Merge pull request #114 from twilio-labs/validate-async-form

Make Request Validation async to load the form async

src/Twilio.AspNet.Core.UnitTests/ContextMocks.cs

@@ -1,5 +1,7 @@
 using System;
 using System.Net;
+using System.Threading;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 
 namespace Twilio.AspNet.Core.UnitTests;
@@ -42,7 +44,9 @@ public ContextMocks(string urlOverride, bool isLocal, FormCollection form = null
         if (form != null)
         {
             Request.Setup(x => x.Method).Returns("POST");
-            Request.Setup(x => x.Form).Returns(form);
+            Request.Setup(x => x.Form).Returns(form); 
+            Request.Setup(x => x.ReadFormAsync(new CancellationToken()))
+                .Returns(() => Task.FromResult((IFormCollection)form));
             Request.Setup(x => x.HasFormContentType).Returns(true);
         }
     }

src/Twilio.AspNet.Core/RequestValidationHelper.cs

@@ -1,5 +1,7 @@
-using System.Linq;
+using System.Collections.Generic;
+using System.Linq;
 using System.Net;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Options;
@@ -18,23 +20,63 @@ public static class RequestValidationHelper
         /// the ASP.NET MVC ValidateRequestAttribute
         /// </summary>
         /// <param name="context">HttpContext to use for validation</param>
-        internal static bool IsValidRequest(HttpContext context)
+        internal static async Task<bool> IsValidRequestAsync(HttpContext context)
         {
             var options = context.RequestServices
                 .GetRequiredService<IOptionsSnapshot<TwilioRequestValidationOptions>>().Value;
-            
+
             var authToken = options.AuthToken;
             var baseUrlOverride = options.BaseUrlOverride;
             var allowLocal = options.AllowLocal;
-        
+
             var request = context.Request;
-        
+
             string urlOverride = null;
             if (!string.IsNullOrEmpty(baseUrlOverride))
             {
                 urlOverride = $"{baseUrlOverride}{request.Path}{request.QueryString}";
             }
 
+            return await IsValidRequestAsync(context, authToken, urlOverride, allowLocal).ConfigureAwait(false);
+        }
+
+        /// <summary>
+        /// Performs request validation using the current HTTP context passed in manually or from
+        /// the ASP.NET MVC ValidateRequestAttribute
+        /// </summary>
+        /// <param name="context">HttpContext to use for validation</param>
+        /// <param name="authToken">AuthToken for the account used to sign the request</param>
+        /// <param name="allowLocal">
+        /// Skip validation for local requests. 
+        /// ⚠️ Only use this during development, as this will make your application vulnerable to Server-Side Request Forgery.
+        /// </param>
+        public static Task<bool> IsValidRequestAsync(HttpContext context, string authToken, bool allowLocal = false)
+            => IsValidRequestAsync(context, authToken, null, allowLocal);
+
+        /// <summary>
+        /// Performs request validation using the current HTTP context passed in manually or from
+        /// the ASP.NET MVC ValidateRequestAttribute
+        /// </summary>
+        /// <param name="context">HttpContext to use for validation</param>
+        /// <param name="authToken">AuthToken for the account used to sign the request</param>
+        /// <param name="urlOverride">The URL to use for validation, if different from Request.Url (sometimes needed if web site is behind a proxy or load-balancer)</param>
+        /// <param name="allowLocal">
+        /// Skip validation for local requests. 
+        /// ⚠️ Only use this during development, as this will make your application vulnerable to Server-Side Request Forgery.
+        /// </param>
+        public static async Task<bool> IsValidRequestAsync(
+            HttpContext context, 
+            string authToken, 
+            string urlOverride, 
+            bool allowLocal = false
+        )
+        {
+            if (context.Request.HasFormContentType)
+            {
+                // this will load the form async, but then cache is in context.Request.Form which is used later
+                await context.Request.ReadFormAsync(context.RequestAborted).ConfigureAwait(false);
+            }
+
             return IsValidRequest(context, authToken, urlOverride, allowLocal);
         }
 
@@ -83,9 +125,11 @@ public static bool IsValidRequest(
                 ? $"{request.Scheme}://{(request.IsHttps ? request.Host.Host : request.Host.ToUriComponent())}{request.Path}{request.QueryString}"
                 : urlOverride;
 
-            var parameters = request.HasFormContentType
-                ? request.Form.Keys.ToDictionary(k => k, k => request.Form[k].ToString())
-                : null;
+            Dictionary<string, string> parameters = null;
+            if (request.HasFormContentType)
+            {
+                parameters = request.Form.ToDictionary(kv => kv.Key, kv => kv.Value.ToString());
+            }
 
             var validator = new RequestValidator(authToken);
             return validator.Validate(

src/Twilio.AspNet.Core/Twilio.AspNet.Core.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
     <TargetFrameworks>netstandard2.0;net5.0;net6.0;net7.0</TargetFrameworks>
     <OutputType>Library</OutputType>
@@ -30,7 +30,7 @@
     <ContinuousIntegrationBuild>true</ContinuousIntegrationBuild>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Twilio" Version="6.*" />
+    <PackageReference Include="Twilio" Version="6.2.0" />
     <PackageReference Include="Twilio.AspNet.Common" Version="0.0.0-alpha" />
     <PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.1.1">
       <PrivateAssets>all</PrivateAssets>

src/Twilio.AspNet.Core/ValidateRequestAttribute.cs

@@ -1,4 +1,6 @@
-using System.Net;
+using System;
+using System.Net;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.Filters;
 
@@ -7,17 +9,22 @@ namespace Twilio.AspNet.Core
     /// <summary>
     /// Represents an attribute that is used to prevent forgery of a request.
     /// </summary>
-    public class ValidateRequestAttribute : ActionFilterAttribute
+    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
+    public class ValidateRequestAttribute : Attribute, IAsyncActionFilter
     {
-        public override void OnActionExecuting(ActionExecutingContext filterContext)
+        public async Task OnActionExecutionAsync(
+            ActionExecutingContext filterContext,
+            ActionExecutionDelegate next
+        )
         {
             var context = filterContext.HttpContext;
-            if (!RequestValidationHelper.IsValidRequest(context))
+            if (await RequestValidationHelper.IsValidRequestAsync(context).ConfigureAwait(false))
             {
-                filterContext.Result = new StatusCodeResult((int)HttpStatusCode.Forbidden);
+                await next();
+                return;
             }
 
-            base.OnActionExecuting(filterContext);
+            filterContext.Result = new StatusCodeResult((int)HttpStatusCode.Forbidden);
         }
     }
 }

src/Twilio.AspNet.Core/ValidateTwilioRequestFilter.cs

@@ -16,12 +16,12 @@ public async ValueTask<object> InvokeAsync(
         EndpointFilterDelegate next
     )
     {
-        if (RequestValidationHelper.IsValidRequest(efiContext.HttpContext))
+        if (await RequestValidationHelper.IsValidRequestAsync(efiContext.HttpContext).ConfigureAwait(false))
         {
             return await next(efiContext);
         }
 
-        return Results.StatusCode((int) HttpStatusCode.Forbidden);
+        return Results.StatusCode((int)HttpStatusCode.Forbidden);
     }
 }
 
@@ -34,7 +34,7 @@ public static class TwilioFilterExtensions
     /// <returns></returns>
     public static RouteHandlerBuilder ValidateTwilioRequest(this RouteHandlerBuilder builder)
         => builder.AddEndpointFilter<ValidateTwilioRequestFilter>();
-    
+
     /// <summary>
     /// Validates that incoming HTTP request originates from Twilio.
     /// </summary>

src/Twilio.AspNet.Core/ValidateTwilioRequestMiddleware.cs

@@ -19,13 +19,13 @@ public ValidateTwilioRequestMiddleware(RequestDelegate next)
 
         public async Task InvokeAsync(HttpContext context)
         {
-            if (!RequestValidationHelper.IsValidRequest(context))
+            if (await RequestValidationHelper.IsValidRequestAsync(context).ConfigureAwait(false))
             {
-                context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                await next(context);
                 return;
             }
-
-            await next(context);
+            
+            context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
         }
     }
 

src/Twilio.AspNet.Mvc/Twilio.AspNet.Mvc.csproj

@@ -50,7 +50,7 @@
     <None Include="..\..\README.md" Pack="true" PackagePath="\" />
   </ItemGroup>
   <ItemGroup>
-    <PackageReference Include="Twilio" Version="6.*" />
+    <PackageReference Include="Twilio" Version="6.2.0" />
     <PackageReference Include="Twilio.AspNet.Common" Version="0.0.0-alpha" />
     <PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.1.1">
       <PrivateAssets>all</PrivateAssets>

src/Twilio.AspNet.Mvc/ValidateRequestAttribute.cs

@@ -8,6 +8,7 @@ namespace Twilio.AspNet.Mvc
     /// <summary>
     /// Represents an attribute that is used to prevent forgery of a request.
     /// </summary>
+    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method | AttributeTargets.Module)]
     public class ValidateRequestAttribute : ActionFilterAttribute
     {
         protected internal string AuthToken { get; set; }