Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Missing Request AntiForgery Token #316

Closed
1 of 4 tasks
BillyShelton opened this issue May 1, 2024 · 0 comments
Closed
1 of 4 tasks

Missing Request AntiForgery Token #316

BillyShelton opened this issue May 1, 2024 · 0 comments
Labels
bug Something isn't working
Milestone
01.13.01

Comments

@BillyShelton
Copy link

Sponsorship

If this request requires additional support (e.g., such as direct email/phone/meeting/development), I have the following interest in helping to sponsor the effort via GitHub Sponsors:

  • None, please continue to work for me for free :P
  • Absolutely, I get value out of this!
  • Maybe later
  • I'm already a sponsor... Woot!

Describe the bug

The Request AntiForgery Token is not available when making an API call to a controller from the SPA. Apparently, DNN only outputs the Token for Admins or if the search box is present in the skin. For a non-Admin user on a page without a search box, the Token isn't present and thus any AJAX calls to a controller that uses [ValidateAntiForgeryToken] will fail as 404 - unauthorized.
Note: I only tested this with the Vue 3 Template, but I assume it would be an issue on other templates as well.

Software Versions

  • DNN: 09.13.02
  • Vue 3 Generator Template

To Reproduce

Steps to reproduce the behavior:

  1. Generate a Vue 3 module using the generator.
  2. Place it on a page with a skin that doesn't have a search box.
  3. Access the page when not logged in.
  4. Attempt to access an API call that has the [ValidateAntiForgeryToken] attribute.
  5. DevTools shows no RequestVerificationToken is present.

Expected behavior

The Token should be present client side and sent with the API call.

Actual behavior

The Token is not available client side.

Solution

The solution is to force DNN To create the Token. I have only tested this for the Vue 3 template, but adding
data-anti-forgery-token="[AntiForgeryToken:true]" to the app div solves the issue. So for the Vue 3 template, the view.html file in the root folder of the module can be modified to:

<div id="Items-[ModuleContext:ModuleId]">
    <div id="app-[ModuleContext:ModuleId]"
         class="appModule"
         data-moduleid="[ModuleContext:ModuleId]"
         data-tabid="[ModuleContext:TabId]"
         data-editmode="[ModuleContext:EditMode]"
         data-anti-forgery-token="[AntiForgeryToken:true]" 
         data-apibaseurl=""></div>
</div>

Additional context

see discussion https://stackoverflow.com/questions/53206077/dnn-spa-module-with-webapi-works-for-administrators-but-not-for-registered-users
@WillStrohl WillStrohl added the bug Something isn't working label Nov 14, 2024
@WillStrohl WillStrohl added this to the 01.13.01 milestone Nov 14, 2024
@alejoroman0605 alejoroman0605 mentioned this issue Nov 15, 2024
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
01.13.01
Development

No branches or pull requests
2 participants
@WillStrohl @BillyShelton