
Blazor's component cannot be used to submit login forms on SSR pages. [.NET 9.0 | InteractiveAuto solution]


I am using .NET 9.0, my statically rendered login page hits a "A valid antiforgery token was not provided with the request. Add an antiforgery token, or disable antiforgery validation for this endpoint" error when it's submitted.

I'm using Entity Framework/Identity in a very standard way. I've made login pages like this countless times before with server-only Blazor apps and there was no issue. However, the app I'm building now uses InteractiveAuto so I can have some islands of interactivity without maintaining websocket connections that bog down my server. What I'm quickly discovering is that even having a .Client project in my solution leads to EditForm behaving in a very boneheaded way.

Copilot and Gemini both suggest switching to a regular which I'm very reluctant to do since I'm quite fond of DataAnnotationsValidator. Here is what my Login.razor page looks like:

    @using System.ComponentModel.DataAnnotations
    @using Microsoft.AspNetCore.Identity
    @inject NavigationManager navman
    @inject SignInManager<AlterFormUser> signin_manager
    @inject UserManager<AlterFormUser> user_manager
    @page "/login"

    <PageTitle>Login</PageTitle>
    <h3>Login</h3>
    <RadzenCard Style="width: 373px">
        <EditForm Enhance="false" Model="form" FormName="whatever" OnValidSubmit="AttemptLogin">
            <DataAnnotationsValidator />
            <label>Username</label>
            <InputText @bind-Value="form.user_name" class="textbox-standard"></InputText>
            <br />
            <label>Password</label>
            <InputText @bind-Value="form.password" type="password" class="textbox-standard" style="margin-inline: 9px"></InputText>
            <br />
            <br />
            <label>Remember Me</label>
            <div style="display: flex; flex-direction: row; justify-content: space-between; width">
                <InputCheckbox @bind-Value="form.remember_me"></InputCheckbox>
                <RadzenButton ButtonType="ButtonType.Submit" Text="Login" Style="vertical-align: top; justify-self: flex-end"></RadzenButton>
            </div>
            <ValidationSummary />
        </EditForm>
    </RadzenCard>

    @code {
        [SupplyParameterFromForm]
        LoginForm form { get; set; } = new LoginForm();

        private async Task AttemptLogin()
        {
            var result = await signin_manager.PasswordSignInAsync(form.user_name, form.password,
                        form.remember_me, false);
            if (result.Succeeded)
            {
                navman.NavigateTo("/", forceLoad: true);
            }
            else
            {
                Console.WriteLine("login failure");
            }
        }

        [ExcludeFromInteractiveRouting]
        public class LoginForm
        {
            [Required]
            public string? user_name { get; set; }
            [Required]
            public string? password { get; set; }
            public bool remember_me { get; set; } = false;
        }
    }

From what I understand, this behavior stems from the fact that doesn't send a proper post request if a wasm component exists at all in my project and apparently, there is no way to force it to which seems like a pretty big design flaw.

UPDATE

Original problem is fixed. It turned out to be the order that app.UseAntiforgery(); was called in Program.cs (which is something that should be auto managed like .csproj).

Now I have another issue. After the form submits and the AttemptLogin function is called, I get this logically incoherent error in my browser console.

    info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
          Authorization failed. These requirements were not met:
          DenyAnonymousAuthorizationRequirement: Requires an authenticated user.

This is a terrible error because what it essentially translates to is "you can't login because you're not logged in"

My takeaway from this is to never EVER touch Blazor WASM again. It turns an otherwise decent web stack into an excruciatingly frustrating waking nightmare because of stuff like this, and this is coming from someone who does PostgreSQL migrations for a living.

Tried

  • Adding 'Enhance="false"' to EditForm open tag
  • Adding '[ExcludeFromInteractiveRouting]' to model class declaration
  • With and without AntiforgeryToken manually declared inside my EditForm

Expected

EditForm to be able to submit a login form on a statically rendered page correctly.
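
The middleware ordering that the update refers to, shown as an added example that is not part of the original question: ASP.NET Core documents that `UseAntiforgery` must come after `UseAuthentication` and `UseAuthorization` (and after `UseRouting`, when that is called explicitly) and before the endpoints are mapped. The `App` and `Client._Imports` types and the template-style registrations are assumptions about the project; the question does not show its Program.cs.

```csharp
// Program.cs of the server project (added example, not the asker's file).
// Assumed names: App (root component), Client._Imports (the .Client assembly marker).
using Microsoft.AspNetCore.Identity;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRazorComponents()
    .AddInteractiveServerComponents()
    .AddInteractiveWebAssemblyComponents();
builder.Services.AddCascadingAuthenticationState();

// Cookie schemes used by SignInManager.PasswordSignInAsync.
builder.Services.AddAuthentication(IdentityConstants.ApplicationScheme)
    .AddIdentityCookies();
builder.Services.AddAuthorization();
// The project's existing Identity/EF Core store registration stays here unchanged.

var app = builder.Build();

app.UseHttpsRedirection();

// Order matters: authentication, then authorization, then antiforgery.
// Placing UseAntiforgery() ahead of these two calls is the kind of
// misordering the update describes; the exact original order is not shown.
app.UseAuthentication();
app.UseAuthorization();
app.UseAntiforgery();   // validates the token EditForm posts from a static SSR page

// Endpoints are mapped only after the middleware above is in place.
app.MapStaticAssets();
app.MapRazorComponents<App>()
    .AddInteractiveServerRenderMode()
    .AddInteractiveWebAssemblyRenderMode()
    .AddAdditionalAssemblies(typeof(Client._Imports).Assembly);

app.Run();
```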

