Antiforgery example

[dharmatech]

Introduction

I finally added antiforgery protection to mvc-movie-giraffe.

I hadn't seen any examples of antiforgery with Giraffe yet so I thought I'd post here on how it can be setup.

Below I describe how it was setup for the form that is used to create new movie entries.

Setup

In configureServices, add the following line:

services.AddAntiforgery() |> ignore

Now it's available as a "service" that we can pull into various functions.

GET handler for create

In our create_handler, we'll pull in this service:

let antiforgery = ctx.RequestServices.GetService(typeof<Microsoft.AspNetCore.Antiforgery.IAntiforgery>) :?> Microsoft.AspNetCore.Antiforgery.IAntiforgery

Get and store the tokens (as well as hold on to the token set):

let token_set = antiforgery.GetAndStoreTokens(ctx)

We'll pass the request token to the view so that it can use it in the form:

let view = Views.create token_set.RequestToken

The entire create_handler:

let create_handler : HttpHandler =
    fun  (next : HttpFunc) (ctx : HttpContext) ->

        let antiforgery = ctx.RequestServices.GetService(typeof<Microsoft.AspNetCore.Antiforgery.IAntiforgery>) :?> Microsoft.AspNetCore.Antiforgery.IAntiforgery
        
        let token_set = antiforgery.GetAndStoreTokens(ctx)

        let view = Views.create token_set.RequestToken

        htmlView view next ctx

The view

OK, so now the create view accepts the request token:

let create (request_token : string) =

and uses it here:

input [ 
    _name "__RequestVerificationToken"
    _type "hidden"
    _value request_token
]

When the form is submitted, the handler for the POST call will get invoked. Let's update that to check the request token.

POST handler for create

We pull in the antiforgery service:

let antiforgery = ctx.RequestServices.GetService(typeof<Microsoft.AspNetCore.Antiforgery.IAntiforgery>) :?> Microsoft.AspNetCore.Antiforgery.IAntiforgery

We check to see if the request token is valid:

if Async.RunSynchronously(Async.AwaitTask(antiforgery.IsRequestValidAsync(ctx))) then

If it is, we continue on to add the movie. Otherwise, we return a 400 (bad request).

The entire handler is here.

[baronfel]

Sounds about right to me. Also check out Saturn's implementation, the big difference there is a helper function for creating a form with the hidden input created for you.

[TheAngryByrd]

Super minor but you shouldn't use Async.RunSynchronously in your handler. Yeah it's sucks there's no if! yet to be able to bind a task.

let! isRequestValid = Async.AwaitTask(antiforgery.IsRequestValidAsync(ctx))
if isRequestValid then
  ...
else
  ...

If you still want to keep it in line you can use match!:

match! Async.AwaitTask(antiforgery.IsRequestValidAsync(ctx)) with
| true -> ...
| false -> ...

[dharmatech]

I'm new to F# so I appreciate suggestions like this. Thanks @TheAngryByrd !

I've updated the code to use the let! approach.

[64J0]

This seems a good candidate to be added to the samples/ folder at this repository!