Antiforgery validation failure returns 400 Bad Request for Controllers and 500 Internal Server Error for minimal APIs #58441

@AnthonyMastrean

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

There's a difference in antiforgery prevention response between classic MVC and API controllers and minimal APIs.

  • Controller: 400 Bad Request
  • Minimal API: 500 Internal Server Error

Expected Behavior

I expect the antiforgery validation failure response to be consistent between backend implementations so that I can write a frontend that is ignorant of the technology used in the backend.

Steps To Reproduce

Controller

[ApiController]
[Route("example-1")]
public class AntiforgeryExampleController : ControllerBase
{
    [HttpPost]
    [RequireAntiforgeryToken]
    public IActionResult Post(IFormFile file)
    {
        return Ok();
    }
}

{
  "type": "https://tools.ietf.org/html/rfc9110#section-15.5.1",
  "title": "Bad Request",
  "status": 400
}

Minimal API

app.MapPost("example-2", (IFormFile file) => Results.Ok());

{
  "type": "https://tools.ietf.org/html/rfc9110#section-15.6.1",
  "title": "An error occurred while processing your request.",
  "status": 500
}

Exceptions (if any)

No response

.NET Version

8.0.403

Anything else?

No response


Labels: area-minimal (Includes minimal APIs, endpoint filters, parameter binding, request delegate generator etc.)
