The Wayback Machine - https://web.archive.org/web/20220218130617/https://github.com/dotnet/aspnetcore/issues/40301
[7.0 preview 1] HTTP DELETE sometimes treated as HTTP POST #40301

Open
1 task done
martincostello opened this issue Feb 18, 2022 · 0 comments

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

This is a bit of a weird one, and I'm not sure exactly what's at fault, but code that works fine with ASP.NET Core 6 is not working some of the time with ASP.NET Core 7 preview 1.

Testing a sample app of mine with preview 1 is getting test failures in UI tests that attempt to delete items from a Razor Pages UI using some Minimal API endpoints. The upgrade PR illustrating the issue is here: martincostello/dotnet-minimal-api-integration-testing#257.

Some UI tests fail in GitHub Actions on Linux and Windows, but none of the UI tests on macOS do.

Debugging this locally on my Windows 11 laptop, I've been able to fairly reliably repro the issue with Firefox but not with Chrome.

The behaviour is that attempting to delete a second Todo item from the application via the UI fails with an HTTP 400 error, which appears to be coming from anti-forgery.

Turning up logging and looking at the Network tab in Firefox appears to show that the second HTTP DELETE request from the browser is being interpreted by the app as an HTTP POST, which then doesn't match the Minimal API delete endpoint, and then goes through into MVC, where it then hits anti-forgery because there's no request token.

MVC blocking the request due to the missing token makes sense, but the sample app shouldn't be getting that far, as it should be just going to the Minimal API's delete endpoint.

Specific lines from the application logs that are interesting are shown below, with the full logs at the bottom of this issue.

First working request for the HTTP DELETE:

info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 DELETE https://localhost:5001/api/items/dcd544d4-ff5a-4828-ad35-a6420acec150 - -
<snip>
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 DELETE https://localhost:5001/api/items/dcd544d4-ff5a-4828-ad35-a6420acec150 - - - 204 - - 215.2596ms

Second failing request for the HTTP DELETE:

info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 POST https://localhost:5001/api/items/45ef5916-2b04-4d2a-b060-58fc1105e0c2 - -
trce: Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware[2]
      All hosts are allowed.
dbug: Microsoft.AspNetCore.Routing.Matching.DfaMatcher[1001]
      1 candidate(s) found for the request path '/api/items/45ef5916-2b04-4d2a-b060-58fc1105e0c2'
dbug: Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware[1]
      Request matched endpoint '405 HTTP Method Not Supported'
<snip>
trce: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[2]
      Authorization Filter: Before executing OnAuthorizationAsync on filter Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter.
info: Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter[1]
      Antiforgery token validation failed. The required antiforgery header value "RequestVerificationToken" is not present.
      Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The required antiforgery header value "RequestVerificationToken" is not present.
         at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
         at Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.ValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
trce: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[3]
      Authorization Filter: After executing OnAuthorizationAsync on filter Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter.
info: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[3]
      Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter'.
<snip>
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 POST https://localhost:5001/api/items/45ef5916-2b04-4d2a-b060-58fc1105e0c2 - - - 400 0 - 46.7893ms

Screenshot showing the two HTTP DELETE calls

image

Application logs

delete-fails-logs.txt

Expected Behavior

The HTTP DELETE succeeds.

Steps To Reproduce

Exceptions (if any)

No response

.NET Version

7.0.100-preview.1.22110.4

Anything else?

No response
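
Added example, not part of the original issue or the sample app: a small Python triage script that groups the console log entries quoted above by request and flags the pattern the report describes (routing selects '405 HTTP Method Not Supported', yet the response is an antiforgery 400). The sample lines are copied from the excerpts above; the function names and the assumption that requests are not interleaved in the log are this example's own.

```python
import re

# Lines copied from the log excerpts in the issue above (trimmed to what the parser reads).
SAMPLE_LOG = """\
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 DELETE https://localhost:5001/api/items/dcd544d4-ff5a-4828-ad35-a6420acec150 - -
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 DELETE https://localhost:5001/api/items/dcd544d4-ff5a-4828-ad35-a6420acec150 - - - 204 - - 215.2596ms
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
      Request starting HTTP/2 POST https://localhost:5001/api/items/45ef5916-2b04-4d2a-b060-58fc1105e0c2 - -
dbug: Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware[1]
      Request matched endpoint '405 HTTP Method Not Supported'
info: Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter[1]
      Antiforgery token validation failed. The required antiforgery header value "RequestVerificationToken" is not present.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
      Request finished HTTP/2 POST https://localhost:5001/api/items/45ef5916-2b04-4d2a-b060-58fc1105e0c2 - - - 400 0 - 46.7893ms
"""

HEADER = re.compile(r"^\w+: [\w.]+\[\d+\]$", re.M)          # e.g. "info: Category[1]"
START = re.compile(r"Request starting \S+ (\S+) (\S+)")      # method, URL
FINISH = re.compile(r"Request finished .* - - - (\d{3})\b")  # status code
ENDPOINT = re.compile(r"Request matched endpoint '([^']+)'")

def entries(text):
    """Return one message per log entry; indented lines continue the entry above."""
    chunks = HEADER.split(text)[1:]
    return [" ".join(l.strip() for l in c.splitlines() if l.startswith(" ")) for c in chunks]

def requests(text):
    """Group entries per request; assumes requests are not interleaved in the log."""
    current, done = None, []
    for msg in entries(text):
        if m := START.search(msg):
            current = {"method": m[1], "url": m[2], "endpoint": None, "antiforgery_failed": False}
        elif current is None:
            continue
        elif m := ENDPOINT.search(msg):
            current["endpoint"] = m[1]
        elif "Antiforgery token validation failed" in msg:
            current["antiforgery_failed"] = True
        elif m := FINISH.search(msg):
            done.append({**current, "status": int(m[1])})
            current = None
    return done

def fell_through_to_antiforgery(req):
    """Routing picked the 405 endpoint, yet the client got an antiforgery 400."""
    return (req["endpoint"] == "405 HTTP Method Not Supported"
            and req["antiforgery_failed"] and req["status"] == 400)
```

Running `requests()` over a full log and filtering with `fell_through_to_antiforgery()` lists the requests that reached the antiforgery filter after the method mismatch, with the method and URL the server logged for each.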
