token.</param>
         public AntiforgeryTokenSet(
-            string requestToken,
-            string cookieToken,
+            string? requestToken,
+            string? cookieToken,
             string formFieldName,
-            string headerName)
+            string? headerName)
         {
             if (formFieldName == null)
             {
@@ -37,7 +37,7 @@ public AntiforgeryTokenSet(
         /// <summary>
         /// Gets the request token.
         /// </summary>
-        public string RequestToken { get; }
+        public string? RequestToken { get; }
 
         /// <summary>
         /// Gets the name of the form field used for the request token.
@@ -47,11 +47,11 @@ public AntiforgeryTokenSet(
         /// <summary>
         /// Gets the name of the header used for the request token.
         /// </summary>
-        public string HeaderName { get; }
+        public string? HeaderName { get; }
 
         /// <summary>
         /// Gets the cookie token.
         /// </summary>
-        public string CookieToken { get; }
+        public string? CookieToken { get; }
     }
-}
+}

src/Antiforgery/src/AntiforgeryValidationException.cs

@@ -26,7 +26,7 @@ public AntiforgeryValidationException(string message)
         /// </summary>
         /// <param name="message">The message that describes the error.</param>
         /// <param name="innerException">The inner <see cref="Exception"/>.</param>
-        public AntiforgeryValidationException(string message, Exception innerException)
+        public AntiforgeryValidationException(string message, Exception? innerException)
             : base(message, innerException)
         {
         }

src/Antiforgery/src/Internal/AntiforgeryFeature.cs

@@ -10,23 +10,23 @@ internal class AntiforgeryFeature : IAntiforgeryFeature
     {
         public bool HaveDeserializedCookieToken { get; set; }
 
-        public AntiforgeryToken CookieToken { get; set; }
+        public AntiforgeryToken? CookieToken { get; set; }
 
         public bool HaveDeserializedRequestToken { get; set; }
 
-        public AntiforgeryToken RequestToken { get; set; }
+        public AntiforgeryToken? RequestToken { get; set; }
 
         public bool HaveGeneratedNewCookieToken { get; set; }
 
         // After HaveGeneratedNewCookieToken is true, remains null if CookieToken is valid.
-        public AntiforgeryToken NewCookieToken { get; set; }
+        public AntiforgeryToken? NewCookieToken { get; set; }
 
         // After HaveGeneratedNewCookieToken is true, remains null if CookieToken is valid.
-        public string NewCookieTokenString { get; set; }
+        public string? NewCookieTokenString { get; set; }
 
-        public AntiforgeryToken NewRequestToken { get; set; }
+        public AntiforgeryToken? NewRequestToken { get; set; }
 
-        public string NewRequestTokenString { get; set; }
+        public string? NewRequestTokenString { get; set; }
 
         // Always false if NewCookieToken is null. Never store null cookie token or re-store cookie token from request.
         public bool HaveStoredNewCookieToken { get; set; }

src/Antiforgery/src/Internal/AntiforgeryLoggerExtensions.cs

@@ -8,15 +8,15 @@ namespace Microsoft.AspNetCore.Antiforgery
 {
     internal static class AntiforgeryLoggerExtensions
     {
-        private static readonly Action<ILogger, Exception> _failedToDeserialzeTokens;
-        private static readonly Action<ILogger, string, Exception> _validationFailed;
-        private static readonly Action<ILogger, Exception> _validated;
-        private static readonly Action<ILogger, string, Exception> _missingCookieToken;
-        private static readonly Action<ILogger, string, string, Exception> _missingRequestToken;
-        private static readonly Action<ILogger, Exception> _newCookieToken;
-        private static readonly Action<ILogger, Exception> _reusedCookieToken;
-        private static readonly Action<ILogger, Exception> _tokenDeserializeException;
-        private static readonly Action<ILogger, Exception> _responseCacheHeadersOverridenToNoCache;
+        private static readonly Action<ILogger, Exception?> _failedToDeserialzeTokens;
+        private static readonly Action<ILogger, string, Exception?> _validationFailed;
+        private static readonly Action<ILogger, Exception?> _validated;
+        private static readonly Action<ILogger, string?, Exception?> _missingCookieToken;
+        private static readonly Action<ILogger, string, string?, Exception?> _missingRequestToken;
+        private static readonly Action<ILogger, Exception?> _newCookieToken;
+        private static readonly Action<ILogger, Exception?> _reusedCookieToken;
+        private static readonly Action<ILogger, Exception?> _tokenDeserializeException;
+        private static readonly Action<ILogger, Exception?> _responseCacheHeadersOverridenToNoCache;
 
         static AntiforgeryLoggerExtensions()
         {
@@ -28,11 +28,11 @@ static AntiforgeryLoggerExtensions()
                 LogLevel.Debug,
                 new EventId(2, "Validated"),
                 "Antiforgery successfully validated a request.");
-            _missingCookieToken = LoggerMessage.Define<string>(
+            _missingCookieToken = LoggerMessage.Define<string?>(
                 LogLevel.Warning,
                 new EventId(3, "MissingCookieToken"),
                 "The required antiforgery cookie '{CookieName}' is not present.");
-            _missingRequestToken = LoggerMessage.Define<string, string>(
+            _missingRequestToken = LoggerMessage.Define<string, string?>(
                 LogLevel.Warning,
                 new EventId(4, "MissingRequestToken"),
                 "The required antiforgery request token was not provided in either form field '{FormFieldName}' "
@@ -71,12 +71,12 @@ public static void ValidatedAntiforgeryToken(this ILogger logger)
             _validated(logger, null);
         }
 
-        public static void MissingCookieToken(this ILogger logger, string cookieName)
+        public static void MissingCookieToken(this ILogger logger, string? cookieName)
         {
             _missingCookieToken(logger, cookieName, null);
         }
 
-        public static void MissingRequestToken(this ILogger logger, string formFieldName, string headerName)
+        public static void MissingRequestToken(this ILogger logger, string formFieldName, string? headerName)
         {
             _missingRequestToken(logger, formFieldName, headerName, null);
         }

src/Antiforgery/src/Internal/AntiforgerySerializationContext.cs

@@ -23,11 +23,11 @@ internal class AntiforgerySerializationContext
         // Don't let _chars grow beyond 512k characters.
         private const int MaximumCharsLength = 0x80000;
 
-        private char[] _chars;
-        private MemoryStream _stream;
-        private BinaryReader _reader;
-        private BinaryWriter _writer;
-        private SHA256 _sha256;
+        private char[]? _chars;
+        private MemoryStream? _stream;
+        private BinaryReader? _reader;
+        private BinaryWriter? _writer;
+        private SHA256? _sha256;
 
         public MemoryStream Stream
         {
@@ -126,9 +126,9 @@ public void Reset()
             {
                 if (Stream.Capacity > MaximumStreamSize)
                 {
-                    Stream = null;
-                    Reader = null;
-                    Writer = null;
+                    _stream = null;
+                    _reader = null;
+                    _writer = null;
                 }
                 else
                 {

src/Antiforgery/src/Internal/AntiforgeryToken.cs

@@ -10,7 +10,7 @@ internal sealed class AntiforgeryToken
 
         private string _additionalData = string.Empty;
         private string _username = string.Empty;
-        private BinaryBlob _securityToken;
+        private BinaryBlob? _securityToken;
 
         public string AdditionalData
         {
@@ -21,11 +21,11 @@ public string AdditionalData
             }
         }
 
-        public BinaryBlob ClaimUid { get; set; }
+        public BinaryBlob? ClaimUid { get; set; }
 
         public bool IsCookieToken { get; set; }
 
-        public BinaryBlob SecurityToken
+        public BinaryBlob? SecurityToken
         {
             get
             {
@@ -41,7 +41,7 @@ public BinaryBlob SecurityToken
             }
         }
 
-        public string Username
+        public string? Username
         {
             get { return _username; }
             set