From 6cae355cb2756ae01d3305d2afbd7ae84755d25a Mon Sep 17 00:00:00 2001 From: Anton Terentev Date: Tue, 4 Jun 2024 10:06:52 +0300 Subject: [PATCH] Add Antiforgery and CORS policies to application In this commit, Antiforgery and CORS (Cross Origin Resource Sharing) policies have been added to the web application builder. A special "SkinServicePolicy" has been configured to allow any origin, method, and header. Moreover, the antiforgery validation has been disabled on specific endpoints to prevent cross site request forgery attacks. --- .../Application/ApplicationExtensions.cs | 33 +++++++++---------- 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/src/Gml.Web.Skin.Service/Core/Extensions/Application/ApplicationExtensions.cs b/src/Gml.Web.Skin.Service/Core/Extensions/Application/ApplicationExtensions.cs index 2dc74f9..f27ca53 100644 --- a/src/Gml.Web.Skin.Service/Core/Extensions/Application/ApplicationExtensions.cs +++ b/src/Gml.Web.Skin.Service/Core/Extensions/Application/ApplicationExtensions.cs @@ -5,13 +5,24 @@ namespace Gml.Web.Skin.Service.Core.Extensions.Application; public static class ApplicationExtensions { + private static string _policyName = "SkinServicePolicy"; + public static WebApplicationBuilder CreateService(this WebApplicationBuilder builder) { builder.Services.AddEndpointsApiExplorer(); builder.Services.AddSwaggerGen(); + builder.Services.AddAntiforgery(); builder.Services.AddAutoMapper(typeof(TextureMapper)); + builder.Services + .AddCors(o => o.AddPolicy(_policyName, policyBuilder => + { + policyBuilder.AllowAnyOrigin() + .AllowAnyMethod() + .AllowAnyHeader(); + })); + CheckFolders(); return builder; @@ -32,9 +43,10 @@ public static WebApplication Run(this WebApplicationBuilder builder) app.UseSwagger(); app.UseSwaggerUI(); - + app.UseCors(_policyName); // app.UseHttpsRedirection(); app.AddRoutes(); + app.UseAntiforgery(); app.Run(); 
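Review bot: The CORS policy added in the first hunk (`AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader()`) is applied to the whole app, so it also covers the two POST upload routes, not only the image GETs that a public texture service needs to serve cross-origin; if the uploads are meant for a specific frontend, build the policy with `WithOrigins(...)` read from configuration instead. The policy name is a compile-time constant held in a mutable static field, `private static string _policyName = "SkinServicePolicy";`, which should be `private const string PolicyName = "SkinServicePolicy";`. The commit message also says antiforgery was disabled on endpoints "to prevent cross site request forgery attacks"; disabling it removes that protection rather than adding it, so the message should state the real reason the two routes opt out.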
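Review bot: `app.UseAntiforgery();` in the second hunk ends up validating nothing: the only state-changing routes, `/skin/{userName}` and `/cloak/{userName}` in the third and fourth hunks, are mapped with `.DisableAntiforgery()`, and every other route is a GET that the antiforgery middleware does not check. If the uploads come from a non-browser client that cannot carry a token, record that next to the opt-outs (`// Uploads come from the launcher, not a browser form; CSRF tokens are not available, so the request must be authenticated instead`) and make sure the handlers do authenticate the caller, since nothing in these hunks shows authorization on either POST; otherwise keep validation on and have the client send the token. Placement is also worth a look: the middleware is registered after `app.AddRoutes()`, and while WebApplication appends the endpoint middleware last so this still runs before the handlers, the documented order is after authentication/authorization and before endpoint mapping, so moving it above `app.AddRoutes()` would be clearer. The body of `Run` starts before and ends after this hunk.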
@@ -45,7 +57,7 @@ private static WebApplication AddRoutes(this WebApplication app) { app.MapGet("/{userName}", TextureRequests.GetUserTexture); - app.MapPost("/skin/{userName}", TextureRequests.LoadSkin); + app.MapPost("/skin/{userName}", TextureRequests.LoadSkin).DisableAntiforgery(); app.MapGet("/skin/{userName}/{uuid?}", TextureRequests.GetSkin); app.MapGet("/skin/{userName}/head/{size}", TextureRequests.GetSkinHead); app.MapGet("/skin/{userName}/front/{size}", TextureRequests.GetSkinFront); @@ -53,7 +65,7 @@ private static WebApplication AddRoutes(this WebApplication app) app.MapGet("/skin/{userName}/full-back/{size}", TextureRequests.GetSkinAndCloakBack); app.MapGet("/cloak/{userName}/{uuid?}", TextureRequests.GetCloakTexture); - app.MapPost("/cloak/{userName}", TextureRequests.LoadCloak); + app.MapPost("/cloak/{userName}", TextureRequests.LoadCloak).DisableAntiforgery();; app.MapGet("/cloak/{userName}/front/{size}", TextureRequests.GetCloak); app.MapGet("/refresh/{userName}", TextureRequests.RefreshCache); @@ -61,18 +73,3 @@ private static WebApplication AddRoutes(this WebApplication app) return app; } } - -// app.MapGet("/weatherforecast", () => -// { -// var forecast = Enumerable.Range(1, 5).Select(index => -// new WeatherForecast -// ( -// DateOnly.FromDateTime(DateTime.Now.AddDays(index)), -// Random.Shared.Next(-20, 55), -// summaries[Random.Shared.Next(summaries.Length)] -// )) -// .ToArray(); -// return forecast; -// }) -// .WithName("GetWeatherForecast") -// .WithOpenApi();
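Review bot: The fourth hunk's new line `app.MapPost("/cloak/{userName}", TextureRequests.LoadCloak).DisableAntiforgery();;` ends with a doubled semicolon, leaving an empty statement behind the call; it should read `app.MapPost("/cloak/{userName}", TextureRequests.LoadCloak).DisableAntiforgery();`. Both opt-outs in the third and fourth hunks are also undocumented, and a reader seeing `UseAntiforgery()` in `Run` will assume the POSTs are covered, so a one-line comment above each stating why token validation is skipped for that route would prevent that misreading. `AddRoutes` begins before and ends after these hunks.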