Skip to content

Remove Auth validation when Form File upload #42586

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
brunolins16 merged 2 commits into from
Jul 11, 2022
Merged

Remove Auth validation when Form File upload #42586

brunolins16 merged 2 commits into from
Jul 11, 2022

Conversation

@brunolins16
Copy link
Member

@brunolins16 brunolins16 commented Jul 5, 2022
edited
Loading

Today, a Minimal endpoint does not allow a Form File(s) upload when any kind of authentication is detected, and a request will fail for all the following scenarios:

  • A client certificate is present, or
  • A Authorization header is set, or
  • Has cookies

This behavior was initially decided since we do not have any kind of in-box antiforgery mechanism for Minimal APIs.

This PR is related to our decision the change it and remove all these validations (same behavior existing in API Controllers) and allow all Form File(s) requests as default.

In addition, the documentation will be improved to show how to manually add support for antiforgery scenarios using IAntiforgery services.

Closes #38630

@brunolins16 brunolins16 requested review from a team and blowdart July 5, 2022 22:03
@ghost ghost added the area-runtime label Jul 5, 2022
@blowdart
Copy link
Contributor

blowdart commented Jul 5, 2022

Please link to docs PR :)

davidfowl
davidfowl approved these changes Jul 6, 2022
View reviewed changes
Copy link
Member

@davidfowl davidfowl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, what @blowdart said 😄

This was referenced Jul 7, 2022
Closed
Merged
@brunolins16
Copy link
Member Author

brunolins16 commented Jul 11, 2022

Merging this PR and I have dotnet/AspNetCore.Docs#26386 in review for documentation changes.

@brunolins16 brunolins16 merged commit 788711e into dotnet:main Jul 11, 2022
@ghost ghost added this to the 7.0-preview7 milestone Jul 11, 2022
@martincostello martincostello mentioned this pull request Jul 19, 2022
Merged
@brunolins16 brunolins16 deleted the brunolins16/issues/38630 branch August 2, 2022 20:46
@adityamandaleeka adityamandaleeka added the blog-candidate Consider mentioning this in the release blog post label Aug 4, 2022
@ghost
Copy link

ghost commented Aug 4, 2022

@brunolins16, this change will be considered for inclusion in the blog post for the release it'll ship in. Nice work!

Please ensure that the original comment in this thread contains a clear explanation of what the change does, why it's important (what problem does it solve?), and, if relevant, include things like code samples and/or performance numbers.

This content may not be exactly what goes into the blog post, but it will help the team putting together the announcement.

Thanks!

@amcasey amcasey added area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions and removed area-runtime labels Aug 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@davidfowl davidfowl davidfowl approved these changes

@blowdart blowdart Awaiting requested review from blowdart

@Tratcher Tratcher Awaiting requested review from Tratcher

@BrennanConroy BrennanConroy Awaiting requested review from BrennanConroy BrennanConroy is a code owner

@halter73 halter73 Awaiting requested review from halter73 halter73 is a code owner

Assignees

No one assigned

Labels

area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions blog-candidate Consider mentioning this in the release blog post

Projects

None yet

Milestone

7.0-preview7

Development

Successfully merging this pull request may close these issues.

Add antiforgery (anti-csrf) support to minimal endpoints

5 participants

@brunolins16 @blowdart @davidfowl @adityamandaleeka @amcasey