Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

AntiForgeryToken validation failing while deploy on server - 400 Bad Request

See original GitHub issue

I am working on an Angular app with .NET Core and Web API implementation. I am trying to implement Anti forgery Token for APIs. This is working all the time on my local machine but when I deploy this on the Dev environment (cloud) , APIs are sometime working and sometime not working. And When its not working I am getting 400- Bad Request error.

Here is my configuration, Please let me know where did I implement wrong ?

Startup.cs

public void ConfigureServices(IServiceCollection services) 
  {
            this.ConfigureServicesForAuth(services);
            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
            services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");
            services.AddMvc(options =>
            options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
}

Interceptor

  intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
       const headername = 'X-XSRF-TOKEN';
       const requestToken = this.getCookieValue(environment.TokenName); // declared in environment file with name XSRF-REQUEST-TOKEN-R

       req = req.clone({
       headers: req.headers.append(headername, requestToken)
                                      .append('Cache-Control', 'no-cache')
                                      .append('Pragma', 'no-cache')
                                      .append('Expires', 'Sat, 01 Jan 2000 00:00:00 GMT')
     });

Anti Forgery Controller

    public class AntiForgeryController : Controller
    {
        private IAntiforgery _antiForgery;
        public AntiForgeryController(IAntiforgery antiForgery)
        {
            _antiForgery = antiForgery;
        }
        [Route("antiforgerytoken")]
        [IgnoreAntiforgeryToken]
        public IActionResult GenerateAntiForgeryTokens()
        {
            var tokens = _antiForgery.GetAndStoreTokens(HttpContext);            
            Response.Cookies.Append("XSRF-REQUEST-TOKEN-R", tokens.RequestToken, new Microsoft.AspNetCore.Http.CookieOptions
            {
                Path="/",
                HttpOnly = false
            });
            return NoContent();
        }

        [Route("Startupcall")]
        [IgnoreAntiforgeryToken]
        [HttpPost]
        public IActionResult Startupcall()
        {
            return NoContent();
        }
    }

Service

public GetandSetToken() {
    return this.http.post('api/AntiForgery/Startupcall', {
    }).pipe(
      switchMap(_ => this.http.get('api/AntiForgery/antiforgerytoken'))
    );
  }

Page-base-component.ts

ngOnInit() {
    this.sharedService.GetandSetToken().subscribe(result => {
    });}

Finally in a Controller Method

[Authorize]
[Route("api/[controller]")]
[AutoValidateAntiforgeryToken]

 public partial class EmployeeController : Controller
    {
        private NewDomain _newDomain;
        public MyController(NewDomain newDomain)
        {
            this._newDomain = newDomain;
        }

        [Authorize]
        [HttpPost]
        [Route("DeleteEmployees")]
        public async Task<IActionResult> DeleteEmployees(int departmentId , [FromBody]IEnumerable<EmployeeDetails> objListEmployeeDetails)
        {
            await _newDomain.DeleteEmployees(objListEmployeeDetails);
            return Ok();
        }
}