Merge pull request #35 from episerver/bugfix/MAR-1630-missing-antifor…

…gery-token-on-setting-page Add antiforgery token to verify Save setting api
episerver · Jul 25, 2023 · 1eae972 · 1eae972
2 parents 65c0f9d + cb2ac9e
commit 1eae972
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 8 deletions.
diff --git a/samples/QuickSilver/DependencyVersions.props b/samples/QuickSilver/DependencyVersions.props
@@ -1,8 +1,7 @@
 <Project>
+  <Import Project="../../build/DependencyVersions.props" />
   <PropertyGroup>
     <DependencyVersions_props>true</DependencyVersions_props>
-    <CmsCoreVersionCommon>12.4.0</CmsCoreVersionCommon>
-    <CmsUiVersionCommon>12.4.0</CmsUiVersionCommon>
     <EPiServerAzureVersion>11.0.1</EPiServerAzureVersion>
     <EPiServerTrackingCoreVersion>2.0.1</EPiServerTrackingCoreVersion>
     <EPiServerPersonalizationCommonVersion>4.0.2</EPiServerPersonalizationCommonVersion>

diff --git a/src/EPiServer.Marketing.Testing.Web/ClientResources/Config/src/index.tsx b/src/EPiServer.Marketing.Testing.Web/ClientResources/Config/src/index.tsx
@@ -1,5 +1,18 @@
 import React from "react";
 import ReactDOM from "react-dom";
 import App from "./App";
+import axios from "axios";
+
+const root = document.getElementById("root") as HTMLElement;
+const antiforgeryHeaderName: string = root.dataset.epiAntiforgeryHeaderName as string;
+const antiforgeryFormFieldName: string = root.dataset.epiAntiforgeryFormFieldName as string;
+const xsrfToken = document.getElementsByName(
+    antiforgeryFormFieldName
+)[0] as HTMLInputElement;
+const xsrfHeader = {
+    ...axios.defaults.headers,
+    [antiforgeryHeaderName]: xsrfToken.value,
+};
+axios.defaults.headers = xsrfHeader;
 
 ReactDOM.render(<App />, document.getElementById("root"));
diff --git a/src/EPiServer.Marketing.Testing.Web/Controllers/SettingController.cs b/src/EPiServer.Marketing.Testing.Web/Controllers/SettingController.cs
@@ -1,28 +1,38 @@
 using EPiServer.Framework.Localization;
 using EPiServer.Logging;
 using EPiServer.Marketing.Testing.Web.Config;
+using EPiServer.Marketing.Testing.Web.Models;
 using EPiServer.Marketing.Testing.Web.Models.Settings;
 using EPiServer.Shell.Web.Mvc;
+using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
-using System;
+using Microsoft.Extensions.Options;
 using System.Collections.Generic;
-using System.Linq;
-using System.Text.RegularExpressions;
 
 namespace EPiServer.Marketing.Testing.Web.Controllers
 {
     [Authorize(Roles = "Administrators, CmsAdmins")]
     public class SettingController : Controller
     {
         private readonly ILogger _logger;
-        public SettingController()
+        private readonly AntiforgeryOptions _antiforgeryOptions;
+        public SettingController(IOptions<AntiforgeryOptions> antiforgeryOptions)
         {
             _logger = LogManager.GetLogger();
+            _antiforgeryOptions = antiforgeryOptions.Value;
         }
 
         [HttpGet]
-        public ActionResult Index() => View();
+        public ActionResult Index() 
+        {
+            var viewModel = new DefaultViewModel
+            {
+                AntiforgeryOptions = _antiforgeryOptions
+            };
+
+            return View(viewModel);
+        }
 
         [HttpGet]
         public IActionResult Get()
@@ -55,6 +65,7 @@ public IActionResult Get()
         }
 
         [HttpPost]
+        [ValidateAntiForgeryReleaseToken]
         public IActionResult Save([FromBody] SettingsRequest request)
         {
             if (request.ParticipationPercent < 1 || request.ParticipationPercent > 100)

diff --git a/...Server.Marketing.Testing.Web/EPiServer.Marketing.Testing.Views/Views/Setting/Index.cshtml b/...Server.Marketing.Testing.Web/EPiServer.Marketing.Testing.Views/Views/Setting/Index.cshtml
@@ -1,3 +1,4 @@
+@model EPiServer.Marketing.Testing.Web.Models.DefaultViewModel
 @using EPiServer.Framework.Web.Resources
 @using EPiServer.Shell.Navigation
 
@@ -26,9 +27,14 @@
     </style>
 </head>
 <body>
+    @Html.AntiForgeryToken()
     @Html.Raw(Html.CreatePlatformNavigationMenu())
     <noscript>You need to enable JavaScript to run this app.</noscript>
-    <div id="root" @Html.Raw(Html.ApplyPlatformNavigation()) style="z-index:auto;" data-module-shell-path="@EPiServer.Shell.Paths.ToResource("EPiServer.Marketing.Testing", "")"></div>
+    <div id="root" @Html.Raw(Html.ApplyPlatformNavigation()) style="z-index:auto;" 
+        data-module-shell-path="@EPiServer.Shell.Paths.ToResource("EPiServer.Marketing.Testing", "")"
+        data-epi-antiforgery-header-name="@Model.AntiforgeryOptions.HeaderName"
+        data-epi-antiforgery-form-field-name="@Model.AntiforgeryOptions.FormFieldName">
+    </div>
     @ClientResources.RenderResources("ABTestingConfig", new[] { ClientResourceType.Script })
 </body>
 </html>
diff --git a/src/EPiServer.Marketing.Testing.Web/Models/DefaultViewModel.cs b/src/EPiServer.Marketing.Testing.Web/Models/DefaultViewModel.cs
@@ -0,0 +1,9 @@
+using Microsoft.AspNetCore.Antiforgery;
+
+namespace EPiServer.Marketing.Testing.Web.Models
+{
+    public class DefaultViewModel
+    {
+        public AntiforgeryOptions AntiforgeryOptions { get; set; }
+    }
+}