Reputation: 746
I'm looking to utilise an XSRF token with my .NET Core 2 API. I'm using a Vue.Js front-end.
I have the back-end configured correctly as instructed here: https://stackoverflow.com/a/44035774/2027404
Once logged in, I create a cookie called "XSRF-TOKEN", and I've written an interceptor in Vue to mimic what AngularJS does: it looks for the cookie and appends the XSRF token in a "X-XSRF-TOKEN" header to the controller route that is protected by an [AutoValidateAntiforgeryToken] attribute.
Below is an example trace of a Post request that is made after the cookie is persisted and login is completed:
POST /api/auth/Test HTTP/1.1
Host: localhost:5000
Connection: keep-alive
Content-Length: 0
Origin: http://localhost:5000
X-XSRF-TOKEN: CfDJ8Ku5qKiYnPBCmHLFQRR3pGmv482utwpDs1AssvvtQ1yf2eGgasNE4DOTdxivPLqv5e4TGuG800elYMFyJqTC7bzOfnY0HVCUD-Dw0pn-bkBZeN2GjBBvqMJ79Vcwun4khLe9qlzxyBTB0W1XEu_OJq0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36
Content-Type: application/json;charset=utf-8
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
Referer: http://localhost:5000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: XSRF-TOKEN=CfDJ8Ku5qKiYnPBCmHLFQRR3pGmv482utwpDs1AssvvtQ1yf2eGgasNE4DOTdxivPLqv5e4TGuG800elYMFyJqTC7bzOfnY0HVCUD-Dw0pn-bkBZeN2GjBBvqMJ79Vcwun4khLe9qlzxyBTB0W1XEu_OJq0
So the point really is to prove that not only is my cookie sent but I am including the header which is expected by my Startup.cs.
public void ConfigureServices(IServiceCollection services) {
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options => {
            options.TokenValidationParameters = new TokenValidationParameters {
                ValidateIssuer = true,
                ValidIssuer = Configuration["JWT:Issuer"],
                ValidateAudience = true,
                ValidAudience = Configuration["JWT:Audience"],
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["JWT:SecretKey"])),
                ValidateLifetime = true
            };
        });
    services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");
    services.AddMvc();
}
My controller method is then as follows:
[HttpPost ("[action]")]
//[Authorize]
[AutoValidateAntiforgeryToken]
public IActionResult Test () {
    return Ok ("Working fine!");
}
I'm definitely not doing anything stupid like pointing at the wrong route. If I disable AVAT and use Authorize instead with JWT (I'm aiming to eventually utilise both JWT & XSRF together to go with the double cookie method for security), I can get a 200 response providing I provide a valid Authentication Bearer token in my request header...
Any ideas as to why this out-of-the-box functionality isn't playing ball? It always returns 400...
I could show more source code, but the proof is in the pudding within the request trace... all the data that should be required is there.
Thanks
Upvotes: 0
Views: 3071
Reputation: 746
Problem solved.
Ensure you use the IAntiforgery.GetAndStoreTokens(HttpContext) method, which not only gives you your XSRF token but, most importantly, also stores the AspNetCore.Antiforgery cookie that .NET Core expects by default with this form of authentication.
I was using IAntiforgery.GetTokens(HttpContext) only, as in the linked Stack Overflow post above, and while it was allowing me to fetch my XSRF token and append it to my header, I was missing the antiforgery cookie.
Upvotes: 1
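The fix the answer describes, written out as an added example (this is not the asker's code): a hypothetical login action that calls GetAndStoreTokens so the framework's own HttpOnly antiforgery cookie is issued, then exposes the request token in a script-readable XSRF-TOKEN cookie for the Vue interceptor. The route names and cookie options are assumptions.

```csharp
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller for illustration; route names are assumed.
[Route("api/[controller]")]
public class AuthController : Controller
{
    private readonly IAntiforgery _antiforgery;

    public AuthController(IAntiforgery antiforgery)
    {
        _antiforgery = antiforgery;
    }

    // Called once the user has authenticated (JWT issuance is assumed and elided).
    [HttpPost("login")]
    public IActionResult Login()
    {
        // GetAndStoreTokens does two things:
        //  1. returns the token pair (RequestToken + CookieToken), and
        //  2. writes the HttpOnly ".AspNetCore.Antiforgery.*" cookie to the response.
        // GetTokens only does (1), so the framework-side cookie never reaches the
        // browser and every [AutoValidateAntiforgeryToken] POST is rejected with 400,
        // even though the X-XSRF-TOKEN header and XSRF-TOKEN cookie are present.
        AntiforgeryTokenSet tokens = _antiforgery.GetAndStoreTokens(HttpContext);

        // Second half of the double-submit pattern: expose the request token in a
        // cookie the front-end script can read and copy into the X-XSRF-TOKEN header
        // (the name configured via options.HeaderName in Startup.cs).
        Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions
        {
            HttpOnly = false,             // must be readable by the Vue interceptor
            Secure = true,                // HTTPS only; drop for plain-http localhost testing
            SameSite = SameSiteMode.Strict
        });

        return Ok();
    }

    // Validation succeeds only when the HttpOnly antiforgery cookie and the
    // X-XSRF-TOKEN header carry a matching token pair.
    [HttpPost("[action]")]
    [AutoValidateAntiforgeryToken]
    public IActionResult Test() => Ok("Working fine!");
}
```

After a successful login the response should set two cookies, the HttpOnly .AspNetCore.Antiforgery.* cookie and the readable XSRF-TOKEN cookie; if only the latter appears in the browser's cookie store, the server is still calling GetTokens rather than GetAndStoreTokens.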