UpendoVentures/generator-upendodnn

Missing Request AntiForgery Token

Closed this issue · 0 comments

Sponsorship

If this request requires additional support (e.g., direct email/phone/meeting/development), I have the following interest in helping to sponsor the effort via GitHub Sponsors:

  • None, please continue to work for me for free :P
  • Absolutely, I get value out of this!
  • Maybe later
  • I'm already a sponsor... Woot!

Describe the bug

The Request AntiForgery Token is not available when making an API call to a controller from the SPA. Apparently, DNN only outputs the Token for Admins or if the search box is present in the skin. For a non-Admin user on a page without a search box, the Token isn't present, and thus any AJAX calls to a controller that uses [ValidateAntiForgeryToken] will fail as 404 - unauthorized.

Note: I only tested this with the Vue 3 Template, but I assume it would be an issue on other templates as well.

Software Versions

  • DNN: 09.13.02
  • Vue 3 Generator Template

To Reproduce

Steps to reproduce the behavior:

  1. Generate a Vue 3 module using the generator.
  2. Place it on a page with a skin that doesn't have a search box.
  3. Access the page when not logged in.
  4. Attempt to access an API call that has the [ValidateAntiForgeryToken] attribute.
  5. DevTools shows no RequestVerificationToken is present.

Expected behavior

The Token should be present client side and sent with the API call.

Actual behavior

The Token is not available client side.

Solution

The solution is to force DNN to create the Token. I have only tested this for the Vue 3 template, but adding
data-anti-forgery-token="[AntiForgeryToken:true]" to the app div solves the issue. So for the Vue 3 template, the view.html file in the root folder of the module can be modified to:

<div id="Items-[ModuleContext:ModuleId]">
    <div id="app-[ModuleContext:ModuleId]"
         class="appModule"
         data-moduleid="[ModuleContext:ModuleId]"
         data-tabid="[ModuleContext:TabId]"
         data-editmode="[ModuleContext:EditMode]"
         data-anti-forgery-token="[AntiForgeryToken:true]"
         data-apibaseurl=""></div>
</div>

Additional context

See discussion: https://stackoverflow.com/questions/53206077/dnn-spa-module-with-webapi-works-for-administrators-but-not-for-registered-users
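The client-side half of the fix, as an added example that is not part of this issue or of the generator-upendodnn templates: once view.html forces DNN to render the anti-forgery token, the SPA still has to read it from the page and send it with every call to a [ValidateAntiForgeryToken]-protected controller. The example assumes that DNN renders the token as a hidden input named __RequestVerificationToken (the element DNN's own ServicesFramework reads) and that the controller expects the DNN services-framework headers RequestVerificationToken, ModuleId and TabId; the API path and the fake DOM used at the bottom are constructed for illustration. It reports a missing token as an explicit client-side error rather than letting the request fail with the unhelpful server response described above.

```javascript
// Added example (not code from the issue or from generator-upendodnn): reading the
// DNN anti-forgery token rendered into a SPA module view and attaching it to a
// WebAPI call. Assumption: DNN renders <input name="__RequestVerificationToken">
// and the controller is protected with [ValidateAntiForgeryToken].

// Header names DNN's services framework sends to module WebAPI controllers.
const TOKEN_HEADER = "RequestVerificationToken";
const MODULE_ID_HEADER = "ModuleId";
const TAB_ID_HEADER = "TabId";

// Read the token from the rendered page. `root` is any node exposing querySelector
// (document in the browser; a stub below for offline use). Returns null when DNN
// did not render the token, which is the symptom reported in this issue for
// anonymous users on a skin without a search box.
function readAntiForgeryToken(root) {
  const input = root.querySelector('input[name="__RequestVerificationToken"]');
  if (!input) return null;
  const value = (input.value || "").trim();
  return value.length > 0 ? value : null;
}

// Build the headers DNN expects. Failing here turns a confusing server-side
// rejection into an error that names the actual cause: no token on the page.
function buildServiceHeaders({ moduleId, tabId, token }) {
  if (!token) {
    throw new Error(
      "Anti-forgery token missing: view.html must force DNN to render it ([AntiForgeryToken:true])"
    );
  }
  return {
    "Content-Type": "application/json",
    [MODULE_ID_HEADER]: String(moduleId),
    [TAB_ID_HEADER]: String(tabId),
    [TOKEN_HEADER]: token,
  };
}

// POST to the module's API. `fetchImpl` is injected (window.fetch in the browser)
// so the function can be exercised without a browser. The DNN auth cookie travels
// with the request; the token header is what binds the request to that session.
async function postToModuleApi(fetchImpl, url, body, context) {
  const headers = buildServiceHeaders(context);
  const response = await fetchImpl(url, {
    method: "POST",
    credentials: "same-origin",
    headers,
    body: JSON.stringify(body),
  });
  if (!response.ok) {
    throw new Error(`API call failed with HTTP ${response.status}`);
  }
  return response.json();
}

// Constructed stand-in for the DOM, mirroring what the fixed view.html renders.
// Pass undefined to simulate the unfixed page where DNN rendered no token.
function fakeRoot(tokenValue) {
  return {
    querySelector(selector) {
      if (selector !== 'input[name="__RequestVerificationToken"]' || tokenValue === undefined) {
        return null;
      }
      return { value: tokenValue };
    },
  };
}

// Browser usage (constructed values for the ids the view.html data-* attributes carry):
//   const app = document.querySelector(".appModule");
//   const token = readAntiForgeryToken(document);
//   postToModuleApi(window.fetch, "/DesktopModules/MyModule/API/Items", { name: "x" },
//     { moduleId: app.dataset.moduleid, tabId: app.dataset.tabid, token });
```

In the browser, pass `document` as the root and read moduleId/tabId from the data-moduleid and data-tabid attributes the generated view.html already emits; the same-origin credentials plus the token header are what make the call pass DNN's anti-forgery check for a logged-in user, and the early throw makes the "token never rendered" case visible in DevTools immediately.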