Feature Request: IBffApiSkipAntiforgery with Skip method

[Erwinvandervalk]

This issue is moved from the support repo to the products repo

Original issue:
DuendeSoftware/Support#1561

Which version of Duende BFF are you using?
2.3

Which version of .NET are you using?
8.0

Hello, I don't know if this is actually the process of feature request but here goes.

I think it would be beneficial if the interface IBffApiSkipAntiforgery had a Skip method that would return true by default, and would also allow us to implement it and have more fine-grained control over skipping or not skipping inside the same route.

For example, in my case, I wanted to support WebSockets in a normal proxy route, but I have to skip anti forgery in case it's a websocket request or not.. And currently for that I need add Middleware before the BffMiddleware and append manually the BffApiSkipAntiforgery attribute to the endpoint metadata, which is extremely cumbersome. Eg:

public class PreBffMiddleware : IMiddleware
{
    public async Task InvokeAsync(HttpContext context, RequestDelegate next)
    {
        if (context.WebSockets.IsWebSocketRequest)
        {
            var endpoint = context.GetEndpoint();
            if (endpoint is RouteEndpoint routeEndpoint)
            {
                var metadata = new List<object>(routeEndpoint.Metadata);

                if (!metadata.Exists(m => m is BffApiSkipAntiforgeryAttribute))
                {
                    metadata.Add(new BffApiSkipAntiforgeryAttribute());
                    var newEndpoint = new RouteEndpoint(
                        routeEndpoint.RequestDelegate,
                        routeEndpoint.RoutePattern,
                        routeEndpoint.Order,
                        new EndpointMetadataCollection(metadata),
                        routeEndpoint.DisplayName);
                    context.SetEndpoint(newEndpoint);
                }
            }
        }

        await next.Invoke(context);
    }
}

With my suggestion, it would look like this.

public interface IBffApiSkipAntiforgery {
  public bool Skip(HttpContext context) => true;
}
// BffMiddleware snippet
var isBffEndpoint = endpoint.Metadata.GetMetadata<IBffApiEndpoint>() != null;
if (isBffEndpoint)
{
    var requireAntiForgeryCheck = endpoint.Metadata.OfType<IBffApiSkipAntiforgery>().FirstOrDefault();
    if (requireAntiForgeryCheck == null || !requireAntiForgeryCheck.Skip(context))
    {
        if (!context.CheckAntiForgeryHeader(_options))
        {
            _logger.AntiForgeryValidationFailed(context.Request.Path);

            context.Response.StatusCode = 401;
            return;
        }
    }
}

Using this we could create our own attributes, and use them instead, like this one

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class WebSocketSkipAntiForgery : Attribute, IBffApiSkipAntiforgery
{
    public bool Skip(HttpContext context){
      if (request == null) return false;

      if (request.WebSockets.IsWebSocketRequest) {
        return true;
      }

      return false;
    };
}

Thanks for the attention

[Erwinvandervalk]

Better support for websockets with the BFF is something we have on the roadmap but is not currently planned for any specific milestones. There are a number of caveats to take into account. For one, you should ensure your endpoints are not vulnerable to csrf attacks by verifying the origin.
After that, you need to configure yarp in a specific way. Lastly, the websocket connection can live longer than the validity of the access token so you'd need to compensate for that as well.

Similar to: DuendeSoftware/Support#972

[greg-signi]

Just fyi I think this might have more applications beyond WebSockets, it was a general improvement to the way BffMiddleware verifies the Anti Forgery header or not.
Also I wouldn't mind making the Pull Request if you guys agree but are overall are too busy.