antiforgery issue

[jackie3981]

Select Topic Area

Question

Body

ASP .NET 8 API

//Program.cs
...

// Middleware 
app.Use(async (context, next) => {
    
   var existingToken = context.Request.Cookies["XSRF-TOKEN"];
    var antiforgery = context.RequestServices.GetRequiredService<IAntiforgery>();

    if (string.IsNullOrEmpty(existingToken)) {
        MyProjectAPI.Helpers.CsrfHelper.GenerateAndStoreCsrfToken(context, antiforgery);
    }

    await next();
});

....

This line
var antiforgery = context. RequestServices.GetRequiredService();

Each time the middleware is executed, it generates a new antiforgery token. This new token is then used for validation, but it does not match the header token and the cookie token, which are the same. The reason for this mismatch is that the header token and cookie token are previously stored and have specific values.
When the middleware is called, it executes
var antiforgery = context.RequestServices.GetRequiredService<IAntiforgery>();,
generating a new token that differs from the previous ones. If I check whether these tokens are created and then avoid calling
var antiforgery = context.RequestServices.GetRequiredService<IAntiforgery>();,

it won’t resolve the issue. In fact, this would cause other problems within the application because antiforgery must be initialized. While I recognize that this initialization is the root of my problem, I am unsure how to resolve it

I would be grateful for any help.
Thank you in advance.