feature(csrf-token): add csrf token cookie

closes TrilonIO#48

> Cookie:_ga=GA1.1.776949977.1456326673;
.AspNetCore.Antiforgery.UXO5fwPO0_I=CfDJ8MWQ4vQ8YoxPiafJLrfvOsudL0CCVXA8
_NntZcOKwN9DJUbwd7rSR3gLIurZ0wmrHfHQUwzpTQdDcHfDQbVP1wl2EXIuI2n--HwpW7L1
YblEK2qa4rU58-kkZ0EB5x9SnFP_wZJOPdSLicT5STl8fOg;
XSRF-TOKEN=CfDJ8MWQ4vQ8YoxPiafJLrfvOss01F393ftQsOZ-XtJIgsaLOgv7_5arDVb_U
P5zTN13u6bkwDvRieoXNGo6vEPgpSVqbpEVXaMRr2UlS_qM4h_LmQ-We6l5IRo1HzAeD5Qa0
KIBEB2TLgBKAYv-Uo2MQWc
> Host:localhost:5000

Author: MarkPieszak

Client/components/navmenu/navmenu.component.css

@@ -12,6 +12,7 @@ li.link-active a:focus {
 
 /* Keep the nav menu independent of scrolling and on top of other items */
 .nav { }
+.nav li { display:inline-block; }
 .nav li a { padding:10px 20px; }
 .nav li a:hover, .nav li a:focus { text-decoration: none; }
 

Client/components/navmenu/navmenu.component.html

@@ -1,4 +1,4 @@
-<ul class="nav navbar-inverse">
+<ul class="nav">
     <li [routerLinkActive]="['link-active']">
         <a [routerLink]="['/home']">
             <i class="fa fa-home" aria-hidden="true"></i> Home

Startup.cs

@@ -1,12 +1,16 @@
 using System;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Antiforgery;
+
 using Microsoft.AspNetCore.SpaServices.Webpack;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
+using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.EntityFrameworkCore;
 using Angular2Spa.Models;
+using Microsoft.AspNetCore.Http;
 
 namespace Angular2Spa
 {
@@ -47,6 +51,8 @@ public void ConfigureServices(IServiceCollection services)
             services.AddMvc();
             services.AddMemoryCache();
 
+            services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");
+
             //Adding SignalR Service
             services.AddSignalR(options => {
                 services.AddMemoryCache();
@@ -59,7 +65,7 @@ public void ConfigureServices(IServiceCollection services)
         }
 
         // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
-        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
+        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IAntiforgery antiforgery)
         {
             loggerFactory.AddConsole(Configuration.GetSection("Logging"));
             loggerFactory.AddDebug();
@@ -86,6 +92,20 @@ public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerF
                 app.UseExceptionHandler("/Home/Error");
             }
 
+            // CSRF / XSRF Token
+            app.Use(async (context, next) =>
+            {
+                if (string.Equals(context.Request.Path.Value, "/", StringComparison.OrdinalIgnoreCase))
+                {
+                    var tokens = antiforgery.GetAndStoreTokens(context);
+
+                    context.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken, new CookieOptions() { 
+                        HttpOnly = false
+                    });
+                }
+                await next.Invoke();
+            });
+
             app.UseStaticFiles();
 
             //  ** MVC / WebAPI Routing & default SPA fallback Routing

project.json

@@ -14,11 +14,14 @@
     "Gray.Microsoft.AspNetCore.SignalR.Server": "0.2.0-alpha1",
     "Microsoft.ApplicationInsights.AspNetCore": "1.0.0",
     "Microsoft.AspNetCore.Diagnostics": "1.1.0",
-    "Microsoft.AspNetCore.Mvc": "1.1.0",
+    "Microsoft.AspNetCore.Mvc": "1.1.1",
     "Microsoft.AspNetCore.Razor.Tools": {
       "type": "build",
       "version": "1.0.0-preview2-final"
     },
+    "Microsoft.AspNetCore.Cors": "1.1.0",
+    "Microsoft.AspNetCore.Antiforgery": "1.1.0",
+    "Microsoft.AspNetCore.Authentication.Cookies": "1.1.0",
     "Microsoft.AspNetCore.Server.IISIntegration": "1.1.0",
     "Microsoft.AspNetCore.Server.Kestrel": "1.1.0",
     "Microsoft.AspNetCore.SpaServices": "1.1.0-*",