public void Apply_QueryStringAppliedOnce(string parameterName)
{
// Arrange
var behavior = this.CreateBehavior();
var context = new DefaultHttpContext();
var options = new JwtBearerQueryStringOptions {
QueryStringParameterName =
parameterName ??
JwtBearerQueryStringOptions.DefaultQueryStringParameterName
};
const string token = "MyToken";
var queryString = new QueryString($"?{options.QueryStringParameterName}={token}");
context.Request.QueryString = queryString;
// Act
behavior.Apply(context, options);
// Assert
Assert.Contains(
$"{options.QueryStringParameterName}={RedactJwtBearerQueryStringBehavior.DefaultRedactedValue}",
context.Request.QueryString.Value
);
Assert.DoesNotContain(token, context.Request.QueryString.Value);
}
/// <summary>
/// Identifies and redacts the access token if it was provided via the query string.
/// </summary>
protected override void ApplyImpl(
HttpContext context,
JwtBearerQueryStringOptions options)
{
if (String.IsNullOrWhiteSpace(options.QueryStringParameterName))
{
throw new ArgumentException(
$"The '{nameof(JwtBearerQueryStringOptions.QueryStringParameterName)}' " +
$"property on the '{nameof(options)}' parameter cannot be null or " +
$"whitespace.",
nameof(options)
);
}
var request = context.Request;
if (request.QueryString == null || request.QueryString == QueryString.Empty)
{
return;
}
var queryString = QueryHelpers.ParseQuery(request.QueryString.Value);
var parameterName = options.QueryStringParameterName;
StringValues values;
if (queryString.TryGetValue(parameterName, out values))
{
queryString[parameterName] = new StringValues(this.RedactedValue);
request.QueryString = QueryString.Create(queryString);
}
}
public void Apply_NullQueryStringParameterNameInOptions(string name)
{
// Arrange
var behavior = this.CreateBehavior();
var context = new DefaultHttpContext();
var options = new JwtBearerQueryStringOptions {
QueryStringParameterName = name
};
context.Request.QueryString = new QueryString("?access_token=token");
// Act
var exception = Record.Exception(
() => behavior.Apply(context, options)
);
// Assert
Assert.IsType <ArgumentException>(exception);
Assert.Equal(
$"The 'QueryStringParameterName' property on the " +
$"'options' parameter cannot be null or whitespace." +
Environment.NewLine + $"Parameter name: options",
exception.Message
);
}
public void Apply_QueryStringAppliedMultipleTimes()
{
// Arrange
var behavior = this.CreateBehavior();
var context = new DefaultHttpContext();
var options = new JwtBearerQueryStringOptions();
const string token = "MyToken";
var queryString = new QueryString($"?access_token={token}1&access_token={token}2");
context.Request.QueryString = queryString;
// Act
behavior.Apply(context, options);
// Assert
Assert.Contains(
"access_token=" + RedactJwtBearerQueryStringBehavior.DefaultRedactedValue,
context.Request.QueryString.Value
);
Assert.DoesNotContain(token, context.Request.QueryString.Value);
}
private IPostConfigureOptions <JwtBearerOptions> CreatePostConfiguration(
JwtBearerQueryStringOptions optionsĀ = null)
{
return(new JwtBearerOptionsPostConfiguration(
Options.Create(options ?? new JwtBearerQueryStringOptions())
));
}
private JwtBearerQueryStringMiddleware CreateMiddleware(
RequestDelegate next = null,
JwtBearerQueryStringOptions options = null)
{
return(new JwtBearerQueryStringMiddleware(
next ?? (context => Task.CompletedTask),
Options.Create(options ?? new JwtBearerQueryStringOptions())
));
}
/// <summary>
/// Applies the defined query string mutation behavior to the provided
/// <see cref="HttpContext" />.
/// </summary>
/// <remarks>
/// Defined in the <see cref="JwtBearerQueryStringOptions" />, this may
/// do something like redact the token, it may move the token into the
/// 'Authorization' header using the traditional Bearer authentication
/// scheme, or it may do nothing at all.
/// </remarks>
/// <param name="context">
/// The <see cref="HttpContext" /> for a given request. The request may or may
/// not be using the query string as a form of authentication.
/// </param>
/// <param name="options">
/// The <see cref="JwtBearerQueryStringOptions" /> that define how the
/// query string authentication should be managed within this web service.
/// </param>
/// <exception cref="ArgumentNullException">
/// Thrown when <paramref name="context" /> or <paramref name="options" /> is null.
/// </exception>
public void Apply(HttpContext context, JwtBearerQueryStringOptions options)
{
if (context == null)
{
throw new ArgumentNullException(nameof(context));
}
else if (options == null)
{
throw new ArgumentNullException(nameof(options));
}
this.ApplyImpl(context, options);
}
public void Apply_NullContext()
{
// Arrange
var behavior = this.CreateBehavior();
var options = new JwtBearerQueryStringOptions();
// Act
var exception = Record.Exception(
() => behavior.Apply(null, options)
);
// Assert
Assert.IsType <ArgumentNullException>(exception);
}
public void Apply_EmptyQueryStringIsIgnored(QueryString original)
{
// Arrange
var behavior = this.CreateBehavior();
var context = new DefaultHttpContext();
var options = new JwtBearerQueryStringOptions();
context.Request.QueryString = original;
// Act
behavior.Apply(context, options);
// Assert
Assert.Equal(original, context.Request.QueryString);
}
public void PostConfigure_AppliesEventsWrapper(
string name,
JwtBearerOptions bearerOptions)
{
// Arrange
var options = new JwtBearerQueryStringOptions();
var configuration = CreatePostConfiguration(options);
// Act
configuration.PostConfigure(name, bearerOptions);
// Assert
var typed = Assert.IsType <QueryStringJwtBearerEventsWrapper>(bearerOptions.Events);
Assert.Equal(options.QueryStringParameterName, typed.QueryStringParameterName);
}
public void Apply_QueryStringUnaffected()
{
// Arrange
var behavior = this.CreateBehavior();
var context = new DefaultHttpContext();
var options = new JwtBearerQueryStringOptions();
context.Request.QueryString.Add(options.QueryStringParameterName, "Token");
var queryString = context.Request.QueryString.ToString();
// Act
behavior.Apply(context, options);
// Assert
Assert.Equal(queryString, context.Request.QueryString.ToString());
}
public void Apply_QueryStringNotPresent()
{
// Arrange
var behavior = this.CreateBehavior();
var context = new DefaultHttpContext();
var options = new JwtBearerQueryStringOptions();
var queryString = new QueryString("?ParameterName=Value1&ParameterName=Value2");
context.Request.QueryString = queryString;
// Act
behavior.Apply(context, options);
// Assert
Assert.Equal(queryString, context.Request.QueryString);
}
public void Apply_NullRedactionValuesSupported(string redactedValue)
{
// Arrange
var behavior = this.CreateBehavior(redactedValue);
var context = new DefaultHttpContext();
var options = new JwtBearerQueryStringOptions();
const string token = "MyOtherToken";
var queryString = new QueryString($"?access_token={token}");
context.Request.QueryString = queryString;
// Act
behavior.Apply(context, options);
// Assert
Assert.Contains("access_token=" + redactedValue, context.Request.QueryString.Value);
Assert.DoesNotContain(token, context.Request.QueryString.Value);
}
public async Task Invoke_NonNullQueryStringBehavior()
{
// Arrange
var behavior = new Mock <IJwtBearerQueryStringBehavior>();
var options = new JwtBearerQueryStringOptions {
QueryStringBehavior = behavior.Object
};
var middleware = this.CreateMiddleware(options: options);
var context = new DefaultHttpContext();
// Act
await middleware.Invoke(context);
// Assert
behavior.Verify(
mock => mock.Apply(context, options),
Times.Once()
);
}
/// <summary>
/// This is the same behavior as the <see cref="Apply" /> method sans the boilerplace
/// <see cref="ArgumentNullException" /> checks.
/// </summary>
protected abstract void ApplyImpl(
HttpContext context,
JwtBearerQueryStringOptions options);
/// <summary>
/// Performs no mutations to the <see cref="HttpContext" /> of the user's web request.
/// </summary>
protected override void ApplyImpl(
HttpContext context,
JwtBearerQueryStringOptions options)
{
}
