From 7e817a5808436b574f7f744ba82e8a35efc11df1 Mon Sep 17 00:00:00 2001
From: sbwalker
Date: Wed, 31 Jan 2024 07:33:52 -0500
Subject: [PATCH] resolve antiforgery issue
---
 Oqtane.Server/Components/App.razor | 6 +++++-
 .../Security/AutoValidateAntiforgeryTokenFilter.cs | 2 --
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/Oqtane.Server/Components/App.razor b/Oqtane.Server/Components/App.razor
index 0d0f69e3..e41c5d2e 100644
--- a/Oqtane.Server/Components/App.razor
+++ b/Oqtane.Server/Components/App.razor
@@ -1,6 +1,7 @@
 @namespace Oqtane.Components
 @using Microsoft.AspNetCore.Http
 @using Microsoft.AspNetCore.Http.Extensions
+@using Microsoft.AspNetCore.Antiforgery
 @using Oqtane.Client
 @using Oqtane.Client.Utilities
 @using Oqtane.Repository
@@ -11,6 +12,7 @@
 @using Oqtane.Themes
 @using System.Net
 @using Microsoft.AspNetCore.Localization
+@inject IAntiforgery Antiforgery;
 @inject IConfigManager ConfigManager;
 @inject ITenantManager TenantManager;
 @inject ILocalizationManager LocalizationManager;
@@ -42,7 +44,7 @@ @if (string.IsNullOrEmpty(_message)) { - +
@@ -67,6 +69,7 @@
 @code {
 private string _interactiveRenderMode = "InteractiveServer";
 private string _language = "en";
+ private string _antiForgeryToken = "";
 private string _remoteIPAddress = "";
 private string _headResources = "";
 private string _bodyResources = "";
@@ -81,6 +84,7 @@
 protected override void OnInitialized()
 {
+ _antiForgeryToken = Antiforgery.GetAndStoreTokens(Context).RequestToken;
 _remoteIPAddress = Context.Connection.RemoteIpAddress?.ToString() ?? "";
 // if framework is installed
diff --git a/Oqtane.Server/Security/AutoValidateAntiforgeryTokenFilter.cs b/Oqtane.Server/Security/AutoValidateAntiforgeryTokenFilter.cs
index 2740ed33..f6fb29cf 100644
--- a/Oqtane.Server/Security/AutoValidateAntiforgeryTokenFilter.cs
+++ b/Oqtane.Server/Security/AutoValidateAntiforgeryTokenFilter.cs
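Review bot: In the `OnInitialized` hunk of App.razor (`@@ -81,6 +84,7 @@`), `RequestToken` is a nullable string, so the new assignment can overwrite the `""` initialiser of `_antiForgeryToken` with null; the line below already guards its value, and the same guard fits here: `_antiForgeryToken = Antiforgery.GetAndStoreTokens(Context).RequestToken ?? "";`. `GetAndStoreTokens` also writes the antiforgery cookie to the response, so the call only works while the response has not started. A short comment would keep it from being moved later: `// must run during the initial HTTP render: GetAndStoreTokens also sets the antiforgery cookie on the response`. The markup that emits the token (hunk `@@ -42,7 +44,7 @@`) is not legible on this page and the body of `OnInitialized` continues outside the hunk, so how the value reaches the client could not be checked here.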
@@ -50,8 +50,6 @@ namespace Oqtane.Security
 protected virtual bool ShouldValidate(AuthorizationFilterContext context)
 {
- return false;
-
 // ignore antiforgery validation if a bearer token was provided
 if (context.HttpContext.Request.Headers.ContainsKey("Authorization"))
 {
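Review bot: Now that `ShouldValidate` is live again, its first check exempts any request that merely carries an `Authorization` header, whatever the scheme or value, while the comment says the exemption is for bearer tokens. What the branch returns lies outside the hunk, but if it skips validation as the comment suggests, the test should be tied to the scheme: `if (context.HttpContext.Request.Headers["Authorization"].ToString().StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))`. Better still, it could be tied to the request having actually been authenticated by the bearer scheme rather than by the cookie. The removed `return false;` had switched the filter off for every request. A regression test that sends a state-changing request without a token and expects a rejection would catch such a short-circuit before it ships again.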