Customize antiforgery failure response

iKingNinja 100

I want to customize the response received by the client when CSRF token validation fails. I was looking at ASP.NET Core's source code and found the middleware I think is supposed to handle CSRF token validation.

By looking at it I found that it sets an IAntiForgeryValidationFeature, so I created a custom middleware to check if the feature is set and if it contains an error.

public class CustomAntiForgeryValidationResponseMiddleware(RequestDelegate next)
{
    public async Task InvokeAsync(HttpContext context)
    {
        IAntiforgeryValidationFeature? antiforgeryValidation = context.Features.Get<IAntiforgeryValidationFeature>();
        if (antiforgeryValidation is not null && !antiforgeryValidation.IsValid)
        {
            context.Response.StatusCode = 403;
            await context.Response.WriteAsJsonAsync(new ProblemDetails()
            {
                Title = "Forbidden",
                Detail = "User is not allowed to perform this action",
                Status = 403,
                Extensions = new Dictionary<string, object?>()
                {
                    { "errors", new ApiError[] { new("Invalid or missing CSRF token") } }
                }
            });
        }
        await next(context);
    }
}

I then added it to the request pipeline in Program.cs before app.UseAuthentication():

app.UseMiddleware<CustomAntiForgeryValidationResponseMiddleware>();

app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();

app.Run();

However antiforgeryValidation is always null even when the endpoint requires a CSRF token.

What am I doing wrong?

SurferOnWww 3,286 Reputation points

2024-11-22T01:23:11.2333333+00:00

ASP.NET returns HTTP 400 Bad Request response when CSRF validation fails, as shown below. Browser will show appropriate message accordingly. What else do you need? Do you need to change 400 with 403?
iKingNinja 100 Reputation points

2024-11-22T05:58:59.3833333+00:00

Yes, exactly I don't want the default 400 response. I want a 403 with a custom ProblemDetails body. Anyway I solved the issue by using a custom ValidateAntiforgeryTokenAuthorizationFilter and posted the solution as an answer but for some reason this forum doesn't show it as it often does with my questions (oh actually now it's showing among the answers).
SurferOnWww 3,286 Reputation points

2024-11-22T06:41:22.4133333+00:00

IMO, 403 Forbidden is not appropriate as the result of invalid CSRF token validation since 403 means that a user is authenticated but not authorized.

Client error responses

But maybe you have your reason.
iKingNinja 100 Reputation points

2024-11-22T06:55:18.7533333+00:00

IMO 403 is more appropriate because the server understands the request but refuses to authorize it (https://datatracker.ietf.org/doc/html/rfc7231#section-6.5.3).

While according to RFC 7231 HTTP 400 could be suitable because a request forgery is deceptive, 403 seems to be more appropriate to me and the widely accepted solution.

2 answers

Bruce (SqlWork.com) 67,406 Reputation points

2024-11-21T17:10:04.0966667+00:00

your middleware is checking the results before the antiforgery middleware runs. make it the last middleware, or check after calling Next();
note: I'm not sure controller continue processing the pipeline on an antiforgery validation error. so your middleware may not be called on error. if so, have it first and check after next call.
Please sign in to rate this answer.
iKingNinja 100 Reputation points

2024-11-21T17:17:03.8933333+00:00

I moved app.UseMiddleware<CustomAntiForgeryValidationResponseMiddleware>(); after app.UseAuthorization(); but nothing changed. Also doesn't calling next(); send the request to the next middleware/handler thus ending the current middleware execution?

Bruce (SqlWork.com) 67,406 Reputation points

2024-11-21T17:52:51.3333333+00:00

you can add code after calling next(). this code will then run after other pipeline middleware runs. handle if you want to post process rather than preprocess.

iKingNinja 100 Reputation points

2024-11-21T18:24:38+00:00

public async Task InvokeAsync(HttpContext context) { await next(context); IAntiforgeryValidationFeature? antiforgeryValidation = context.Features.Get<IAntiforgeryValidationFeature>(); if (antiforgeryValidation is not null && !antiforgeryValidation.IsValid) { context.Response.StatusCode = 403; await context.Response.WriteAsJsonAsync(new ProblemDetails() { Title = "Forbidden", Detail = "User is not allowed to perform this action", Status = 403, Extensions = new Dictionary<string, object?>() { { "errors", new ApiError[] { new("Invalid or missing CSRF token") } } } }); } }

It's not making any difference. I'm having a hard time understanding where the antiforgery middleware is placed. When I put a breakpoint on app.Run() and expand app.Middleware i don't see any antiforgery middleware (my custom middleware is present).

Bruce (SqlWork.com) 67,406 Reputation points

2024-11-21T18:57:51.0866667+00:00

the antiforgery middleware is an injected service called by other middleware. you can manually add to the pipeline via:

.UseAntiforgery()

iKingNinja 100 Reputation points

2024-11-21T18:59:35.1766667+00:00

I did that but while after calling next(context) i can see the response generated by antiforgery, the IAntiforgeryValidationFeature is not added.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
iKingNinja 100 Reputation points

2024-11-21T21:39:46.24+00:00

Turns out the AntiforgeryMiddleware is not being invoked at all (probably because I am not using minimal APIs but rather MVC). I managed to fix this by creating a custom attribute and filter as the framework does and then globally registering the attribute.

AutoValidateAntiforgeryTokenAttribute.cs

AutoValidateAntiforgeryTokenAuthorizationFilter.cs
Please sign in to rate this answer.
Bruce (SqlWork.com) 67,406 Reputation points

2024-11-22T02:58:02.89+00:00

for MVC you need to add the validation attribute to the action, and add the token in the form:

https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-8.0

note: it not clear why you want to return json from a form post. if it is an AJAX POST, then you will need to include the cookie for antiforgery to work.

iKingNinja 100 Reputation points

2024-11-22T18:19:03.9866667+00:00

Globally adding a AutoValidateAntiforgeryTokenAttribute as a filter in AddControllersWithViews() would return the default BadRequestResult.

I want to return JSON because it's not a form post, it's a web API.

Bruce (SqlWork.com) 67,406 Reputation points

2024-11-22T22:04:37.48+00:00

normally you would not use antiforgery with webapi. as it requires a form get to get the cookie and hidden field value (which would need to be parsed from the get response html), before calling form post.

iKingNinja 100 Reputation points

2024-11-23T00:08:19.03+00:00

A malicious website can exploit an API which doesn't enforce antiforgery and my API uses cookie authentication. Otherwise I misunderstood what you meant.

Bruce (SqlWork.com) 67,406 Reputation points

2024-11-23T01:03:13.2966667+00:00

if its javascript on the page making call, then you should be ok. you will need to add the cookie to the javascript call.

iKingNinja 100 Reputation points

2024-11-23T09:32:30.4633333+00:00

What I meant is that an API endpoint accepting unsafe methods can be exploited by a form setting the action attribute to it as it uses a SameSite=Lax cookie for authentication.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Customize antiforgery failure response

2 answers

Your answer