[release/8.0] [Blazor] Allow cascading value subscribers to get added and removed during change notification by github-actions[bot] · Pull Request #57288 · dotnet/aspnetcore (original) (raw)

Backport of #57243 to release/8.0

/cc @MackinnonBuck

Important

We're waiting to get feedback about the original change before merging this backport

[Blazor] Allow cascading value subscribers to get added and removed during change notification

Updates cascading value change notification logic to operate on a copy of the subscriber list to avoid cases where the list could get mutated during enumeration.

Fixes #53075

Description

.NET 8 included changes to improve the flexibility of cascading values. One of these improvements enabled root-level cascading values that can be consumed by components anywhere in the component hierarchy.

The AddCascadingAuthenticationState() API utilizes root-level cascading values to simplify making the authentication state available to Blazor components. However, customers have reported that under certain circumstances, using this API can cause an exception to get thrown that ends the user's session.

While AddCascadingAuthenticationState() manifests the bug, the root cause is actually deeper within the internals of Blazor's implementation of cascading values. If a cascading value changes, a change notification is issued to all components (subscribers) listening to that change. If a component reacts to the change by adding another subscriber (e.g., rendering another component that subscribes to the cascading value), then an exception gets thrown because the internal list of subscribers managed by the framework gets mutated as it's being enumerated.

Customer Impact

Many customers have reported being impacted by this bug (see the comments in #53075).

Some customers have reported working around the issue by using a <CascadingAuthenticationState> component (which existed prior to .NET 8) instead of AddCascadingAuthenticationState(). However, our docs and templates reference the new AddCascadingAuthenticationState() API, and customers have expressed discontent with having to downgrade to <CascadingAuthenticationState>.

Regression?

• Yes
• No

The bug was introduced at the same time as the affected features/scenarios.

Risk

• High
• Medium
• Low

The fix is simple; copy the list of subscribers to a separate buffer before enumerating them.

Verification

• Manual (required)
• Automated

Packaging changes reviewed?

• Yes
• No
• N/A