[7.0 preview 1] HTTP DELETE sometimes treated as HTTP POST


Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

This is a bit of a weird one, and I’m not sure exactly what’s at fault, but code that works fine with ASP.NET Core 6 is not working some of the time with ASP.NET Core 7 preview 1.

Testing a sample app of mine with preview 1 is getting test failures in UI tests that attempt to delete items from a Razor Pages UI using some Minimal API endpoints. The upgrade PR illustrating the issue is here: martincostello/dotnet-minimal-api-integration-testing#257.

Some UI tests fail in GitHub Actions on Linux and Windows, but none of the UI tests on macOS do.

Debugging this locally on my Windows 11 laptop, I’ve been able to fairly reliably repro the issue with Firefox but not with Chrome.

The behaviour is that attempting to delete a second Todo item from the application via the UI fails with an HTTP 400 error, which appears to be coming from anti-forgery.

Turning up logging and looking at the Network tab in Firefox appears to show that the second HTTP DELETE request from the browser is being interpreted by the app as an HTTP POST, which then doesn’t match the Minimal API delete endpoint, and then goes through into MVC, where it then hits anti-forgery because there’s no request token.

MVC blocking the request due to the missing token makes sense, but the sample app shouldn’t be getting that far, as it should be just going to the Minimal API’s delete endpoint.

Specific lines from the application logs that are interesting are shown below, with the full logs at the bottom of this issue.

First working request for the HTTP DELETE:

info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 DELETE https://localhost:5001/api/items/dcd544d4-ff5a-4828-ad35-a6420acec150 - -
<snip>
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 DELETE https://localhost:5001/api/items/dcd544d4-ff5a-4828-ad35-a6420acec150 - - - 204 - - 215.2596ms

Second failing request for the HTTP DELETE:

info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 POST https://localhost:5001/api/items/45ef5916-2b04-4d2a-b060-58fc1105e0c2 - -
trce: Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware[2]
      All hosts are allowed.
dbug: Microsoft.AspNetCore.Routing.Matching.DfaMatcher[1001]
      1 candidate(s) found for the request path '/api/items/45ef5916-2b04-4d2a-b060-58fc1105e0c2'
dbug: Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware[1]
      Request matched endpoint '405 HTTP Method Not Supported'
<snip>
trce: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[2]
      Authorization Filter: Before executing OnAuthorizationAsync on filter Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter.
info: Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter[1]
      Antiforgery token validation failed. The required antiforgery header value "RequestVerificationToken" is not present.
      Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The required antiforgery header value "RequestVerificationToken" is not present.
         at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
         at Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.ValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
trce: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[3]
      Authorization Filter: After executing OnAuthorizationAsync on filter Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter.
info: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[3]
      Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter'.
<snip>
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 POST https://localhost:5001/api/items/45ef5916-2b04-4d2a-b060-58fc1105e0c2 - - - 400 0 - 46.7893ms

Screenshot showing the two HTTP DELETE calls


Application logs

delete-fails-logs.txt

Expected Behavior

The HTTP DELETE succeeds.

Steps To Reproduce

  • Clone martincostello/dotnet-minimal-api-integration-testing@8e09b89d7d3699deeb21688adaec1f3ca85e1dfe
  • Configure GitHub auth secrets
  • Run the application
  • Navigate to https://localhost:5001 in Firefox
  • Create two new Todo items
  • Delete the two Todo items - the second delete should fail

Exceptions (if any)

No response

.NET Version

7.0.100-preview.1.22110.4

Anything else?

No response
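
A triage script for the failure described in the issue above, added here as an example and not part of the original issue or the sample app: it groups console-logger lines by request and reports API requests that ended in an antiforgery rejection. The function names and the `api_prefix` parameter are assumptions; the sample log is abridged from the excerpt in the issue, and the parser assumes requests are logged one at a time.

```python
import re
from urllib.parse import urlsplit

# Abridged from the log excerpt in the issue above (ASP.NET Core console logger format).
SAMPLE_LOG = """\
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 DELETE https://localhost:5001/api/items/dcd544d4-ff5a-4828-ad35-a6420acec150 - -
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 DELETE https://localhost:5001/api/items/dcd544d4-ff5a-4828-ad35-a6420acec150 - - - 204 - - 215.2596ms
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 POST https://localhost:5001/api/items/45ef5916-2b04-4d2a-b060-58fc1105e0c2 - -
dbug: Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware[1]
      Request matched endpoint '405 HTTP Method Not Supported'
info: Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter[1]
      Antiforgery token validation failed. The required antiforgery header value "RequestVerificationToken" is not present.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 POST https://localhost:5001/api/items/45ef5916-2b04-4d2a-b060-58fc1105e0c2 - - - 400 0 - 46.7893ms
"""

START = re.compile(r"Request starting \S+ (\S+) (\S+)")
FINISH = re.compile(r"Request finished \S+ (\S+) (\S+) \S+ \S+ \S+ (\d{3})\b")


def summarize_requests(log_text):
    """Return one dict per request; assumes requests are logged one at a time."""
    requests, current = [], None
    for line in log_text.splitlines():
        text = line.strip()
        if m := START.search(text):
            current = {"method": m[1], "path": urlsplit(m[2]).path, "status": None,
                       "matched_405": False, "antiforgery_failed": False}
            requests.append(current)
        elif current is None:
            continue  # line outside any request window
        elif "405 HTTP Method Not Supported" in text:
            current["matched_405"] = True
        elif text.startswith("Antiforgery token validation failed"):
            current["antiforgery_failed"] = True
        elif m := FINISH.search(text):
            current["status"] = int(m[3])
            current = None
    return requests


def api_requests_rejected_by_antiforgery(log_text, api_prefix="/api/"):
    """API-path requests that missed their endpoint and hit the antiforgery filter."""
    return [r for r in summarize_requests(log_text)
            if r["path"].startswith(api_prefix) and r["antiforgery_failed"]]
```

On the sample, only the second request is reported: logged as POST, matched to the 405 endpoint, then rejected with a 400 by the antiforgery filter.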

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 10 (10 by maintainers)

Top GitHub Comments

adityamandaleeka commented, Mar 1, 2022 (1 reaction)

Reopening to get this into Preview 2.
