(#173) Backend for Frontend (BFF)

phongnguyend · Aug 6, 2023 · 5c18139 · 5c18139
1 parent dced59c
commit 5c18139
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 1 deletion.
diff --git a/src/UIs/bff/ReverseProxy.Yarp/Controllers/AuthenticationController.cs b/src/UIs/bff/ReverseProxy.Yarp/Controllers/AuthenticationController.cs
@@ -1,4 +1,5 @@
-using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Antiforgery;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Mvc;
@@ -7,6 +8,13 @@ namespace ReverseProxy.Yarp.Controllers
 {
     public class AuthenticationController : ControllerBase
     {
+        private readonly IAntiforgery _forgeryService;
+
+        public AuthenticationController(IAntiforgery forgeryService)
+        {
+            _forgeryService = forgeryService;
+        }
+
         [HttpGet("/login")]
         public async Task LoginAsync(string returnUrl)
         {
@@ -35,6 +43,9 @@ public IActionResult UserInfor()
         {
             if (HttpContext.User.Identity?.IsAuthenticated ?? false)
             {
+                var tokens = _forgeryService.GetAndStoreTokens(HttpContext);
+                HttpContext.Response.Cookies.Append("PHONG-XSRF-TOKEN", tokens.RequestToken!, new CookieOptions { HttpOnly = false });
+
                 return Ok(new
                 {
                     Id = "",

diff --git a/src/UIs/bff/ReverseProxy.Yarp/Program.cs b/src/UIs/bff/ReverseProxy.Yarp/Program.cs
@@ -1,8 +1,10 @@
+using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.IdentityModel.Protocols.OpenIdConnect;
 using ReverseProxy.Yarp.ConfigurationOptions;
+using System.Net;
 using System.Net.Http.Headers;
 using Yarp.ReverseProxy.Transforms;
 
@@ -37,6 +39,8 @@ public static void Main(string[] args)
 
             services.AddControllers();
 
+            services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");
+
             services.AddAuthentication(options =>
             {
                 options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
@@ -66,6 +70,25 @@ public static void Main(string[] args)
 
             app.MapControllers();
 
+            app.Use(async (context, next) =>
+            {
+                if (context.Request.Path.Value?.StartsWith("/api/", StringComparison.OrdinalIgnoreCase) ?? false)
+                {
+                    try
+                    {
+                        var antiForgeryService = context.RequestServices.GetRequiredService<IAntiforgery>();
+                        await antiForgeryService.ValidateRequestAsync(context);
+                    }
+                    catch (AntiforgeryValidationException)
+                    {
+                        context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
+                        return;
+                    }
+                }
+
+                await next(context);
+            });
+
             app.MapReverseProxy();
 
             app.MapForwarder("{**rest}", "http://localhost:3000");

diff --git a/src/UIs/bff/reactjs/src/containers/Auth/authInterceptors.tsx b/src/UIs/bff/reactjs/src/containers/Auth/authInterceptors.tsx
@@ -2,6 +2,11 @@ import { login, logout } from "./authService";
 
 const addAuthInterceptors = (axios) => {
   axios.interceptors.request.use((config) => {
+    const xsrfToken = document
+      .cookie!.split("; ")!
+      .find((row) => row.startsWith("PHONG-XSRF-TOKEN="))!
+      .split("=")[1];
+    config.headers["X-XSRF-TOKEN"] = xsrfToken;
     return config;
   });
   axios.interceptors.response.use(