fix #2172 - File Upload issue caused by JS Interop not passing AntiForgery token in POST method

Shaun Walker 2022-05-04 17:14:45 -04:00
parent 577528fa0a
commit d3c40a7e8b
4 changed files with 9 additions and 4 deletions


@ -14,10 +14,12 @@ namespace Oqtane.Services
[PrivateApi("Don't show in the documentation, as everything should use the Interface")] [PrivateApi("Don't show in the documentation, as everything should use the Interface")]
public class FileService : ServiceBase, IFileService public class FileService : ServiceBase, IFileService
{ {
private readonly SiteState _siteState;
private readonly IJSRuntime _jsRuntime; private readonly IJSRuntime _jsRuntime;
public FileService(HttpClient http, SiteState siteState, IJSRuntime jsRuntime) : base(http, siteState) public FileService(HttpClient http, SiteState siteState, IJSRuntime jsRuntime) : base(http, siteState)
{ {
_siteState = siteState;
_jsRuntime = jsRuntime; _jsRuntime = jsRuntime;
} }
@ -80,7 +82,7 @@ namespace Oqtane.Services
string result = ""; string result = "";
var interop = new Interop(_jsRuntime); var interop = new Interop(_jsRuntime);
await interop.UploadFiles($"{Apiurl}/upload", folder, id); await interop.UploadFiles($"{Apiurl}/upload", folder, id, _siteState.AntiForgeryToken);
// uploading files is asynchronous so we need to wait for the upload to complete // uploading files is asynchronous so we need to wait for the upload to complete
bool success = false; bool success = false;
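Review bot: `_siteState.AntiForgeryToken` is handed to `interop.UploadFiles` without checking that it has a value, and the JavaScript side appends whatever it receives as the `__RequestVerificationToken` form field. SiteState is populated outside this hunk, so a null or empty token cannot be ruled out from here; in that case every chunk POST would presumably be rejected by the antiforgery filter, and the wait loop that follows would only learn of it indirectly. A guard before the call, e.g. `if (string.IsNullOrEmpty(_siteState.AntiForgeryToken)) { /* log and return a failure result */ }`, would make that failure explicit. The enclosing method starts and ends outside the hunk.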


@ -189,13 +189,13 @@ namespace Oqtane.UI
} }
} }
public Task UploadFiles(string posturl, string folder, string id) public Task UploadFiles(string posturl, string folder, string id, string antiforgerytoken)
{ {
try try
{ {
_jsRuntime.InvokeVoidAsync( _jsRuntime.InvokeVoidAsync(
"Oqtane.Interop.uploadFiles", "Oqtane.Interop.uploadFiles",
posturl, folder, id); posturl, folder, id, antiforgerytoken);
return Task.CompletedTask; return Task.CompletedTask;
} }
catch catch
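Review bot: The `ValueTask` returned by `_jsRuntime.InvokeVoidAsync(...)` is discarded and `Task.CompletedTask` is returned instead, so a failure of the JS call that now carries the antiforgery token is never observed by the caller. The surrounding `try`/`catch` can only see exceptions thrown synchronously while the call is being issued, not faults of the interop call itself. Returning the real task, `return _jsRuntime.InvokeVoidAsync("Oqtane.Interop.uploadFiles", posturl, folder, id, antiforgerytoken).AsTask();`, would let `await interop.UploadFiles(...)` surface those errors. The body of the `catch` lies outside the hunk, so how it reports failures cannot be confirmed here.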


@ -1,4 +1,5 @@
using System; using System;
using System.Diagnostics;
using System.Threading.Tasks; using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery; using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Http;
@ -38,6 +39,7 @@ namespace Oqtane.Security
catch catch
{ {
context.Result = new AntiforgeryValidationFailedResult(); context.Result = new AntiforgeryValidationFailedResult();
Debug.WriteLine($"Oqtane Error: AutoValidateAntiforgeryTokenFilter Failure on {context.HttpContext.Request.Path}");
} }
} }
} }
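Review bot: The added `Debug.WriteLine` in the catch block is compiled out of Release builds, so antiforgery validation failures leave no trace in production. They are a useful signal both for CSRF attempts and for regressions like the one this commit fixes. Logging through the application's logger at warning level, e.g. `_logger.LogWarning("Antiforgery validation failed for {Path}", context.HttpContext.Request.Path);`, would keep that signal and pass the client-controlled path as a structured value; this assumes an `ILogger` can be injected into the filter, which is not visible here. The bare `catch` also treats every exception as a validation failure; the `try` block is outside the hunk, but narrowing it to `AntiforgeryValidationException` would stop unrelated errors from being masked.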


@ -294,7 +294,7 @@ Oqtane.Interop = {
} }
return files; return files;
}, },
uploadFiles: function (posturl, folder, id) { uploadFiles: function (posturl, folder, id, antiforgerytoken) {
var fileinput = document.getElementById(id + 'FileInput'); var fileinput = document.getElementById(id + 'FileInput');
var files = fileinput.files; var files = fileinput.files;
var progressinfo = document.getElementById(id + 'ProgressInfo'); var progressinfo = document.getElementById(id + 'ProgressInfo');
@ -326,6 +326,7 @@ Oqtane.Interop = {
var FileName = file.name + ".part_" + PartCount.toString().padStart(3, '0') + "_" + TotalParts.toString().padStart(3, '0'); var FileName = file.name + ".part_" + PartCount.toString().padStart(3, '0') + "_" + TotalParts.toString().padStart(3, '0');
var data = new FormData(); var data = new FormData();
data.append('__RequestVerificationToken', antiforgerytoken);
data.append('folder', folder); data.append('folder', folder);
data.append('formfile', Chunk, FileName); data.append('formfile', Chunk, FileName);
var request = new XMLHttpRequest(); var request = new XMLHttpRequest();
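Review bot: The field name in `data.append('__RequestVerificationToken', antiforgerytoken);` is an undocumented magic string that has to match the form field name the server's antiforgery service reads. A comment above it, such as `// field name must match the server's AntiforgeryOptions.FormFieldName (ASP.NET Core default)`, would keep client and server from drifting apart if that option is ever customised. The body of `uploadFiles` continues outside both hunks, so how the request is sent and how a rejected chunk is reported cannot be checked from here.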