AspNetCoreExperiments icon indicating copy to clipboard operation
AspNetCoreExperiments copied to clipboard
verified publisher icon damienbod

Can you use this.jSRuntime.InvokeAsync inside DelegatingHandler?

Open VictorioBerra opened this issue 2 years ago • 1 comments

I want to add a typed client here https://github.com/damienbod/AspNetCoreExperiments/blob/main/BlazorBffAzureADWithApi/Client/Program.cs#L25

But I cant because my clients must be created with IAntiforgeryHttpClientFactory so that IJSRuntime can work.

Would it work to use DelegatingHandler instead and that way any typed clients inherit that ability?

IE:

builder.Services
  .AddHttpClient("authorizedClient", client =>
  {
      client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress);
      client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
  })
  .AddTypedClient<IGitHubAPIClient>() // Will not pass antiforgery token!!! Must be created with IAntiforgeryHttpClientFactory!!! <---------
  .AddHttpMessageHandler<AuthorizedHandler>();

builder.Services.AddTransient(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("default"));
builder.Services.AddTransient<IAntiforgeryHttpClientFactory, AntiforgeryHttpClientFactory>();

VictorioBerra avatar Jul 08 '23 00:07 VictorioBerra

@VictorioBerra I would need to test this, don't know :)

FYI You could also use a HTTP custom header instead of anti-forgery tokens to protect against this threat as well. Validate this on the backend. (forces preflight requests)

Interested if you find a solution.

Greetings Damien

damienbod avatar Jul 10 '23 06:07 damienbod