The previous Admin-006 commit added <AntiforgeryToken /> to the logout form and updated the comment on the endpoint, but did not update LogoutAsync to actually call IAntiforgery.ValidateRequestAsync. Blazor's UseAntiforgery() middleware does not automatically validate minimal-API endpoints, so a tokenless POST still succeeded.

This commit injects IAntiforgery into the handler, wraps ValidateRequestAsync in a try/catch, and returns 400 on AntiforgeryValidationException. The endpoint keeps .DisableAntiforgery() to prevent the middleware from also trying to read the body (which would cause a double-read).

The regression test is updated to log in first (to get an authenticated session) before asserting 400 on a tokenless logout POST.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
11 KiB
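The handler shape the commit message describes, as an added sketch that is not the project's own code. It assumes an ASP.NET Core 8+ web project with implicit usings; the route, the cookie scheme, the authorization requirement and the redirect target are illustrative assumptions.

```csharp
// Added illustration, not the project's code. Route, auth scheme and redirect are assumptions.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie();
builder.Services.AddAuthorization();
builder.Services.AddAntiforgery();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.UseAntiforgery();

// Hypothetical route. DisableAntiforgery() stays on the endpoint, as in the
// commit message, so the middleware leaves the request body to the handler.
app.MapPost("/account/logout", LogoutAsync)
   .RequireAuthorization()   // assumption: logout needs an authenticated session
   .DisableAntiforgery();

app.Run();

static async Task<IResult> LogoutAsync(HttpContext context, IAntiforgery antiforgery)
{
    try
    {
        // Explicit check: looks for the token in the posted form field or the
        // request header and throws if it is missing or does not match the cookie.
        await antiforgery.ValidateRequestAsync(context);
    }
    catch (AntiforgeryValidationException)
    {
        // Tokenless or forged POST: reject with 400 and keep the session intact.
        return Results.BadRequest();
    }

    // Only a validated request reaches the sign-out.
    await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
    return Results.LocalRedirect("/");
}
```

The sign-out call sits after the validation block, so a rejected request never changes session state.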