fix antiforgery

leungkimming1 · leungkimming1 · commit 22b4c6652dc0 · 2022-05-19T23:51:02.000+08:00
diff --git a/API/Controllers/LoginController.cs b/API/Controllers/LoginController.cs
@@ -28,28 +28,36 @@ public LoginController(IConfiguration config,
     public async Task<IActionResult> Get() {
         JwtSecurityToken jwtToken;
         string token;
+        AuthResult authResult;
 
-        if (HttpContext.User.Identity.Name == "" || HttpContext.User.Identity.Name == null) {
+        if (HttpContext.User.Identity!.Name == "" || HttpContext.User.Identity.Name == null) {
             throw new InvalidUserException();
         }
 
         if (jwtUtil.ValidateToken(HttpContext.Request, out jwtToken, out token)) {
-            return Ok(new AuthResult() {
+            if (HttpContext.User.Identity.Name == jwtToken.Claims
+                .Where(c => c.Type == ClaimTypes.Name)
+                .Select(c => c.Value).SingleOrDefault()) {
+                Array.ForEach(jwtToken.Claims.Where(c => c.Type == ClaimTypes.Role)
+                    .ToArray(), c => ((ClaimsIdentity)HttpContext.User.Identity).AddClaim(c));
+            }
+            authResult = new AuthResult() {
                 Token = token,
                 Success = true,
                 RefreshToken = ""
-            });
+            };
+        } else {
+            List<Claim>? claims = _service.GetUserClaims(HttpContext.User.Identity.Name);
+
+            ClaimsIdentity claimsIdentity = (ClaimsIdentity)HttpContext.User.Identity;
+            Array.ForEach(claims.Where(c => c.Type == ClaimTypes.Role).ToArray(),
+                c => claimsIdentity.AddClaim(c));
+            authResult = jwtUtil.GenerateJwtToken(HttpContext.User.Identity.Name, claims);
         }
 
-        List<Claim>? claims = _service.GetUserClaims(HttpContext.User.Identity.Name);
-
-        ClaimsIdentity claimsIdentity = (ClaimsIdentity)HttpContext.User.Identity;
-        Array.ForEach(claims.Where(c => c.Type == ClaimTypes.Role).ToArray(),
-            c => claimsIdentity.AddClaim(c));
-
         AntiforgeryTokenSet? tokens = antiforgery.GetAndStoreTokens(HttpContext);
-        HttpContext.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { HttpOnly = false });
+        HttpContext.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken!, new CookieOptions() { HttpOnly = false });
 
-        return Ok(jwtUtil.GenerateJwtToken(HttpContext.User.Identity.Name, claims));
+        return Ok(authResult);
     }
 }
diff --git a/API/Controllers/SystemParameters/SystemParametersController.cs b/API/Controllers/SystemParameters/SystemParametersController.cs
@@ -7,6 +7,7 @@
 namespace API {
     [ApiController]
     [Route("systemparameters")]
+    [AutoValidateAntiforgeryToken]
     public class SystemParametersController : ControllerBase {
         private readonly SystemParametersService _service;
         private readonly ILogger<UserController> _logger;
@@ -27,7 +28,6 @@ public async Task<IActionResult> SearchAll([FromBody]SystemParametersSearchReque
         [HttpPost]
         [Route("addsystemparameter")]
         [AccessCodeAuthorize("SP02")]
-        [ValidateAntiForgeryToken]
         public async Task<IActionResult> AddSystemParameter([FromBody]AddSystemParameterRequest request) {
             AddDataResponse response;
             request.Refresh(HttpContext.User.Identity.Name,DateTime.Now);
@@ -37,7 +37,6 @@ public async Task<IActionResult> AddSystemParameter([FromBody]AddSystemParameter
         [HttpPost]
         [Route("editsystemparameter")]
         [AccessCodeAuthorize("SP03")]
-        [ValidateAntiForgeryToken]
         public async Task<IActionResult> EditSystemParameter([FromBody] EditSystemParameterRequest request) {
             EditDataResponse response;
             request.Refresh(HttpContext.User.Identity.Name, DateTime.Now);
@@ -47,7 +46,6 @@ public async Task<IActionResult> EditSystemParameter([FromBody] EditSystemParame
         [HttpGet]
         [Route("deletesystemparameter")]
         [AccessCodeAuthorize("SP04")]
-        [ValidateAntiForgeryToken]
         public async Task<IActionResult> DeleteSystemParameter([FromQuery] DeleteSystemParameterRequest request) {
             EditDataResponse response;
             response = await _service.DeleteSystemParameterAsync(request);
diff --git a/API/Controllers/UserController.cs b/API/Controllers/UserController.cs
@@ -8,6 +8,7 @@
 namespace API {
     [ApiController]
     [Route("users")]
+    [AutoValidateAntiforgeryToken]
     public class UserController : ControllerBase {
         private readonly UserService _service;
         private readonly ILogger<UserController> _logger;
@@ -40,7 +41,6 @@ public async Task<IActionResult> Get([FromBody] GetUserRequest request) {
 
         [HttpPost(Name = "AddNewUser")]
         [AccessCodeAuthorize("AB01")]
-        [ValidateAntiForgeryToken]
         public async Task<IActionResult> Add([FromBody] AddUserRequest request) {
             AddUserResponse response;
             request.Refresh(HttpContext.User.Identity.Name, DateTime.Now);
@@ -50,7 +50,6 @@ public async Task<IActionResult> Add([FromBody] AddUserRequest request) {
 
         [HttpPost("Addpayslip")]
         [AccessCodeAuthorize("AC01")]
-        [ValidateAntiForgeryToken]
         public async Task<IActionResult> AddPayslip([FromBody] AddPayslipRequest request) {
             AddPayslipResponse _response;
             request.Refresh(HttpContext.User.Identity.Name, DateTime.Now);
diff --git a/Client/wwwroot/index.html b/Client/wwwroot/index.html
@@ -25,15 +25,17 @@
     </div>
     <script src="_framework/blazor.webassembly.js"></script>
     <script>
-        function getCookie(cname) {
-            var decodedCookie = decodeURIComponent(document.cookie);
-            var ca = decodedCookie.split(';');
-            for (var i = 0; i < ca.length; i++) {
-                var arr = ca[i].split('=');
-                if (arr[0] == cname)
-                    return arr[1]
+        function getCookie(name) {
+            if (!document.cookie) {
+                return null;
             }
-            return "";
+            const xsrfCookies = document.cookie.split(';')
+                .map(c => c.trim())
+                .filter(c => c.startsWith(name + '='));
+            if (xsrfCookies.length === 0) {
+                return null;
+            }
+            return decodeURIComponent(xsrfCookies[0].split('=')[1]);
         }
     </script>
     <script src="_content/telerik.reportviewer.blazor/interop.js" defer></script>
