Anti forgery tokens

  1. Felipe Casanova
    Felipe Casanova avatar
    56 posts
    Member since:
    Feb 2010

    Posted 08 May 2012

    Hi

    It's mentioned here, http://www.kendoui.com/forums/ui/upload/rails-anti-forgery-tokens.aspx, that you plan on making forgery tokens work for the next release. Did that happen and does it work in the DataSource? I'm trying to do exactly what is described here http://stackoverflow.com/questions/4074199/jquery-ajax-calls-and-the-html-antiforgerytoken but not sure how I can make that work.

    Thanks
    Matt 
  2. Alexander Valchev
    Admin
    Alexander Valchev avatar
    2875 posts

    Posted 11 May 2012

    Hello Matt,

    I am glad to inform you that this functionality is available in the latest official release. You can download it from your account and give it a try.

    Greetings,
    Alexander Valchev
    the Telerik team
    Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
  4. Felipe Casanova
    Felipe Casanova avatar
    56 posts
    Member since:
    Feb 2010

    Posted 11 May 2012

    Can you clarify how to use it in the datasource please as I can't find any documentation?
  5. Answer
    Daniel
    Admin
    Daniel avatar
    2117 posts

    Posted 15 May 2012

    Hello Matt,

    I am sorry for the confusion we created. Are you using Rails or ASP.NET MVC?
    If you use the jquery-rails gem, such modification is not needed, and the datasource works out of the box (as it uses jQuery ajax).  
    If you are using MVC, you could add the token to the request either through the request options:

    transport: {
        read: {
            url: url,
            type: "POST",
            data: {
                __RequestVerificationToken: $("input[name=__RequestVerificationToken]").val()
            }
        }
    }

    or through the transport parameterMap function. I attached a sample project which implements this scenario. I hope it helps.

    Greetings,
    Daniel
    the Telerik team
  6. Felipe Casanova
    Felipe Casanova avatar
    56 posts
    Member since:
    Feb 2010

    Posted 15 May 2012

    Thanks, very helpful... I should have mentioned MVC.
  7. Ed
    Ed avatar
    1 posts
    Member since:
    Jun 2012

    Posted 19 May 2012

    This is great... very informative... thanks.
  8. Michael
    Michael avatar
    40 posts
    Member since:
    Jan 2012

    Posted 25 May 2012

    Hmm, the problem arises when you submit via Ajax AND with a JSON payload. ASP MVC is hardcoded to look for the token in the form-value collection, which of course has nothing in it when using JSON content types.

    There is a workaround for this in ASP MVC which requires extending the anti-forgery token class in MVC. But to avoid having to take apart the json package twice to get this value out, I am trying to send it in the headers instead (and then have my custom anti-forgery class look for it there).

    The problem is I don't seem to see the header being submitted when the DataSource does its sync. For example:

    update: {
        url: 'www.fakeurl.com/blah',
        type: "POST",
        dataType: "json",
        contentType: "application/json; charset=utf-8",
        headers: { 'Forgery-Token': $("input[name=__RequestVerificationToken]").val() }
    }

    Of course, no docs on using the headers, but I thought I got that right from another thread. Close? Not close? Any insights why the header isn't being passed?

    Thanks!
    Mike
  9. Michael
    Michael avatar
    40 posts
    Member since:
    Jan 2012

    Posted 29 May 2012

    So no response?? As far as I am concerned, this is still a major issue for ASP MVC devs, since many are posting using the json content type and the Forms collection is not populated if so, which is where MVC is hardcoded to look for this token. 

    All I have seen in the docs/examples (if I remember right) is a statement that the transport operations are just a thin wrapper over the jQuery AJAX call. And many of the config properties match verbatim (and are truly just passed through).

    So my question is, is that true for all the allowed $.ajax parameters, including headers? If so, why does my code above not send the declared header? If it is not supported, is there a recommendation for adding a header to these update operations on the transport?

    Thanks!
    Mike
  10. Daniel
    Admin
    Daniel avatar
    2117 posts

    Posted 30 May 2012

    Hello Mike,

    Yes, all jQuery Ajax parameters can be used in the configuration and at least on my side the headers are sent with the request. Is the "Forgery" header sent when using a normal request outside of the DataSource? Also, please check if it is sent when using the beforeSend event to add it, e.g.

    update: {
        url: url,
        type: "POST",
        dataType: "json",
        contentType: "application/json; charset=utf-8",
        beforeSend: function (xhr) {
            xhr.setRequestHeader('Forgery-Token', $("input[name=__RequestVerificationToken]").val());
        }
    }

    Regards,
    Daniel
    the Telerik team
  11. Michael
    Michael avatar
    40 posts
    Member since:
    Jan 2012

    Posted 30 May 2012

    I am an idiot. Longer story shorter, my pages are built dynamically. In the case with the lists (grids), there wasn't a token being created and sent to the client in the first place. That is why it wasn't being sent. :)

    For posterity, I can confirm that both methods work (using headers like I was and your example of using the beforeSend event).

    Thank you for confirming all ajax options are supported!

    Cheers,
    Mike
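Daniel's two snippets in this thread carry the token either as a posted field (via `data` or `parameterMap`) or as a header set in `beforeSend`, and Michael's posts explain why the header route matters once the body is JSON: the server-side form collection is empty, so a validator that only reads form fields sees nothing. The block below is an added example, not code from the thread or from Kendo UI. It builds a transport operation both ways and runs it through a stand-in for jQuery's Ajax pipeline so the effect on the outgoing request is visible without a browser. `Forgery-Token` is the header name used in the thread; `readTokenFromDom`, `buildTransportOperation`, `makeParameterMap` and `simulateRequest` are names assumed here, and the token value in the usage is constructed.

```javascript
// Added example (not from the thread or from Kendo UI): assemble a DataSource
// transport operation that carries the ASP.NET MVC anti-forgery token either as
// a posted form field or as a request header, and show what each request sends.

const TOKEN_FIELD = "__RequestVerificationToken"; // hidden field emitted by Html.AntiForgeryToken()
const TOKEN_HEADER = "Forgery-Token";             // header name from the thread (assumes the server reads it)

// Browser-side token reader; only meaningful where a DOM exists.
// The usage below injects its own reader instead.
function readTokenFromDom() {
  const input = typeof document !== "undefined"
    ? document.querySelector('input[name="' + TOKEN_FIELD + '"]')
    : null;
  return input ? input.value : "";
}

function requireToken(readToken) {
  const token = readToken();
  if (!token) {
    // An empty token means the page never rendered the hidden field (the
    // cause in Michael's case); fail here rather than send a request the
    // server will reject anyway.
    throw new Error("anti-forgery token not present on the page");
  }
  return token;
}

// Builds one transport operation (read/update/create/destroy).
// Form-encoded body: the token rides along as a field, where MVC's
// ValidateAntiForgeryToken looks for it. JSON body: the server's form
// collection is empty, so the token goes into a header via beforeSend.
function buildTransportOperation(readToken, options) {
  const op = { url: options.url, type: "POST" };
  if (options.jsonBody) {
    op.dataType = "json";
    op.contentType = "application/json; charset=utf-8";
    op.beforeSend = function (xhr) {
      xhr.setRequestHeader(TOKEN_HEADER, requireToken(readToken));
    };
  }
  return op;
}

// parameterMap for the same transport: merges the token into form-encoded
// data, or serialises the model untouched when the token is in the header.
function makeParameterMap(readToken, jsonBody) {
  return function parameterMap(data, operation) {
    if (jsonBody) {
      return JSON.stringify(data);
    }
    const mapped = Object.assign({}, data);
    mapped[TOKEN_FIELD] = requireToken(readToken);
    return mapped;
  };
}

// Stand-in for jQuery's Ajax pipeline: runs beforeSend against a fake XHR and
// applies the parameterMap, returning what would leave the browser.
function simulateRequest(op, parameterMap, model, operation) {
  const xhr = {
    headers: {},
    setRequestHeader: function (name, value) { this.headers[name] = value; }
  };
  if (typeof op.beforeSend === "function") {
    op.beforeSend(xhr);
  }
  return {
    url: op.url,
    contentType: op.contentType || "application/x-www-form-urlencoded",
    headers: xhr.headers,
    body: parameterMap(model, operation || "update")
  };
}

// Usage with a constructed token (a real page would pass readTokenFromDom).
const demoToken = () => "constructed-token-value";
const formRequest = simulateRequest(
  buildTransportOperation(demoToken, { url: "/orders/update" }),
  makeParameterMap(demoToken, false),
  { id: 7, status: "shipped" }
);
const jsonRequest = simulateRequest(
  buildTransportOperation(demoToken, { url: "/orders/update", jsonBody: true }),
  makeParameterMap(demoToken, true),
  { id: 7, status: "shipped" }
);
```

In the form-encoded case the token ends up in the body alongside the model fields; in the JSON case the body is the serialised model and the token is only in the `Forgery-Token` header, so the server-side check has to read that header (the custom anti-forgery class Michael describes) or the request will be rejected with the same "form field is not present" error Brad later reports.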
  12. Matthew
    Matthew avatar
    2 posts
    Member since:
    Feb 2015

    Posted 01 Apr 2015 in reply to Daniel

    I am using MVC and the @(Html.Kendo().Grid... syntax with .DataSource(..Server() binding.  Do you all plan to make the __RequestVerificationToken auto handled with this syntax?  Or is there a way to add the parameterMap with this syntax?
  13. Daniel
    Admin
    Daniel avatar
    2117 posts

    Posted 07 Apr 2015

    Hello,

    Adding the token automatically is not planned and a parameterMap function is not available because the requests are made via HTML elements in this mode. It should be possible to pass the token when using server binding by adding it to the route values:
    @{
        var token = Html.AntiForgeryToken().ToHtmlString();
        var tokenValue = new System.Text.RegularExpressions.Regex("value=\"(.*?)\"").Match(token).Groups[1].Value;
        var routeValues = new { __RequestVerificationToken = tokenValue };
    }
    @(Html.Kendo().Grid(Model)
        .Name("grid")
        .DataSource(dataSource => dataSource
            .Server()
            .Read(read => read.Action("ReadAction", "Controller", routeValues))
            .Update(update => update.Action("UpdateAction", "Controller", routeValues))
            .Create(create => create.Action("CreateAction", "Controller", routeValues))
            .Destroy(destroy => destroy.Action("DestroyAction", "Controller", routeValues))
        )
    )

    For update and create you could also include the token inside an editor used for the grid. 

    Regards,
    Daniel
    Telerik
  14. Matthew
    Matthew avatar
    2 posts
    Member since:
    Feb 2015

    Posted 08 Apr 2015 in reply to Daniel

    I am not sure how to make MVC use the new routeValues in the controllers.  Can you provide a sample for that as well?
  15. Atanas Korchev
    Admin
    Atanas Korchev avatar
    8462 posts

    Posted 13 Apr 2015

    Hello Matthew,

    You shouldn't need to do anything else as long as those routeValues are used in the DataSource configuration.

    The grid will send them as part of the request.

        .Read(read => read.Action("ReadAction", "Controller", routeValues))
        .Update(update => update.Action("UpdateAction", "Controller", routeValues))
        .Create(create => create.Action("CreateAction", "Controller", routeValues))
        .Destroy(destroy => destroy.Action("DestroyAction", "Controller", routeValues))

    What happens when you do that?

    Regards,
    Atanas Korchev
    Telerik
  16. Brad
    Brad avatar
    3 posts
    Member since:
    Jul 2014

    Posted 27 May in reply to Daniel

    I've been trying to do this exact thing for a few days with no success.  Here's the DataSource configuration for my server-bound MVC grid:

    .DataSource(dataSource => dataSource
        .Server()
        .Destroy(x => x.Action("Delete", "ControllerName", routeValues))
        .Model(model => { model.Id(r => r.Id); }))

    The delete button posts and adds the request verification token to the route value as expected, but I get the following error: The required anti-forgery form field "__RequestVerificationToken" is not present.

    After looking at the resulting HTML I now realize that the anti-forgery token must be included within the <form> that surrounds the delete button for it to work properly.  Is there any way to accomplish this?

    Thanks!

  17. Brad
    Brad avatar
    3 posts
    Member since:
    Jul 2014

    Posted 27 May in reply to Daniel

    I had an epiphany of sorts right after making my previous post that I thought I should share.  I discovered a way to add an antiforgerytoken to each form within the grid row.  Here's the column code:

    columns.Command(command => {
        command.Destroy().Text(Html.AntiForgeryToken().ToHtmlString() + "Delete");
    })

    This is not a pretty solution, but it does the trick.  Also, if you don't want lots of different AntiForgeryTokens running around in your grid here's another method:

    @{ string antiForgeryTokenText = Html.AntiForgeryToken().ToHtmlString(); }

    // Inside your grid column
    columns.Command(command => {
        command.Destroy().Text(antiForgeryTokenText + "Delete");
    })

    This eliminates repeated calls to Html.AntiForgeryToken helper, which I like.

    It would be nice if there were another more specialized method besides Text() to do this, perhaps something like this: .FormHiddenValues(new {AdditionalFormValue="some value"}). 

    I would still like to see some method of automatically adding the antiforgerytoken in the future for both server and ajax bound grids.

    Thanks!
