Address more feedback

Author: captainsafia

src/Antiforgery/src/AntiforgeryMiddleware.cs

@@ -28,26 +28,25 @@ public Task Invoke(HttpContext context)
             return _next(context);
         }
 
-        return InvokeAwaited(context, endpoint);
+        if (endpoint?.Metadata.GetMetadata<IAntiforgeryMetadata>() is { RequiresValidation: true })
+        {
+            return InvokeAwaited(context);
+        }
+
+        return _next(context);
     }
 
-    public async Task InvokeAwaited(HttpContext context, Endpoint? endpoint)
+    public async Task InvokeAwaited(HttpContext context)
     {
-        if (endpoint?.Metadata.GetMetadata<IAntiforgeryMetadata>() is { RequiresValidation: true })
+        try
         {
-            try
-            {
-                await _antiforgery.ValidateRequestAsync(context);
-            }
-            catch (AntiforgeryValidationException e)
-            {
-                context.Features.Set<IAntiforgeryValidationFeature>(new AntiforgeryValidationFeature(false, e));
-                await _next(context);
-                return;
-            }
+            await _antiforgery.ValidateRequestAsync(context);
             context.Features.Set(AntiforgeryValidationFeature.Valid);
         }
-
+        catch (AntiforgeryValidationException e)
+        {
+            context.Features.Set<IAntiforgeryValidationFeature>(new AntiforgeryValidationFeature(false, e));
+        }
         await _next(context);
     }
 }

src/Antiforgery/src/Internal/AntiforgeryValidationFeature.cs

@@ -2,7 +2,7 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 namespace Microsoft.AspNetCore.Antiforgery;
 
-internal class AntiforgeryValidationFeature(bool isValid, AntiforgeryValidationException? exception) : IAntiforgeryValidationFeature
+internal sealed class AntiforgeryValidationFeature(bool isValid, AntiforgeryValidationException? exception) : IAntiforgeryValidationFeature
 {
     public static readonly IAntiforgeryValidationFeature Valid = new AntiforgeryValidationFeature(true, null);
 

src/Http/Http.Extensions/src/RequestDelegateFactory.cs

@@ -1429,7 +1429,7 @@ private static Expression AddResponseWritingToMethodCall(Expression methodCall,
 
             if (feature?.CanHaveBody == true)
             {
-                if (httpContext.Features.Get<IAntiforgeryValidationFeature>() is  { IsValid: false } antiforgeryValidationFeature)
+                if (httpContext.Features.Get<IAntiforgeryValidationFeature>() is { IsValid: false } antiforgeryValidationFeature)
                 {
                     Log.InvalidAntiforgeryToken(httpContext, parameterTypeName, parameterName, antiforgeryValidationFeature.Error!, throwOnBadRequest);
                     httpContext.Response.StatusCode = StatusCodes.Status400BadRequest;
@@ -1995,13 +1995,12 @@ private static Expression BindComplexParameterFromFormItem(
         // var name_reader;
         // var form_dict;
         // var form_buffer;
-        // var form_max_key_length;
         var formArgument = Expression.Variable(parameter.ParameterType, $"{parameter.Name}_local");
         var formReader = Expression.Variable(typeof(FormDataReader), $"{parameter.Name}_reader");
         var formDict = Expression.Variable(typeof(IReadOnlyDictionary<FormKey, StringValues>), "form_dict");
         var formBuffer = Expression.Variable(typeof(char[]), "form_buffer");
 
-        // ProcessForm(context.Request.Form, form_dict, form_max_key_length, form_buffer);
+        // ProcessForm(context.Request.Form, form_dict, form_buffer);
         var processFormExpr = Expression.Call(ProcessFormMethod, FormExpr, formDict, formBuffer);
         // name_reader = new FormDataReader(form_dict, CultureInfo.InvariantCulture, form_buffer.AsMemory(0, FormDataMapperOptions.MaxKeyBufferSize));
         var initializeReaderExpr = Expression.Assign(

src/Http/Http.Features/src/IAntiforgeryValidationFeature.cs

@@ -1,6 +1,6 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
-using System.Diagnostics.CodeAnalysis;
+
 namespace Microsoft.AspNetCore.Antiforgery;
 
 /// <summary>
@@ -16,6 +16,5 @@ public interface IAntiforgeryValidationFeature
     /// <summary>
     /// Gets the <see cref="Exception"/> that occurred when validating the anti-forgery token.
     /// </summary>
-    [MemberNotNullWhen(false, nameof(IsValid))]
     Exception? Error { get; }
 }

src/Http/Routing/src/EndpointMiddleware.cs

@@ -51,9 +51,7 @@ public Task Invoke(HttpContext httpContext)
                 }
 
                 if (endpoint.Metadata.GetMetadata<IAntiforgeryMetadata>() is { RequiresValidation: true } &&
-                    !httpContext.Items.ContainsKey(AntiforgeryMiddlewareWithEndpointInvokedKey) &&
-                    httpContext.Request.Method is {} method &&
-                    HttpMethodExtensions.IsValidHttpMethodForForm(method))
+                    !httpContext.Items.ContainsKey(AntiforgeryMiddlewareWithEndpointInvokedKey))
                 {
                     ThrowMissingAntiforgeryMiddlewareException(endpoint);
                 }

src/Http/Routing/src/EndpointRoutingMiddleware.cs

@@ -136,10 +136,6 @@ private Task SetRoutingAndContinue(HttpContext httpContext)
             // We do this during endpoint routing to ensure that successive middlewares in the pipeline
             // can access the feature with the correct value.
             SetMaxRequestBodySize(httpContext);
-            if (httpContext.Features.Get<IHttpMaxRequestBodySizeFeature>() is { } httpMaxRequestBodySizeFeature)
-            {
-                httpContext.Request.Body = new SizeLimitedStream(httpContext.Request.Body, httpMaxRequestBodySizeFeature.MaxRequestBodySize);
-            }
 
             var shortCircuitMetadata = endpoint.Metadata.GetMetadata<ShortCircuitMetadata>();
             if (shortCircuitMetadata is not null)

src/Http/Routing/src/Microsoft.AspNetCore.Routing.csproj

@@ -37,7 +37,6 @@
     <Compile Include="$(SharedSourceRoot)Debugger\DebuggerHelpers.cs" LinkBase="Shared" />
     <Compile Include="$(SharedSourceRoot)AntiforgeryMetadata.cs" LinkBase="Shared" />
     <Compile Include="$(SharedSourceRoot)HttpMethodExtensions.cs" LinkBase="Shared" />
-    <Compile Include="$(SharedSourceRoot)SizeLimitedStream.cs" LinkBase="Shared" />
   </ItemGroup>
 
   <ItemGroup>

src/Http/Routing/test/FunctionalTests/AntiforgeryTests.cs

@@ -398,6 +398,11 @@ public async Task MapPost_WithForm_ValidToken_RequestSizeLimit_Works(bool hasLim
                             return next(context);
                         });
                         app.UseRouting();
+                        app.Use((context, next) =>
+                        {
+                            context.Request.Body = new SizeLimitedStream(context.Request.Body, context.Features.Get<IHttpMaxRequestBodySizeFeature>()?.MaxRequestBodySize);
+                            return next(context);
+                        });
                         app.UseAntiforgery();
                         app.UseEndpoints(b =>
                             b.MapPost("/todo", ([FromForm] Todo todo) => todo).WithMetadata(new RequestSizeLimitMetadata(hasLimit ? 2 : null)));

src/Http/Routing/test/FunctionalTests/Microsoft.AspNetCore.Routing.FunctionalTests.csproj

@@ -16,9 +16,10 @@
     <Reference Include="Microsoft.AspNetCore.Routing" />
     <Reference Include="Microsoft.AspNetCore.TestHost" />
   </ItemGroup>
-  
+
   <ItemGroup>
     <Compile Include="$(SharedSourceRoot)AntiforgeryMetadata.cs" LinkBase="Shared" />
+    <Compile Include="$(SharedSourceRoot)SizeLimitedStream.cs" LinkBase="Shared" />
   </ItemGroup>
 
 </Project>

src/Http/Routing/test/UnitTests/EndpointMiddlewareTest.cs

@@ -315,11 +315,8 @@ public async Task Invoke_WithEndpoint_DoesNotThrowIfUnhandledCorsAttributesWereF
         Assert.True(calledEndpoint);
     }
 
-    [Theory]
-    [InlineData("POST")]
-    [InlineData("PUT")]
-    [InlineData("PATCH")]
-    public async Task Invoke_WithEndpoint_ThrowsIfAntiforgeryMetadataWasFound_ButAntiforgeryMiddlewareNotInvoked_ForValidHttpMethods(string method)
+    [Fact]
+    public async Task Invoke_WithEndpoint_ThrowsIfAntiforgeryMetadataWasFound_ButAntiforgeryMiddlewareNotInvoked()
     {
         // Arrange
         var expected = "Endpoint Test contains anti-forgery metadata, but a middleware was not found that supports anti-forgery." +
@@ -338,7 +335,6 @@ public async Task Invoke_WithEndpoint_ThrowsIfAntiforgeryMetadataWasFound_ButAnt
         };
 
         httpContext.SetEndpoint(new Endpoint(throwIfCalled, new EndpointMetadataCollection(AntiforgeryMetadata.ValidationRequired), "Test"));
-        httpContext.Request.Method = method;
 
         var middleware = new EndpointMiddleware(NullLogger<EndpointMiddleware>.Instance, throwIfCalled, RouteOptions);
 
@@ -349,39 +345,6 @@ public async Task Invoke_WithEndpoint_ThrowsIfAntiforgeryMetadataWasFound_ButAnt
         Assert.Equal(expected, ex.Message);
     }
 
-    [Theory]
-    [InlineData("GET")]
-    [InlineData("TRACE")]
-    [InlineData("HEAD")]
-    [InlineData("OPTIONS")]
-    [InlineData("DELETE")]
-    [InlineData("CONNECT")]
-    public async Task Invoke_WithEndpoint_WorksIfAntiforgeryMetadataWasFound_ButAntiforgeryMiddlewareNotInvoked_ForInvalidHttpMethods(string method)
-    {
-        // Arrange
-        var message = "Should be called";
-        var httpContext = new DefaultHttpContext
-        {
-            RequestServices = new ServiceProvider()
-        };
-
-        RequestDelegate throwIfCalled = (c) =>
-        {
-            throw new InvalidTimeZoneException(message);
-        };
-
-        httpContext.SetEndpoint(new Endpoint(throwIfCalled, new EndpointMetadataCollection(AntiforgeryMetadata.ValidationRequired), "Test"));
-        httpContext.Request.Method = method;
-
-        var middleware = new EndpointMiddleware(NullLogger<EndpointMiddleware>.Instance, throwIfCalled, RouteOptions);
-
-        // Act & Assert
-        var ex = await Assert.ThrowsAsync<InvalidTimeZoneException>(() => middleware.Invoke(httpContext));
-
-        // Assert
-        Assert.Equal(message, ex.Message);
-    }
-
     [Fact]
     public async Task Invoke_WithEndpoint_WorksIfAntiforgeryMetadataWasFound_AndAntiforgeryMiddlewareInvoked()
     {