Fix disabling anti-forgery check on route groups (#51244)

github-actions[bot] · web-flow · commit cbfc558b6dd2 · 2023-10-13T16:45:40.000-07:00
diff --git a/src/Http/Routing/src/Builder/RoutingEndpointConventionBuilderExtensions.cs b/src/Http/Routing/src/Builder/RoutingEndpointConventionBuilderExtensions.cs
@@ -159,7 +159,7 @@ public static TBuilder DisableAntiforgery<TBuilder>(this TBuilder builder) where
     {
         ArgumentNullException.ThrowIfNull(builder);
 
-        builder.WithMetadata(AntiforgeryMetadata.ValidationNotRequired);
+        builder.Finally(builder => builder.Metadata.Add(AntiforgeryMetadata.ValidationNotRequired));
         return builder;
     }
 
diff --git a/src/Http/Routing/test/FunctionalTests/MinimalFormTests.cs b/src/Http/Routing/test/FunctionalTests/MinimalFormTests.cs
@@ -292,6 +292,53 @@ public async Task MapPost_WithForm_WithoutAntiforgery_WithoutMiddleware_Works()
         Assert.Equal(DateTime.Today.AddDays(1), result.DueDate);
     }
 
+    [Fact]
+    public async Task MapPost_WithForm_WithoutAntiforgery_AndRouteGroup_WithoutMiddleware_Works()
+    {
+        using var host = new HostBuilder()
+            .ConfigureWebHost(webHostBuilder =>
+            {
+                webHostBuilder
+                    .Configure(app =>
+                    {
+                        app.UseRouting();
+                        app.UseEndpoints(b =>
+                        {
+                            var group = b.MapGroup("/todo").DisableAntiforgery();
+                            group.MapPost("", ([FromForm] Todo todo) => todo);
+                        });
+                    })
+                    .UseTestServer();
+            })
+            .ConfigureServices(services =>
+            {
+                services.AddRouting();
+                services.AddAntiforgery();
+            })
+            .Build();
+
+        using var server = host.GetTestServer();
+        await host.StartAsync();
+        var client = server.CreateClient();
+
+        var request = new HttpRequestMessage(HttpMethod.Post, "todo");
+        var nameValueCollection = new List<KeyValuePair<string, string>>
+        {
+            new KeyValuePair<string,string>("name", "Test task"),
+            new KeyValuePair<string,string>("isComplete", "false"),
+            new KeyValuePair<string,string>("dueDate", DateTime.Today.AddDays(1).ToString(CultureInfo.InvariantCulture)),
+        };
+        request.Content = new FormUrlEncodedContent(nameValueCollection);
+
+        var response = await client.SendAsync(request);
+        response.EnsureSuccessStatusCode();
+        var body = await response.Content.ReadAsStringAsync();
+        var result = JsonSerializer.Deserialize<Todo>(body, SerializerOptions);
+        Assert.Equal("Test task", result.Name);
+        Assert.False(result.IsCompleted);
+        Assert.Equal(DateTime.Today.AddDays(1), result.DueDate);
+    }
+
     public static IEnumerable<object[]> RequestDelegateData
     {
         get

Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,7 @@ public static TBuilder DisableAntiforgery<TBuilder>(this TBuilder builder) where`
`159`	`159`	`{`
`160`	`160`	`ArgumentNullException.ThrowIfNull(builder);`
`161`	`161`
`162`		`- builder.WithMetadata(AntiforgeryMetadata.ValidationNotRequired);`
	`162`	`+ builder.Finally(builder => builder.Metadata.Add(AntiforgeryMetadata.ValidationNotRequired));`
`163`	`163`	`return builder;`
`164`	`164`	`}`
`165`	`165`