
Trying to implement a magic link login on an ASP.NET Core 2.1 web app. Works like a charm locally; however, when deploying to Azure I get an error message: `The request contained a double escape sequence and request filtering is configured on the Web server to deny double escape sequences`

MagicLinkSender.cs

var token = await _userManager.GenerateUserTokenAsync(
    user: user,  
    tokenProvider: "MagicLinkTokenProvider", 
    purpose: "magic-link"
);

var magiclink = _urlHelper.Link(
    routeName: "MagicLinkRoute",
    values: new { userid = user.Id, token = token });

AccountController

[HttpGet("/magic/{userid}/{token}", Name = "MagicLinkRoute")]
public async Task<IActionResult> MagicLogin([FromRoute]string userid, [FromRoute]string token )
{
    // Sign the user out if they're signed in
    if(_signInManager.IsSignedIn(User))
    {
        await _signInManager.SignOutAsync();
    }

    var user = await _signInManager.UserManager.FindByIdAsync(userid);
    if(user != null)
    {
        token = token.Replace("%2F", "/");
        var isValid = await _signInManager.UserManager.VerifyUserTokenAsync(
            user: user,
            tokenProvider: "MagicLinkTokenProvider",
            purpose: "magic-link",
            token: token
        );
        if(isValid)
        {
            await _signInManager.UserManager.UpdateSecurityStampAsync(user);
            await _signInManager.SignInAsync(user, isPersistent: true);
        }
    }

    return RedirectToPage("/Profile/Index");
}

Seems like I can get around this by allowing double escaping in web.config:

<system.webServer>
    <security>
        <requestFiltering allowDoubleEscaping="true" />
    </security>
</system.webServer>

However this seems to open some security holes. Are there better alternatives to get this working on Azure?

Ole Kristian Losvik

2 Answers

Some characters require additional configuration depending on your hosting environment:

To allow '+' in item names in ASP.NET 2.0 and 4.0, set the configuration in your web.config file.

<system.webServer>
    <security>
        <requestFiltering allowDoubleEscaping="true" />
    </security>
</system.webServer>

To allow '&' and '%' in ASP.NET 4.0, set the configuration in your web.config file.

<system.web>
    <httpRuntime  requestPathInvalidCharacters=""/>
</system.web>

To allow trailing dots ('.') in ASP.NET 4.0, set the configuration in your web.config file.

<system.web>
    <httpRuntime relaxedUrlToFileSystemMapping="true"/>
</system.web>

For more details, you could refer to this article and this one.

Joey Cai

Changing to use parameters from the query string instead of the route seems to solve this problem when deploying to Azure.

[HttpGet("/magic", Name = "MagicLinkRoute")]
public async Task<IActionResult> MagicLogin([FromQuery]string userid, [FromQuery]string token )
{
    // ...
}

Ole Kristian Losvik
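
An alternative that leaves `allowDoubleEscaping` at its default, as an added example that is not code from either poster: wrap the token in Base64Url so the link contains no '+', '/', '=' or '%' for request filtering to act on. It assumes the token returned by `GenerateUserTokenAsync` is ordinary Base64 text; `MagicLinkTokenCodec`, `ToUrlSafe`, `TryFromUrlSafe` and `Demo` are hypothetical names, and the sample token is constructed.

```csharp
using System;
using System.Text;
using Microsoft.AspNetCore.WebUtilities;

// Hypothetical helper: the encoded token uses only A-Z, a-z, 0-9, '-' and '_',
// so nothing in it needs percent-encoding in a route segment or a query string.
public static class MagicLinkTokenCodec
{
    public static string ToUrlSafe(string token)
    {
        if (token == null) throw new ArgumentNullException(nameof(token));
        return WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(token));
    }

    // Returns false instead of throwing, so a mangled link is treated like an invalid token.
    public static bool TryFromUrlSafe(string urlSafe, out string token)
    {
        token = null;
        if (string.IsNullOrEmpty(urlSafe)) return false;
        try
        {
            token = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(urlSafe));
            return true;
        }
        catch (FormatException)
        {
            return false;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample value shaped like a Base64 token containing '+', '/' and '='.
        const string token = "CfDJ8K+x/9aQ+Zt/1w==";
        string safe = MagicLinkTokenCodec.ToUrlSafe(token);
        Console.WriteLine(safe);
        Console.WriteLine(MagicLinkTokenCodec.TryFromUrlSafe(safe, out var back) && back == token);
        Console.WriteLine(MagicLinkTokenCodec.TryFromUrlSafe("not*base64url", out _));
    }
}
```

In the sender, pass `MagicLinkTokenCodec.ToUrlSafe(token)` as the `token` route value; in `MagicLogin`, call `TryFromUrlSafe` in place of `token.Replace("%2F", "/")` and skip `VerifyUserTokenAsync` when it returns false.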