@@ -1,4 +1,4 @@
// Licensed to the .NET Foundation under one or more agreements.
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the Apache 2.0 License
// See the LICENSE file in the project root for more information.
// Maintainer: Argo Zhang(argo@live.ca) Website: https://www.blazor.zone
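Review bot: Line 1 of this file is listed as changed, yet the old and new license lines read identically as rendered, so the difference is presumably invisible (a byte-order mark or other encoding change). If that is unintentional, drop it from the PR so the diff for this file carries only the logging change; if it is intentional, say so in the description.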
Expand All @@ -18,8 +18,12 @@ public static IServiceCollection AddBootstrapBlazorServerService(this IServiceCo
// 增加中文编码支持网页源码显示汉字
services.AddSingleton(HtmlEncoder.Create(UnicodeRanges.All));

// 增加错误日志
services.AddLogging(logging => logging.AddFileLogger());
// 增加错误日志,并过滤已知的防伪 Token 解密噪音日志
services.AddLogging(logging =>
{
logging.AddFileLogger();
logging.AddFilter("Microsoft.AspNetCore.Antiforgery", LogLevel.None);
Comment on lines +22 to +25
Contributor

issue (bug_risk): Consider narrowing the antiforgery logging filter instead of disabling the category entirely.

Setting Microsoft.AspNetCore.Antiforgery to LogLevel.None suppresses all current and future antiforgery warnings/errors, which may hinder diagnosing production issues. Prefer raising the level (e.g., to Warning/Error) or filtering only the specific noisy event IDs/messages so critical antiforgery failures remain visible in logs.

Copilot AI Apr 2, 2026

AddFilter("Microsoft.AspNetCore.Antiforgery", LogLevel.None) suppresses all antiforgery logs. That can hide potentially important warnings (e.g., repeated invalid token submissions) in addition to the known decryption noise. Consider filtering to a higher minimum level (e.g., LogLevel.Error) or filtering only the specific event/message you want to suppress, so security-relevant antiforgery signals are still available.

Suggested change
logging.AddFilter("Microsoft.AspNetCore.Antiforgery", LogLevel.None);
logging.AddFilter("Microsoft.AspNetCore.Antiforgery", LogLevel.Error);

});

// 增加多语言支持配置信息
services.AddRequestLocalization<IOptions<BootstrapBlazorOptions>>((localizerOption, blazorOption) =>
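Review bot: The filter at `logging.AddFilter("Microsoft.AspNetCore.Antiforgery", LogLevel.None);` is registered inside the library's `AddBootstrapBlazorServerService` extension and is not scoped to a provider, so it silences the antiforgery category for every logger the host application configures, not only the file logger added on the line above. A consuming application that relies on these entries to spot rejected or forged tokens loses them without having opted in. Scope the rule to the file logger with the provider-typed `AddFilter<TProvider>(category, level)` overload, or expose it as an option the host enables. Note also that the decryption messages being hidden are the usual symptom of a key ring that changed between requests, and the second file in this PR removes the persisted key ring, so the underlying failures are likely to increase while becoming invisible.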
Expand Up @@ -4,7 +4,6 @@
// Maintainer: Argo Zhang(argo@live.ca) Website: https://www.blazor.zone

using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.AspNetCore.DataProtection;

namespace Microsoft.Extensions.DependencyInjection;

Expand Down Expand Up @@ -99,9 +98,7 @@ public static IServiceCollection AddBootstrapBlazorServices(this IServiceCollect
services.AddBootstrapBlazorRegionService();

// 增加密钥存储配置
Copilot AI Apr 2, 2026

The comment says "增加密钥存储配置" (add key storage configuration), but the code now only calls AddDataProtection() without configuring key persistence/application name. Either update the comment to reflect the new behavior or keep an explicit key storage configuration so the comment and behavior stay aligned.

Suggested change
// 增加密钥存储配置
// 增加数据保护服务

services.AddDataProtection()
.SetApplicationName("BootstrapBlazor")
.PersistKeysToFileSystem(new DirectoryInfo(Path.Combine(AppContext.BaseDirectory, "keys")));
services.AddDataProtection();
Contributor

issue (bug_risk): Reconsider removing explicit DataProtection app name and key persistence configuration.

Removing .SetApplicationName("BootstrapBlazor") and .PersistKeysToFileSystem(...) means DataProtection will use host defaults for app isolation and key storage. This can result in ephemeral keys (invalidating auth/antiforgery cookies on restart) or unintended key sharing between apps, especially in scaled or long‑running deployments. If this configuration isn’t being set elsewhere, it’s safer to keep an explicit application name and persistent key store.

Comment on lines 99 to +101
Copilot AI Apr 2, 2026

services.AddDataProtection() used to set SetApplicationName("BootstrapBlazor") and persist the key ring to a known path. This PR removes that configuration entirely, which can change where keys are stored and how antiforgery/data-protection payloads are decrypted across restarts/instances. If the intent is only to reduce Antiforgery log noise (per PR title/issue), consider reverting this change or explicitly documenting/configuring the new key storage strategy (e.g., still set an application name and persist keys to a stable, writable location).


// 增加 PetaPoco ORM 数据服务操作类
// 需要时打开下面代码
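Review bot: Dropping `.SetApplicationName("BootstrapBlazor")` is a breaking change for existing deployments, separate from the key storage question already raised: the application name is part of how Data Protection isolates payloads, so cookies and antiforgery tokens issued before the upgrade will fail to unprotect afterwards even where the old `keys` directory is still present. If the intent is to let the host own Data Protection configuration, state that in the PR description and release notes, and tell consumers running more than one instance that they must now set an application name and a shared, persistent key store themselves. Replacing `.PersistKeysToFileSystem(...)` under `AppContext.BaseDirectory` is reasonable on its own, since that path kept key material inside the application directory, but the replacement should be an explicit, documented location rather than whatever the host defaults to.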