Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Identity Components to Blazor template #50722

Merged
merged 18 commits into from
Sep 22, 2023
Merged

Conversation

halter73
Copy link
Member

@halter73 halter73 commented Sep 15, 2023

Add Identity Components to Blazor template

Description

This adds the option to add Identity Razor Components (*.razor files) when using the Blazor project template. This supports the same feature set as the Identity Razor Pages (*.cshtml files). We've already done an accessibility pass over these newly added components and this PR includes all the fixes for Accessibility too. As with the Identity Razor Pages, this supports local authentication (with the option to configure external login providers) and Identity management using EF Core.

Fixes #48786

Customer Impact

These Identity Razor Components have been a common request for years as noted above, because it allows Blazor developers to use Identity without needing to add Razor Pages infrastructure which would otherwise be unnecessary and doesn't integrate well with the rest of the app. For example, the Identity Razor Pages to a Blazor app would use a different layout that doesn't match the look and feel of the Razor Components that make up the rest of the app.

Regression?

  • Yes
  • No

Risk

  • High
  • Medium
  • Low

These are template only changes that only affect the brand new Blazor project template. It should have no impact on the project template output unless you opt-in to the individual auth option (other than a small fix to make the --empty option produce compileable output with all InteractivityPlatform options.)

Verification

  • Manual (required)
  • Automated

We're also adding new validation scenarios for vendors to validate periodically.

Packaging changes reviewed?

  • Yes
  • No
  • N/A

  • Finish user management components for 2fa, external login, personal data, etc...
  • Add signout link
  • Verify RegisterOnPersisting gets invoked as expected with the changes from Persist Prerendered State #50625
  • Render ShowRecoveryCodes.razor inline rather than via a redirect.
  • Add baseline tests
  • Fix BOMs
  • Validate the template in VS

@MackinnonBuck @SteveSandersonMS @javiercn @surayya-MS

@ghost ghost added the area-mvc Includes: MVC, Actions and Controllers, Localization, CORS, most templates label Sep 15, 2023
Comment on lines 22 to 32
<EditForm Model="Input" FormName="forgot-password" OnValidSubmit="OnValidSubmitAsync" method="post">
<DataAnnotationsValidator />
<ValidationSummary class="text-danger" role="alert" />

<div class="form-floating mb-3">
<InputText id="email" @bind-Value="Input.Email" class="form-control" autocomplete="username" aria-required="true" placeholder="name@example.com" />
<label for="email" class="form-label">Email</label>
<ValidationMessage For="() => Input.Email" class="text-danger" />
</div>
<button type="submit" class="w-100 btn btn-lg btn-primary">Reset password</button>
</EditForm>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@SteveSandersonMS do we want some Enhanced magic here?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Longer term maybe. For now I'd go with whatever's been tested.

@MackinnonBuck
Copy link
Member

Note to reviewers: There are a lot of changes sitting in halter73/BlazorWebIdentity#2 that will eventually get merged into this PR.

Copy link
Member

@surayya-MS surayya-MS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I only found 2 accessibility problems

@halter73 halter73 changed the base branch from release/8.0 to release/8.0-rc2 September 20, 2023 21:45
@halter73 halter73 marked this pull request as ready for review September 20, 2023 21:46
@halter73 halter73 requested a review from a team as a code owner September 20, 2023 21:46
@halter73 halter73 added the Servicing-consider Shiproom approval is required for the issue label Sep 20, 2023
{
<h4>Add another service to log in.</h4>
<hr />
<form id="link-login-form" class="form-horizontal" action="/Account/Manage/LinkExternalLogin" method="post">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<form id="link-login-form" class="form-horizontal" action="/Account/Manage/LinkExternalLogin" method="post">
<form id="link-login-form" class="form-horizontal" action="Account/Manage/LinkExternalLogin" method="post">

@foreach (var provider in _otherLogins)
{
<button
id="link-login-button-@provider.Name"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Must you have the id?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here and everywhere else

<button class="btn btn-primary" type="submit">Download</button>
</form>
<p>
<a id="delete" href="/Account/Manage/DeletePersonalData" class="btn btn-danger">Delete</a>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<a id="delete" href="/Account/Manage/DeletePersonalData" class="btn btn-danger">Delete</a>
<a id="delete" href="Account/Manage/DeletePersonalData" class="btn btn-danger">Delete</a>

<p>
<strong>Deleting this data will permanently remove your account, and this cannot be recovered.</strong>
</p>
<form id="download-data" action="/Account/Manage/DownloadPersonalData" method="post">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
<form id="download-data" action="/Account/Manage/DownloadPersonalData" method="post">
<form id="download-data" action="Account/Manage/DownloadPersonalData" method="post">

@code {
protected override async Task OnInitializedAsync()
{
_ = await UserAccessor.GetRequiredUserAsync();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why discard this task?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's discarding the result, but still awaiting the task.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh yeah. Strange but yes I see.

/// <summary>
/// This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
/// directly from your code. This API may change or be removed in future releases.
/// </summary>
Copy link
Member

@SteveSandersonMS SteveSandersonMS Sep 22, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't get how people are supposed to interpret this remark. How can they not use it "directly from their code"? This is literally in their code already.

Can it be phrased in a more realistic way? For example, "Do not rename or remove this parameter because it is relied on by [some external thing]"?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we could probably make all these private anyway and not have to worry about customers seeing this in intellisense?

var code = await UserManager.GenerateEmailConfirmationTokenAsync(user);
code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code));
var callbackUrl = NavigationManager.GetUriWithQueryParameters(
NavigationManager.ToAbsoluteUri("/Account/ConfirmEmail").AbsoluteUri,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
NavigationManager.ToAbsoluteUri("/Account/ConfirmEmail").AbsoluteUri,
NavigationManager.ToAbsoluteUri("Account/ConfirmEmail").AbsoluteUri,

or at least I would expect so

var user = await UserManager.FindByEmailAsync(Email);
if (user == null)
{
// Need a way to trigger a 404 from Blazor: https://github.com/dotnet/aspnetcore/issues/45654
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Need a way to trigger a 404 from Blazor: https://github.com/dotnet/aspnetcore/issues/45654

If you can set the status code on HttpContext then that would be good to do. But even if not, we shouldn't have a comment like this in the template.


<h1>Reset password confirmation</h1>
<p>
Your password has been reset. Please <a href="/Account/Login">click here to log in</a>.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Your password has been reset. Please <a href="/Account/Login">click here to log in</a>.
Your password has been reset. Please <a href="Account/Login">click here to log in</a>.

// [3] NavigateTo() does not throw an exception, meaning we're not rendering from an endpoint, so we throw
// an InvalidOperationException to indicate that we can't redirect.
navigationManager.NavigateTo(uri);
throw new InvalidOperationException($"Can only redirect when rendering from an endpoint.");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do you need to do this? If you're trying to account for interactive rendering too, would it meet your needs to change line 33 to use NavigateTo(uri, force: true)?

};

[DoesNotReturn]
public void RedirectTo(string uri)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a lot of code that passes in root-relative URLs (e.g., /Account/Blah). Can you confirm those will be handled correctly even if there's a nonempty pathbase? I'm not certain that's accounted for in the logic here, but may be wrong!


var redirectUrl = UriHelper.BuildRelative(
context.Request.PathBase,
$"/Account/ExternalLogin",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
$"/Account/ExternalLogin",
"/Account/ExternalLogin",


namespace BlazorWeb_CSharp.Identity;

public class IdentityRevalidatingAuthenticationStateProvider : RevalidatingServerAuthenticationStateProvider
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be good to add a comment block above this class to indicate the basic ideas about what it does.


namespace BlazorWeb_CSharp.Identity;

public class PersistingRevalidatingAuthenticationStateProvider : RevalidatingServerAuthenticationStateProvider
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be good to add a comment block above this class to indicate the basic ideas about what it does.

@SteveSandersonMS
Copy link
Member

Wow, security is hard! Can we just document that users have to not be evil?

Copy link
Member

@SteveSandersonMS SteveSandersonMS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are a lot of review comments, some of which do need to be addressed for correctness (e.g., all the root-relative URLs). In a lot of cases I stopped posting repeated comments of the same point, so if you see a general pattern of comments, please assume it applies to the entire PR and not only the specific lines I posted about.

I'm approving now on the basis that you'll make good choices about which of the feedback to address, and I won't be around later today to check.

However, could you try to get a ack from @javiercn before merging too? I know he's spent some time looking at this and may have been thinking more deeply about the actual security content. My focus has been on how understandable/idiomatic the content is.

@mkArtakMSFT
Copy link
Member

Merging this as is. We've identified a limitation here that we will be researching some more and will document it as a known issue in RC2 and will then address in the GA milestone.

@mkArtakMSFT mkArtakMSFT merged commit 2fce01d into release/8.0-rc2 Sep 22, 2023
26 checks passed
@mkArtakMSFT mkArtakMSFT deleted the halter73/48786 branch September 22, 2023 18:50
@ghost ghost added this to the 8.0-rc2 milestone Sep 22, 2023
@iphdav
Copy link

iphdav commented Sep 25, 2023

@SteveSandersonMS @MackinnonBuck
Just read your review, and because these components will be dropped into projects as source, just wanted to note Microsoft's guidance for components and the required keyword is:

  • Don't use the required modifier ... on component parameter properties. Components are usually instantiated and assigned parameter values using reflection...

I agree it looks better than having = default! everywhere. Not sure if the guidance should change, but thought it worth noting.

@ghost
Copy link

ghost commented Sep 25, 2023

Hi @iphdav. It looks like you just commented on a closed PR. The team will most probably miss it. If you'd like to bring something important up to their attention, consider filing a new issue and add enough details to build context.

javiercn added a commit that referenced this pull request Sep 28, 2023
* [release/8.0-rc2] [Blazor] Make auto components prefer the existing render mode (#50851)

# Make auto components prefer the existing render mode

Ensures that if interactive components exist on the page and they all use a single render mode, components with the "Auto" render mode will also use that render mode.

## Description

It's a common requirement for state to be shared between interactive root components. For example, the `<HeadOutlet>` component, which allows updating content in the HTML `<head>`, renders content specified by a `<HeadContent>` component, if it exists. However, this only works if the `<HeadOutlet>` and `<HeadContent>` components use the same interactive render mode.

The Auto render mode lets Blazor select a "best" render mode (either Server or WebAssembly) at runtime, primarily depending on whether Blazor WebAssembly resources are cached in the browser. However, previously it did this without taking into consideration the render mode used by existing components on the page.

For example, suppose a `<HeadOutlet>` with an Auto render mode gets added to the page before WebAssembly resources have been loaded and cached, so it uses Blazor Server. Later, a `<HeadContent>` component, also with an Auto render mode, gets added to the page. But at this point, WebAssembly resources have loaded completely, so the `<HeadContent>` component uses Blazor WebAssembly. In this example, the content in the `<head>` does not update, because the `<HeadOutlet>` and `<HeadContent>` use different render modes.

This PR updates the auto render mode decision making logic to the following:
* If WebAssembly components exist on the page, use WebAssembly
* Otherwise, if Server components exist on the page, use Server
* Otherwise, if WebAssembly resources are cached, use WebAssembly
* Otherwise, use Server

Fixes #50686

## Customer Impact

Medium/high. We've seen multiple reports of the existing behavior causing problems in customer apps, and there isn't a workaround.

## Regression?

- [ ] Yes
- [X] No

This behavior has existed since the Auto render mode was introduced in an earlier .NET 8 preview release.

## Risk

- [ ] High
- [ ] Medium
- [X] Low

This PR is a small change to the Auto mode logic. It's unlikely that customers were already relying on the existing behavior.

## Verification

- [X] Manual (required)
- [X] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [X] N/A

* Add Identity Components to Blazor template (#50722)

# Add Identity Components to Blazor template

## Description

This adds the option to add Identity Razor Components (`*.razor` files) when using the Blazor project template. This supports the same feature set as the Identity Razor Pages (`*.cshtml` files). We've already done an accessibility pass over these newly added components and this PR includes all the fixes for Accessibility too. As with the Identity Razor Pages, this supports local authentication (with the option to configure external login providers) and Identity management using EF Core.

Fixes #48786

## Customer Impact

These Identity Razor Components have been a common request for years as noted above, because it allows Blazor developers to use Identity without needing to add Razor Pages infrastructure which would otherwise be unnecessary and doesn't integrate well with the rest of the app. For example, the Identity Razor Pages to a Blazor app would use a different layout that doesn't match the look and feel of the Razor Components that make up the rest of the app.

## Regression?

- [ ] Yes
- [x] No

## Risk

- [ ] High
- [ ] Medium
- [x] Low

These are template only changes that only affect the brand new Blazor project template. It should have no impact on the project template output unless you opt-in to the individual auth option (other than a [small fix](5462e42) to make the `--empty` option produce compileable output with all `InteractivityPlatform` options.)

## Verification

- [x] Manual (required)
- [x] Automated

We're also adding new validation scenarios for vendors to validate periodically.

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [x] N/A

----

- [x] Finish user management components for 2fa, external login, personal data, etc...
- [x] Add signout link
- [x] Verify RegisterOnPersisting gets invoked as expected with the changes from #50625
- [x] Render ShowRecoveryCodes.razor inline rather than via a redirect.
- [x] Add baseline tests
- [x] Fix BOMs
- [x] Validate the template in VS

* Add logging to Http.Sys tests (#50883)

* Skip failing tests (#50917)

* Avoid re-running routing for implicit middlewares and remove implicit anti-forgery (#50864)

## Description

Avoid running routing eagerly in implicit middlewares to prevents the `EndpointFeature` from being set and causing unexpected reactions in other middlewares, like the static file middleware.

We also remove the implicit registration of the anti-forgery middleware to avoid unintended collisions with authentication in Blazor.

Fixes #50818, #50815, #50844

## Customer Impact

Without this change, the anti-forgery middleware in Blazor apps runs too early and is not able to examine authentication state in the application. Requiring the middleware to be registered explicitly ensures that the correct ordering is applied.

Without this change, users will run into difficult to resolve issues with building applications that include forms with Blazor web apps.

## Regression?

- [X] Yes
- [ ] No

This is a regression that was introduced to middleware routing in .NET 8 Preview 7.

## Risk

- [ ] High
- [X] Medium
- [ ] Low

**Medium risk** because:
- We are reverting a change that was originally applied to resolve #49654. This means that the original bug will impact users, specifically those who are calling `UseRouting` explicitly without calling `UseAuthentication` and `UseAuthorization` if they are not available. There is a workaround that we plan to document this behavior for users.
- Apps deployed in .NET 8 RC 1 will break because we no longer automatically enable the anti-forgery middleware. Users will receive an exception at startup notifying them of the code changes to make in order to get things working correctly.

## Verification

- [X] Manual (required)
- [X] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [X] N/A

* [release/8.0] Update dependencies from dotnet/runtime (#50957)

* Update dependencies from https://github.com/dotnet/runtime build 20230926.15

Microsoft.Bcl.AsyncInterfaces , Microsoft.Bcl.TimeProvider , Microsoft.Extensions.Caching.Abstractions , Microsoft.Extensions.Caching.Memory , Microsoft.Extensions.Configuration , Microsoft.Extensions.Configuration.Abstractions , Microsoft.Extensions.Configuration.Binder , Microsoft.Extensions.Configuration.CommandLine , Microsoft.Extensions.Configuration.EnvironmentVariables , Microsoft.Extensions.Configuration.FileExtensions , Microsoft.Extensions.Configuration.Ini , Microsoft.Extensions.Configuration.Json , Microsoft.Extensions.Configuration.UserSecrets , Microsoft.Extensions.Configuration.Xml , Microsoft.Extensions.DependencyInjection , Microsoft.Extensions.DependencyInjection.Abstractions , Microsoft.Extensions.DependencyModel , Microsoft.Extensions.Diagnostics , Microsoft.Extensions.Diagnostics.Abstractions , Microsoft.Extensions.FileProviders.Abstractions , Microsoft.Extensions.FileProviders.Composite , Microsoft.Extensions.FileProviders.Physical , Microsoft.Extensions.FileSystemGlobbing , Microsoft.Extensions.HostFactoryResolver.Sources , Microsoft.Extensions.Hosting , Microsoft.Extensions.Hosting.Abstractions , Microsoft.Extensions.Http , Microsoft.Extensions.Logging , Microsoft.Extensions.Logging.Abstractions , Microsoft.Extensions.Logging.Configuration , Microsoft.Extensions.Logging.Console , Microsoft.Extensions.Logging.Debug , Microsoft.Extensions.Logging.EventLog , Microsoft.Extensions.Logging.EventSource , Microsoft.Extensions.Logging.TraceSource , Microsoft.Extensions.Options , Microsoft.Extensions.Options.ConfigurationExtensions , Microsoft.Extensions.Options.DataAnnotations , Microsoft.Extensions.Primitives , Microsoft.Internal.Runtime.AspNetCore.Transport , Microsoft.NET.Runtime.MonoAOTCompiler.Task , Microsoft.NET.Runtime.WebAssembly.Sdk , Microsoft.NETCore.App.Ref , Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm , Microsoft.NETCore.App.Runtime.win-x64 , Microsoft.NETCore.BrowserDebugHost.Transport , Microsoft.NETCore.Platforms , System.Collections.Immutable , System.Composition , System.Configuration.ConfigurationManager , System.Diagnostics.DiagnosticSource , System.Diagnostics.EventLog , System.Diagnostics.PerformanceCounter , System.DirectoryServices.Protocols , System.IO.Hashing , System.IO.Pipelines , System.Net.Http.Json , System.Net.Http.WinHttpHandler , System.Reflection.Metadata , System.Resources.Extensions , System.Runtime.Caching , System.Security.Cryptography.Pkcs , System.Security.Cryptography.Xml , System.Security.Permissions , System.ServiceProcess.ServiceController , System.Text.Encodings.Web , System.Text.Json , System.Threading.AccessControl , System.Threading.Channels , System.Threading.RateLimiting , Microsoft.SourceBuild.Intermediate.runtime.linux-x64
 From Version 8.0.0-rtm.23475.7 -> To Version 8.0.0-rtm.23476.15

* Update node version

---------

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: jacalvar <jacalvar@microsoft.com>

* [Blazor] Antiforgery fix (#50946)

# Ensure antiforgery token flows to Blazor WebAssembly

The change makes sure that we persist the Antiforgery token during prerendering so that it is available to WebAssembly components.

## Description

* When using cookie authentication it is necessary to use antiforgery protection to prevent cross-site request forgery attacks.
* Blazor Webassembly interactive components must get access to the request antiforgery token to attach it to any outgoing API call.
* The antiforgery request token was not flowing from the server to the client correctly.
* This change enables calling APIs from web assembly to the server safely.
Fixes #50900

## Customer Impact

.NET 8.0 customers who have created Blazor Web Apps will fail to call APIs from webassembly components, as they won't be able to attach the required antiforgery token.

## Regression?

- [ ] Yes
- [X] No

[If yes, specify the version the behavior has regressed from]

## Risk

- [ ] High
- [ ] Medium
- [X] Low

The fix is simple and we added an E2E test to cover the scenario.

## Verification

- [ ] Manual (required)
- [X] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [X] N/A

----

## When servicing release/2.1

- [ ] Make necessary changes in eng/PatchConfig.props

* Update dependencies from https://github.com/dotnet/runtime build 20230927.9 (#50977)

Microsoft.Bcl.AsyncInterfaces , Microsoft.Bcl.TimeProvider , Microsoft.Extensions.Caching.Abstractions , Microsoft.Extensions.Caching.Memory , Microsoft.Extensions.Configuration , Microsoft.Extensions.Configuration.Abstractions , Microsoft.Extensions.Configuration.Binder , Microsoft.Extensions.Configuration.CommandLine , Microsoft.Extensions.Configuration.EnvironmentVariables , Microsoft.Extensions.Configuration.FileExtensions , Microsoft.Extensions.Configuration.Ini , Microsoft.Extensions.Configuration.Json , Microsoft.Extensions.Configuration.UserSecrets , Microsoft.Extensions.Configuration.Xml , Microsoft.Extensions.DependencyInjection , Microsoft.Extensions.DependencyInjection.Abstractions , Microsoft.Extensions.DependencyModel , Microsoft.Extensions.Diagnostics , Microsoft.Extensions.Diagnostics.Abstractions , Microsoft.Extensions.FileProviders.Abstractions , Microsoft.Extensions.FileProviders.Composite , Microsoft.Extensions.FileProviders.Physical , Microsoft.Extensions.FileSystemGlobbing , Microsoft.Extensions.HostFactoryResolver.Sources , Microsoft.Extensions.Hosting , Microsoft.Extensions.Hosting.Abstractions , Microsoft.Extensions.Http , Microsoft.Extensions.Logging , Microsoft.Extensions.Logging.Abstractions , Microsoft.Extensions.Logging.Configuration , Microsoft.Extensions.Logging.Console , Microsoft.Extensions.Logging.Debug , Microsoft.Extensions.Logging.EventLog , Microsoft.Extensions.Logging.EventSource , Microsoft.Extensions.Logging.TraceSource , Microsoft.Extensions.Options , Microsoft.Extensions.Options.ConfigurationExtensions , Microsoft.Extensions.Options.DataAnnotations , Microsoft.Extensions.Primitives , Microsoft.Internal.Runtime.AspNetCore.Transport , Microsoft.NET.Runtime.MonoAOTCompiler.Task , Microsoft.NET.Runtime.WebAssembly.Sdk , Microsoft.NETCore.App.Ref , Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm , Microsoft.NETCore.App.Runtime.win-x64 , Microsoft.NETCore.BrowserDebugHost.Transport , Microsoft.NETCore.Platforms , System.Collections.Immutable , System.Composition , System.Configuration.ConfigurationManager , System.Diagnostics.DiagnosticSource , System.Diagnostics.EventLog , System.Diagnostics.PerformanceCounter , System.DirectoryServices.Protocols , System.IO.Hashing , System.IO.Pipelines , System.Net.Http.Json , System.Net.Http.WinHttpHandler , System.Reflection.Metadata , System.Resources.Extensions , System.Runtime.Caching , System.Security.Cryptography.Pkcs , System.Security.Cryptography.Xml , System.Security.Permissions , System.ServiceProcess.ServiceController , System.Text.Encodings.Web , System.Text.Json , System.Threading.AccessControl , System.Threading.Channels , System.Threading.RateLimiting , Microsoft.SourceBuild.Intermediate.runtime.linux-x64
 From Version 8.0.0-rtm.23476.15 -> To Version 8.0.0-rtm.23477.9

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

---------

Co-authored-by: Mackinnon Buck <mackinnon.buck@gmail.com>
Co-authored-by: Stephen Halter <halter73@gmail.com>
Co-authored-by: Brennan <brecon@microsoft.com>
Co-authored-by: William Godbe <wigodbe@microsoft.com>
Co-authored-by: Safia Abdalla <safia@microsoft.com>
Co-authored-by: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: jacalvar <jacalvar@microsoft.com>
javiercn added a commit that referenced this pull request Sep 28, 2023
* [release/8.0-rc2] [Blazor] Make auto components prefer the existing render mode (#50851)

# Make auto components prefer the existing render mode

Ensures that if interactive components exist on the page and they all use a single render mode, components with the "Auto" render mode will also use that render mode.

## Description

It's a common requirement for state to be shared between interactive root components. For example, the `<HeadOutlet>` component, which allows updating content in the HTML `<head>`, renders content specified by a `<HeadContent>` component, if it exists. However, this only works if the `<HeadOutlet>` and `<HeadContent>` components use the same interactive render mode.

The Auto render mode lets Blazor select a "best" render mode (either Server or WebAssembly) at runtime, primarily depending on whether Blazor WebAssembly resources are cached in the browser. However, previously it did this without taking into consideration the render mode used by existing components on the page.

For example, suppose a `<HeadOutlet>` with an Auto render mode gets added to the page before WebAssembly resources have been loaded and cached, so it uses Blazor Server. Later, a `<HeadContent>` component, also with an Auto render mode, gets added to the page. But at this point, WebAssembly resources have loaded completely, so the `<HeadContent>` component uses Blazor WebAssembly. In this example, the content in the `<head>` does not update, because the `<HeadOutlet>` and `<HeadContent>` use different render modes.

This PR updates the auto render mode decision making logic to the following:
* If WebAssembly components exist on the page, use WebAssembly
* Otherwise, if Server components exist on the page, use Server
* Otherwise, if WebAssembly resources are cached, use WebAssembly
* Otherwise, use Server

Fixes #50686

## Customer Impact

Medium/high. We've seen multiple reports of the existing behavior causing problems in customer apps, and there isn't a workaround.

## Regression?

- [ ] Yes
- [X] No

This behavior has existed since the Auto render mode was introduced in an earlier .NET 8 preview release.

## Risk

- [ ] High
- [ ] Medium
- [X] Low

This PR is a small change to the Auto mode logic. It's unlikely that customers were already relying on the existing behavior.

## Verification

- [X] Manual (required)
- [X] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [X] N/A

* Add Identity Components to Blazor template (#50722)

# Add Identity Components to Blazor template

## Description

This adds the option to add Identity Razor Components (`*.razor` files) when using the Blazor project template. This supports the same feature set as the Identity Razor Pages (`*.cshtml` files). We've already done an accessibility pass over these newly added components and this PR includes all the fixes for Accessibility too. As with the Identity Razor Pages, this supports local authentication (with the option to configure external login providers) and Identity management using EF Core.

Fixes #48786

## Customer Impact

These Identity Razor Components have been a common request for years as noted above, because it allows Blazor developers to use Identity without needing to add Razor Pages infrastructure which would otherwise be unnecessary and doesn't integrate well with the rest of the app. For example, the Identity Razor Pages to a Blazor app would use a different layout that doesn't match the look and feel of the Razor Components that make up the rest of the app.

## Regression?

- [ ] Yes
- [x] No

## Risk

- [ ] High
- [ ] Medium
- [x] Low

These are template only changes that only affect the brand new Blazor project template. It should have no impact on the project template output unless you opt-in to the individual auth option (other than a [small fix](5462e42) to make the `--empty` option produce compileable output with all `InteractivityPlatform` options.)

## Verification

- [x] Manual (required)
- [x] Automated

We're also adding new validation scenarios for vendors to validate periodically.

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [x] N/A

----

- [x] Finish user management components for 2fa, external login, personal data, etc...
- [x] Add signout link
- [x] Verify RegisterOnPersisting gets invoked as expected with the changes from #50625
- [x] Render ShowRecoveryCodes.razor inline rather than via a redirect.
- [x] Add baseline tests
- [x] Fix BOMs
- [x] Validate the template in VS

* Add logging to Http.Sys tests (#50883)

* Skip failing tests (#50917)

* Avoid re-running routing for implicit middlewares and remove implicit anti-forgery (#50864)

## Description

Avoid running routing eagerly in implicit middlewares to prevents the `EndpointFeature` from being set and causing unexpected reactions in other middlewares, like the static file middleware.

We also remove the implicit registration of the anti-forgery middleware to avoid unintended collisions with authentication in Blazor.

Fixes #50818, #50815, #50844

## Customer Impact

Without this change, the anti-forgery middleware in Blazor apps runs too early and is not able to examine authentication state in the application. Requiring the middleware to be registered explicitly ensures that the correct ordering is applied.

Without this change, users will run into difficult to resolve issues with building applications that include forms with Blazor web apps.

## Regression?

- [X] Yes
- [ ] No

This is a regression that was introduced to middleware routing in .NET 8 Preview 7.

## Risk

- [ ] High
- [X] Medium
- [ ] Low

**Medium risk** because:
- We are reverting a change that was originally applied to resolve #49654. This means that the original bug will impact users, specifically those who are calling `UseRouting` explicitly without calling `UseAuthentication` and `UseAuthorization` if they are not available. There is a workaround that we plan to document this behavior for users.
- Apps deployed in .NET 8 RC 1 will break because we no longer automatically enable the anti-forgery middleware. Users will receive an exception at startup notifying them of the code changes to make in order to get things working correctly.

## Verification

- [X] Manual (required)
- [X] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [X] N/A

* [release/8.0] Update dependencies from dotnet/runtime (#50957)

* Update dependencies from https://github.com/dotnet/runtime build 20230926.15

Microsoft.Bcl.AsyncInterfaces , Microsoft.Bcl.TimeProvider , Microsoft.Extensions.Caching.Abstractions , Microsoft.Extensions.Caching.Memory , Microsoft.Extensions.Configuration , Microsoft.Extensions.Configuration.Abstractions , Microsoft.Extensions.Configuration.Binder , Microsoft.Extensions.Configuration.CommandLine , Microsoft.Extensions.Configuration.EnvironmentVariables , Microsoft.Extensions.Configuration.FileExtensions , Microsoft.Extensions.Configuration.Ini , Microsoft.Extensions.Configuration.Json , Microsoft.Extensions.Configuration.UserSecrets , Microsoft.Extensions.Configuration.Xml , Microsoft.Extensions.DependencyInjection , Microsoft.Extensions.DependencyInjection.Abstractions , Microsoft.Extensions.DependencyModel , Microsoft.Extensions.Diagnostics , Microsoft.Extensions.Diagnostics.Abstractions , Microsoft.Extensions.FileProviders.Abstractions , Microsoft.Extensions.FileProviders.Composite , Microsoft.Extensions.FileProviders.Physical , Microsoft.Extensions.FileSystemGlobbing , Microsoft.Extensions.HostFactoryResolver.Sources , Microsoft.Extensions.Hosting , Microsoft.Extensions.Hosting.Abstractions , Microsoft.Extensions.Http , Microsoft.Extensions.Logging , Microsoft.Extensions.Logging.Abstractions , Microsoft.Extensions.Logging.Configuration , Microsoft.Extensions.Logging.Console , Microsoft.Extensions.Logging.Debug , Microsoft.Extensions.Logging.EventLog , Microsoft.Extensions.Logging.EventSource , Microsoft.Extensions.Logging.TraceSource , Microsoft.Extensions.Options , Microsoft.Extensions.Options.ConfigurationExtensions , Microsoft.Extensions.Options.DataAnnotations , Microsoft.Extensions.Primitives , Microsoft.Internal.Runtime.AspNetCore.Transport , Microsoft.NET.Runtime.MonoAOTCompiler.Task , Microsoft.NET.Runtime.WebAssembly.Sdk , Microsoft.NETCore.App.Ref , Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm , Microsoft.NETCore.App.Runtime.win-x64 , Microsoft.NETCore.BrowserDebugHost.Transport , Microsoft.NETCore.Platforms , System.Collections.Immutable , System.Composition , System.Configuration.ConfigurationManager , System.Diagnostics.DiagnosticSource , System.Diagnostics.EventLog , System.Diagnostics.PerformanceCounter , System.DirectoryServices.Protocols , System.IO.Hashing , System.IO.Pipelines , System.Net.Http.Json , System.Net.Http.WinHttpHandler , System.Reflection.Metadata , System.Resources.Extensions , System.Runtime.Caching , System.Security.Cryptography.Pkcs , System.Security.Cryptography.Xml , System.Security.Permissions , System.ServiceProcess.ServiceController , System.Text.Encodings.Web , System.Text.Json , System.Threading.AccessControl , System.Threading.Channels , System.Threading.RateLimiting , Microsoft.SourceBuild.Intermediate.runtime.linux-x64
 From Version 8.0.0-rtm.23475.7 -> To Version 8.0.0-rtm.23476.15

* Update node version

---------

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: jacalvar <jacalvar@microsoft.com>

* [Blazor] Antiforgery fix (#50946)

# Ensure antiforgery token flows to Blazor WebAssembly

The change makes sure that we persist the Antiforgery token during prerendering so that it is available to WebAssembly components.

## Description

* When using cookie authentication it is necessary to use antiforgery protection to prevent cross-site request forgery attacks.
* Blazor Webassembly interactive components must get access to the request antiforgery token to attach it to any outgoing API call.
* The antiforgery request token was not flowing from the server to the client correctly.
* This change enables calling APIs from web assembly to the server safely.
Fixes #50900

## Customer Impact

.NET 8.0 customers who have created Blazor Web Apps will fail to call APIs from webassembly components, as they won't be able to attach the required antiforgery token.

## Regression?

- [ ] Yes
- [X] No

[If yes, specify the version the behavior has regressed from]

## Risk

- [ ] High
- [ ] Medium
- [X] Low

The fix is simple and we added an E2E test to cover the scenario.

## Verification

- [ ] Manual (required)
- [X] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [X] N/A

----

## When servicing release/2.1

- [ ] Make necessary changes in eng/PatchConfig.props

* Update dependencies from https://github.com/dotnet/runtime build 20230927.9 (#50977)

Microsoft.Bcl.AsyncInterfaces , Microsoft.Bcl.TimeProvider , Microsoft.Extensions.Caching.Abstractions , Microsoft.Extensions.Caching.Memory , Microsoft.Extensions.Configuration , Microsoft.Extensions.Configuration.Abstractions , Microsoft.Extensions.Configuration.Binder , Microsoft.Extensions.Configuration.CommandLine , Microsoft.Extensions.Configuration.EnvironmentVariables , Microsoft.Extensions.Configuration.FileExtensions , Microsoft.Extensions.Configuration.Ini , Microsoft.Extensions.Configuration.Json , Microsoft.Extensions.Configuration.UserSecrets , Microsoft.Extensions.Configuration.Xml , Microsoft.Extensions.DependencyInjection , Microsoft.Extensions.DependencyInjection.Abstractions , Microsoft.Extensions.DependencyModel , Microsoft.Extensions.Diagnostics , Microsoft.Extensions.Diagnostics.Abstractions , Microsoft.Extensions.FileProviders.Abstractions , Microsoft.Extensions.FileProviders.Composite , Microsoft.Extensions.FileProviders.Physical , Microsoft.Extensions.FileSystemGlobbing , Microsoft.Extensions.HostFactoryResolver.Sources , Microsoft.Extensions.Hosting , Microsoft.Extensions.Hosting.Abstractions , Microsoft.Extensions.Http , Microsoft.Extensions.Logging , Microsoft.Extensions.Logging.Abstractions , Microsoft.Extensions.Logging.Configuration , Microsoft.Extensions.Logging.Console , Microsoft.Extensions.Logging.Debug , Microsoft.Extensions.Logging.EventLog , Microsoft.Extensions.Logging.EventSource , Microsoft.Extensions.Logging.TraceSource , Microsoft.Extensions.Options , Microsoft.Extensions.Options.ConfigurationExtensions , Microsoft.Extensions.Options.DataAnnotations , Microsoft.Extensions.Primitives , Microsoft.Internal.Runtime.AspNetCore.Transport , Microsoft.NET.Runtime.MonoAOTCompiler.Task , Microsoft.NET.Runtime.WebAssembly.Sdk , Microsoft.NETCore.App.Ref , Microsoft.NETCore.App.Runtime.AOT.win-x64.Cross.browser-wasm , Microsoft.NETCore.App.Runtime.win-x64 , Microsoft.NETCore.BrowserDebugHost.Transport , Microsoft.NETCore.Platforms , System.Collections.Immutable , System.Composition , System.Configuration.ConfigurationManager , System.Diagnostics.DiagnosticSource , System.Diagnostics.EventLog , System.Diagnostics.PerformanceCounter , System.DirectoryServices.Protocols , System.IO.Hashing , System.IO.Pipelines , System.Net.Http.Json , System.Net.Http.WinHttpHandler , System.Reflection.Metadata , System.Resources.Extensions , System.Runtime.Caching , System.Security.Cryptography.Pkcs , System.Security.Cryptography.Xml , System.Security.Permissions , System.ServiceProcess.ServiceController , System.Text.Encodings.Web , System.Text.Json , System.Threading.AccessControl , System.Threading.Channels , System.Threading.RateLimiting , Microsoft.SourceBuild.Intermediate.runtime.linux-x64
 From Version 8.0.0-rtm.23476.15 -> To Version 8.0.0-rtm.23477.9

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>

* [release/8.0] Update dependencies from dotnet/efcore dotnet/extensions (#50671)

[release/8.0] Update dependencies from dotnet/efcore dotnet/extensions


 - Merge branch 'release/8.0' into darc-release/8.0-67c2f3d0-02d1-4633-b986-2922ed8a04d7

 - Update versions

 - Merge branch 'release/8.0' into darc-release/8.0-67c2f3d0-02d1-4633-b986-2922ed8a04d7

 - Merge branch 'release/8.0' into darc-release/8.0-67c2f3d0-02d1-4633-b986-2922ed8a04d7

 - Merge branch 'release/8.0' into darc-release/8.0-67c2f3d0-02d1-4633-b986-2922ed8a04d7

 - Merge branch 'release/8.0' into darc-release/8.0-67c2f3d0-02d1-4633-b986-2922ed8a04d7

 - React to namespace changes

 - More namespace changes

 - Fix up namespaces

---------

Co-authored-by: Mackinnon Buck <mackinnon.buck@gmail.com>
Co-authored-by: Stephen Halter <halter73@gmail.com>
Co-authored-by: Brennan <brecon@microsoft.com>
Co-authored-by: William Godbe <wigodbe@microsoft.com>
Co-authored-by: Safia Abdalla <safia@microsoft.com>
Co-authored-by: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: jacalvar <jacalvar@microsoft.com>
mkArtakMSFT pushed a commit that referenced this pull request Oct 11, 2023
## Description

This PR addresses a large amount of feedback from #50722 which was merged before they could all be addressed to unblock Accessibility Testing effort. The primary impacts are:

#### Runtime changes
- Public API change to make `AddComponentRenderMode`'s `renderMode` param nullable to support disabling interactivity on a per-page basis with the help of `@rendermode="null"` (effectively).
  - **IMPORTANT:** This will need follow up in the Razor Compiler. See dotnet/razor#9343
  - API Proposal issue: #51170
  - This is a e necessary to support the changes to add global interactivity to Identity components @SteveSandersonMS made in #50920 and have now been included in this PR.
- [Add antiforgery token to forms rendered interactively on the server](425bd12)
  - This bug fix is necessary to make the logout button work without throwing antiforgery errors when it is rendered interactively on the server.

#### Template changes

- Fix compilation error due to missing `using` in `Program.cs` when the individual auth option is selected with no interactivity.
- Add support for global (`--all-interactive`) instead of just per-page interactivity to the new Identity components.
- Fix "Apply Migrations" link on the `DatabaseErrorPage` by calling `UseMigrationsEndPoint()` when necessary. 
- Add support for non-root base paths to the new Identity components.
- Improve folder layout by putting most of the additional auth and Identity related files in the same /Account folder.
- Use the new `IEmailSender<ApplicationUser>` API instead of `IEmailSender` for easier customization of emails.
- Remove usage of `IHttpContextAccessor` from the template because that is generally regarded as bad practice due to the unnecessary reliance on `AsyncLocal`.
- Remove underscore (`_`) from private field names.
- Reduce usage of `null!` and `default!`.
- Use normal `<button>` for logout link in nav bar rather than `<a onclick="document.getElementById('logout-form').submit();">`, and remove separate `LogoutForm.razor`.

## Customer Impact

This fixes several bugs in the Blazor project template when choosing the individual auth option and makes several runtime fixes that will be beneficial to any global interactive Blazor application that needs to include some components that must always be statically rendered.

## Regression?

- [ ] Yes
- [x] No

## Risk

- [ ] High
- [ ] Medium
- [x] Low

Obviously, we would rather not make such a large change after RC2. Particularly when it's a change that touches public API. Fortunately, the runtime changes are very small, and only to parts of the runtime that were last updated in RC2 (see #50181 and #50946).

The vast majority of the changes in the PR only affect the Blazor project template when the non-default individual auth option is selected. This was merged very late in RC2 (#50722) with the expectation that we would make major changes prior to GA.

## Verification

- [x] Manual (required)
- [x] Automated

## Packaging changes reviewed?

- [ ] Yes
- [ ] No
- [x] N/A
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area-mvc Includes: MVC, Actions and Controllers, Localization, CORS, most templates Servicing-approved Shiproom has approved the issue
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants