add anti forgery middleware and comment out previous secure cookie po…

…licy changes for debugging
nhsconnect · Jan 22, 2025 · 724ebf6 · 724ebf6
1 parent b50a79b
commit 724ebf6
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 6 deletions.
diff --git a/...ect-appointment-checker/Core/Configuration/Infrastructure/ApplicationBuilderExtensions.cs b/...ect-appointment-checker/Core/Configuration/Infrastructure/ApplicationBuilderExtensions.cs
@@ -1,5 +1,7 @@
 using System;
+using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Builder;
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Http;
@@ -36,11 +38,25 @@ public static void ConfigureApplicationBuilderServices(this IApplicationBuilder
                     context.Context.Response.Headers[HeaderNames.CacheControl] = $"public, max-age={TimeSpan.FromSeconds(60 * 60 * 24)}";
                 }
             });
-            app.UseSession();
+
             app.UseCookiePolicy();            
             app.UseRouting();
+            app.UseSession();
             app.UseResponseCaching();
 
+            app.Use(async (context, next) =>
+            {
+                var antiForgery = context.RequestServices.GetRequiredService<IAntiforgery>();
+                antiForgery.SetCookieTokenAndHeader(context);
+                await next(context);
+            });
+
+            app.Use(async (context, next) =>
+            {
+                context.Session.SetString("SessionKey", "Session");
+                await next();
+            });
+
             app.Use(async (context, next) =>
             {
                 context.Response.GetTypedHeaders().CacheControl = new CacheControlHeaderValue()

diff --git a/...nect-appointment-checker/Core/Configuration/Infrastructure/ServiceCollectionExtensions.cs b/...nect-appointment-checker/Core/Configuration/Infrastructure/ServiceCollectionExtensions.cs
@@ -26,15 +26,16 @@ public static IServiceCollection ConfigureApplicationServices(this IServiceColle
             s.Cookie.MaxAge = TimeSpan.FromMinutes(15);
             s.Cookie.HttpOnly = true;
             s.Cookie.IsEssential = true;
-            s.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+            // s.Cookie.SecurePolicy = CookieSecurePolicy.Always;
         });
 
         services.Configure<CookiePolicyOptions>(options =>
         {
             options.ConsentCookie.Name = ".GpConnectAppointmentChecker.ConsentCookie";
             options.CheckConsentNeeded = context => true;
-            options.ConsentCookie.SecurePolicy = CookieSecurePolicy.Always;
-            options.MinimumSameSitePolicy = SameSiteMode.Strict;
+            // options.ConsentCookie.SecurePolicy = CookieSecurePolicy.Always;
+            // options.MinimumSameSitePolicy = SameSiteMode.Strict;
+            options.MinimumSameSitePolicy = SameSiteMode.None;
         });
 
         services.Configure<FormOptions>(x => x.ValueCountLimit = 100000);
@@ -113,8 +114,10 @@ public static IServiceCollection ConfigureApplicationServices(this IServiceColle
         { 
             options.SuppressXFrameOptionsHeader = true;
             options.Cookie.HttpOnly = true;
-            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
-            options.Cookie.SameSite = SameSiteMode.Strict;
+            // options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+            // options.Cookie.SameSite = SameSiteMode.Strict;
+            options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
+            options.Cookie.SameSite = SameSiteMode.Lax;
         });
 
         services