feat: implement anti-forgery token handling in API and frontend

Author: ChaosEngine

.github/workflows/codeql-analysis.yml

@@ -43,7 +43,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
+      uses: github/codeql-action/autobuild@v4
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4

src/IdentityManager2/Api/Controllers/RolesController.cs

@@ -68,6 +68,7 @@ public async Task<IActionResult> GetRolesAsync(string filter = null, int start =
 
         // POST 
         [HttpPost, Route("", Name = IdentityManagerConstants.RouteNames.CreateRole)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> CreateRoleAsync([FromBody] PropertyValue[] properties)
         {
             var meta = await GetMetadataAsync();
@@ -140,6 +141,7 @@ public async Task<IActionResult> GetRoleAsync(string subject)
         }
 
         [HttpDelete, Route("{subject}", Name = IdentityManagerConstants.RouteNames.DeleteRole)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> DeleteRoleAsync(string subject)
         {
             var meta = await GetMetadataAsync();
@@ -163,6 +165,7 @@ public async Task<IActionResult> DeleteRoleAsync(string subject)
         }
 
         [HttpPut, Route("{subject}/properties/{type}", Name = IdentityManagerConstants.RouteNames.UpdateRoleProperty)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> SetPropertyAsync(string subject, string type)
         {
             if (IsNullOrWhiteSpace(subject))

src/IdentityManager2/Api/Controllers/UsersController.cs

@@ -55,6 +55,7 @@ public async Task<IActionResult> GetUsersAsync(string filter = null, int start =
         }
 
         [HttpPost("", Name = IdentityManagerConstants.RouteNames.CreateUser)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> CreateUserAsync([FromBody] PropertyValue[] properties)
         {
             var meta = await GetMetadataAsync();
@@ -135,6 +136,7 @@ public async Task<IActionResult> GetUserAsync(string subject)
         }
 
         [HttpDelete, Route("{subject}", Name = IdentityManagerConstants.RouteNames.DeleteUser)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> DeleteUserAsync(string subject)
         {
             var meta = await GetMetadataAsync();
@@ -164,6 +166,7 @@ public async Task<IActionResult> DeleteUserAsync(string subject)
         }
 
         [HttpPut, Route("{subject}/properties/{type}", Name = IdentityManagerConstants.RouteNames.UpdateUserProperty)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> SetPropertyAsync(string subject, string type)
         {
             if (IsNullOrWhiteSpace(subject))
@@ -194,6 +197,7 @@ public async Task<IActionResult> SetPropertyAsync(string subject, string type)
         }
 
         [HttpPost, Route("{subject}/claims", Name = IdentityManagerConstants.RouteNames.AddClaim)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> AddClaimAsync(string subject, [FromBody] ClaimValue model)
         {
             var meta = await GetMetadataAsync();
@@ -229,6 +233,7 @@ public async Task<IActionResult> AddClaimAsync(string subject, [FromBody] ClaimV
         }
 
         [HttpDelete, Route("{subject}/claims/{type}/{value}", Name = IdentityManagerConstants.RouteNames.RemoveClaim)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> RemoveClaimAsync(string subject, string type, string value)
         {
             type = type.FromBase64UrlEncoded();
@@ -257,6 +262,7 @@ public async Task<IActionResult> RemoveClaimAsync(string subject, string type, s
         }
 
         [HttpPost, Route("{subject}/roles/{role}", Name = IdentityManagerConstants.RouteNames.AddRole)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> AddRoleAsync(string subject, string role)
         {
             var meta = await GetMetadataAsync();
@@ -282,6 +288,7 @@ public async Task<IActionResult> AddRoleAsync(string subject, string role)
         }
 
         [HttpDelete, Route("{subject}/roles/{role}", Name = IdentityManagerConstants.RouteNames.RemoveRole)]
+		[ValidateAntiForgeryToken]
         public async Task<IActionResult> RemoveRoleAsync(string subject, string role)
         {
             var meta = await GetMetadataAsync();

src/IdentityManager2/Areas/IdentityManager/Pages/Index.cshtml

@@ -13,6 +13,7 @@
     <link rel="shortcut icon" type="image/x-icon" href="@Model.PathBase/assets/Content.favicon.ico" />
 </head>
 <body lang="en" ng-app="ttIdmApp" ng-csp ng-controller="LayoutCtrl" ng-cloak>
+    @Html.AntiForgeryToken()
 
     <div ng-include="'@Model.PathBase/assets/Templates.navbar.html'"></div>
 

src/IdentityManager2/Assets/Scripts/App/ttIdm.js

@@ -11,6 +11,25 @@
             return {
                 'request': function(config) {
                     idmErrorService.clear();
+                    
+                    // Add anti-forgery token for non-GET requests
+                    if (config.method && config.method !== 'GET') {
+                        try {
+                            const rvt = document.querySelector('input[name="__RequestVerificationToken"]');
+                            if (rvt) {
+                                const token = rvt.value;
+                                if (token) {
+                                    if (!config.headers) {
+                                        config.headers = {};
+                                    }
+                                    config.headers.RequestVerificationToken = token;
+                                }
+                            }
+                        } catch (e) {
+                            console.error("Failed to extract antiforgery token:", e);
+                        }
+                    }
+                    
                     return config;
                 },
                 'responseError': function(response) {

src/IdentityManager2/Assets/Scripts/Bundle.js

@@ -19,6 +19,14 @@ public static IIdentityManagerBuilder AddIdentityManager(this IServiceCollection
             var identityManagerOptions = services.BuildServiceProvider().GetRequiredService<IOptions<IdentityManagerOptions>>().Value;
             identityManagerOptions.Validate();
 
+            services.AddAntiforgery(options =>
+            {
+                // options.HeaderName = "X-XSRF-TOKEN";
+                // options.Cookie.Name = "XSRF-TOKEN";
+                options.Cookie.HttpOnly = false;
+                options.Cookie.SameSite = SameSiteMode.Strict;
+            });
+
             services.AddControllersWithViews()
             .AddJsonOptions(static options =>
             {