Skip to main content

Umbraco Tip: How to securely fix "SurfaceController POST not allowed outside Umbraco due to missing antiforgery token"

Today, I was working on a v8 to v13 upgrade project, and I realised that I couldn't access my [HttpPost] actions in a SurfaceController from an Ajax POST call.

After trying some solutions without any luck, including Route attributes to the SurfaceController and actions, I found out that starting from Umbraco v9, the SurfaceControllers have the anti-forgery check by default as SurfaceControllers are primarily made for POSTing forms within Umbraco. 

To resolve this issue, I added the following beforeSend bit to my Ajax call and also added the [ValidateAntiForgeryToken] attribute to my actions in my SurfaceController.

During tests, I also realised that I could ignore the anti-forgery token completely by adding the [IgnoreAntiforgeryToken] attribute to my actions, but this is not an option that anybody should go for as this option skips the anti-forgery token validation and makes your website more vulnerable for things like Cross-site request forgery attacks. 

$.ajax({
  url: `/umbraco/surface/Nomination/${isReviewers ? "SearchReviewers" : "SearchFellows"}?term=${term}`,
  type: "POST",
  contentType: "application/json; charset=utf-8",
  beforeSend: function (xhr) {
      xhr.setRequestHeader("RequestVerificationToken",
          $('input:hidden[name="__RequestVerificationToken"]').val());
  },
  complete: function (xhr) {
....


        [HttpPost]
        //[IgnoreAntiforgeryToken]
        [ValidateAntiForgeryToken]
        public async Task<IActionResult> SearchFellows(string term)
        {
           ...
            return Json(results);
        }

        [HttpPost]
        //[IgnoreAntiforgeryToken]
        [ValidateAntiForgeryToken]
        public async Task<IActionResult> SearchReviewers(string term)
        {
            ...

            return Json(results);
        }

That's all. Big thanks to fellow Umbraco people who have contributed to this Umbraco GitHub issue: https://github.com/umbraco/UmbracoDocs/issues/3242

Labels:

Comments

Post a Comment

Popular posts from this blog

How to fix Git push error: "RPC failed; curl 56 HTTP/2 stream 7 was reset send-pack: unexpected disconnect while reading sideband packet fatal: the remote end hung up unexpectedly"

Problem Today I saw the following problem when I tried to push my changes to a Git server after doing some work for upgrading an Umbraco v7 project to v8.18.8.  Possible reasons After some investigations, it seems like this could be because of the following reasons; Git is not happy with the amount of changes that are being pushed into the server.  There are possible limitations on the server about the size/amount of files that you can push. Your internet connection is not good and stable enough. Your Git client's version is old. Solution options For me, the easiest option was connecting to another Wifi and trying again. Apparently, this option helped quite a few people, so it is worth giving it a try. Unfortunately, it didn't work for me. A bad internet connection wasn't an option for me either, as my internet is pretty fast (500 Mbps). Similarly, my Git client version was the latest version (git version 2.41.0.windows.3).  On StackOverflow, there were a lot of recommend...
Post a Comment
Read more

How to fix "Microsoft SQL Error SQL71564: Error validating element [USERNAME]: The element [USERNAME] has been orphaned from its login and cannot be deployed."

I needed to export a database in BACPAC format today in order to restore it somewhere else, and I encountered the following error. To resolve this issue, I deleted all of the users mentioned in the error log. After successfully creating the BACPAC file, I used it to create a new database with no problems. Error: TITLE: Microsoft SQL Server Management Studio ------------------------------ One or more unsupported elements were found in the schema used as part of a data package. Error SQL71564: Error validating element [USER1]: The element [USER1] has been orphaned from its login and cannot be deployed. Error SQL71564: Error validating element [USER2]: The element [USER2] has been orphaned from its login and cannot be deployed. Error SQL71564: Error validating element [USER3]: The element [USER3] has been orphaned from its login and cannot be deployed. Error SQL71564: Error validating element [USER4]: The element [USER4] has been orphaned from its login and cannot be deployed. Error SQL71...
Post a Comment
Read more

How to use JQuery Ajax Methods for Async ASP.NET MVC Action Methods

Making repeatedly calls to async methods can be a nightmare. In this case, it makes sense to use 2 ajax methods, instead of one. Here is a simple solution to overcome this problem. See that  ajaxcalls   is emptied after the success response for the first ajax call and then the second ajax method is used to make one single call to the async action method. Hope it helps. View: @section Scripts{     < script type ="text/javascript">         var smartDebitObject = new Object();         smartDebitObject.MembershipNumber = $( "#MembershipNumber" ).val();         smartDebitObject.ProfileId = $( "#ProfileId" ).val();         smartDebitObject.FirstName = $( "#FirstName" ).val();         smartDebitObject.LastName = $( "#LastName" ).val();     ...
Post a Comment
Read more