How do the webhooks (e.g., in the Zettle and PayPal plugins) bypass the AntiForgeryToken validation? The controller action method does not have the [IgnoreAntiforgeryToken] attribute.
The ZettleWebhookController doesn't have [AutoValidateAntiforgeryToken] applied on the controller, and it inherits from Controller, which also doesn't have [AutoValidateAntiforgeryToken] applied by default (it looks like only the BaseAdminController has the auto validation for anti-forgery applied). Maybe I am wrong, but by the looks of it, it doesn't need [IgnoreAntiforgeryToken] since the antiforgery validation is not enabled at all.
That's what I thought, but when I created a plugin, I tried all of these base classes: Controller, BasePublicController, BasePluginController.
I also tried putting these attributes on the action method: [HttpPost], [AllowAnonymous], [IgnoreAntiforgeryToken].
Regardless, I always get 400 Bad Response, and this is in the output window in VS:
Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter: Information: Antiforgery token validation failed. The required antiforgery cookie ".Nop.Antiforgery" is not present.