Example #1
0
        public async Task CanCreateMeLoginAndCookieStopsWorkingAfterExpiration()
        {
            var clock = new TestClock();
            var server = CreateServer(services => services.Configure<IdentityOptions>(options =>
            {
                options.Cookies.ApplicationCookie.SystemClock = clock;
                options.Cookies.ApplicationCookie.ExpireTimeSpan = TimeSpan.FromMinutes(10);
                options.Cookies.ApplicationCookie.SlidingExpiration = false;
            }));

            var transaction1 = await SendAsync(server, "http://example.com/createMe");
            Assert.Equal(HttpStatusCode.OK, transaction1.Response.StatusCode);
            Assert.Null(transaction1.SetCookie);

            var transaction2 = await SendAsync(server, "http://example.com/pwdLogin/false");
            Assert.Equal(HttpStatusCode.OK, transaction2.Response.StatusCode);
            Assert.NotNull(transaction2.SetCookie);
            Assert.DoesNotContain("; expires=", transaction2.SetCookie);

            var transaction3 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
            Assert.Equal("hao", FindClaimValue(transaction3, ClaimTypes.Name));
            Assert.Null(transaction3.SetCookie);

            clock.Add(TimeSpan.FromMinutes(7));

            var transaction4 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
            Assert.Equal("hao", FindClaimValue(transaction4, ClaimTypes.Name));
            Assert.Null(transaction4.SetCookie);

            clock.Add(TimeSpan.FromMinutes(7));

            var transaction5 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
            Assert.Null(FindClaimValue(transaction5, ClaimTypes.Name));
            Assert.Null(transaction5.SetCookie);
        }
Example #2
0
        public async Task CanAccessOldPrincipalDuringSecurityStampReplacement()
        {
            var clock  = new TestClock();
            var server = CreateServer(services =>
            {
                services.Configure <SecurityStampValidatorOptions>(options =>
                {
                    options.OnRefreshingPrincipal = c =>
                    {
                        var newId = new ClaimsIdentity();
                        newId.AddClaim(new Claim("PreviousName", c.CurrentPrincipal.Identity.Name));
                        c.NewPrincipal.AddIdentity(newId);
                        return(Task.FromResult(0));
                    };
                });
                services.AddSingleton <ISystemClock>(clock);
            });

            var transaction1 = await SendAsync(server, "http://example.com/createMe");

            Assert.Equal(HttpStatusCode.OK, transaction1.Response.StatusCode);
            Assert.Null(transaction1.SetCookie);

            var transaction2 = await SendAsync(server, "http://example.com/pwdLogin/false");

            Assert.Equal(HttpStatusCode.OK, transaction2.Response.StatusCode);
            Assert.NotNull(transaction2.SetCookie);
            Assert.DoesNotContain("; expires=", transaction2.SetCookie);

            var transaction3 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);

            Assert.Equal("hao", FindClaimValue(transaction3, ClaimTypes.Name));
            Assert.Null(transaction3.SetCookie);

            // Make sure we don't get a new cookie yet
            clock.Add(TimeSpan.FromMinutes(10));
            var transaction4 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);

            Assert.Equal("hao", FindClaimValue(transaction4, ClaimTypes.Name));
            Assert.Null(transaction4.SetCookie);

            // Go past SecurityStampValidation interval and ensure we get a new cookie
            clock.Add(TimeSpan.FromMinutes(21));

            var transaction5 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);

            Assert.NotNull(transaction5.SetCookie);
            Assert.Equal("hao", FindClaimValue(transaction5, ClaimTypes.Name));
            Assert.Equal("hao", FindClaimValue(transaction5, "PreviousName"));

            // Make sure new cookie is valid
            var transaction6 = await SendAsync(server, "http://example.com/me", transaction5.CookieNameValue);

            Assert.Equal("hao", FindClaimValue(transaction6, ClaimTypes.Name));
        }
Example #3
0
        public async Task CanCreateMeLoginAndSecurityStampExtendsExpiration(bool rememberMe)
        {
            var clock  = new TestClock();
            var server = CreateServer(services => services.Configure <IdentityOptions>(options =>
            {
                options.Cookies.ApplicationCookie.SystemClock = clock;
            }));

            var transaction1 = await SendAsync(server, "http://example.com/createMe");

            Assert.Equal(HttpStatusCode.OK, transaction1.Response.StatusCode);
            Assert.Null(transaction1.SetCookie);

            var transaction2 = await SendAsync(server, "http://example.com/pwdLogin/" + rememberMe);

            Assert.Equal(HttpStatusCode.OK, transaction2.Response.StatusCode);
            Assert.NotNull(transaction2.SetCookie);
            if (rememberMe)
            {
                Assert.Contains("; expires=", transaction2.SetCookie);
            }
            else
            {
                Assert.DoesNotContain("; expires=", transaction2.SetCookie);
            }

            var transaction3 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);

            Assert.Equal("hao", FindClaimValue(transaction3, ClaimTypes.Name));
            Assert.Null(transaction3.SetCookie);

            // Make sure we don't get a new cookie yet
            clock.Add(TimeSpan.FromMinutes(10));
            var transaction4 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);

            Assert.Equal("hao", FindClaimValue(transaction4, ClaimTypes.Name));
            Assert.Null(transaction4.SetCookie);

            // Go past SecurityStampValidation interval and ensure we get a new cookie
            clock.Add(TimeSpan.FromMinutes(21));

            var transaction5 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);

            Assert.NotNull(transaction5.SetCookie);
            Assert.Equal("hao", FindClaimValue(transaction5, ClaimTypes.Name));

            // Make sure new cookie is valid
            var transaction6 = await SendAsync(server, "http://example.com/me", transaction5.CookieNameValue);

            Assert.Equal("hao", FindClaimValue(transaction6, ClaimTypes.Name));
        }
Example #4
0
        public async Task TwoFactorRememberCookieVerification()
        {
            var clock  = new TestClock();
            var server = CreateServer(services => services.AddSingleton <ISystemClock>(clock));

            var transaction1 = await SendAsync(server, "http://example.com/createMe");

            Assert.Equal(HttpStatusCode.OK, transaction1.Response.StatusCode);
            Assert.Null(transaction1.SetCookie);

            var transaction2 = await SendAsync(server, "http://example.com/twofactorRememeber");

            Assert.Equal(HttpStatusCode.OK, transaction2.Response.StatusCode);

            var setCookie = transaction2.SetCookie;

            Assert.Contains(IdentityConstants.TwoFactorRememberMeScheme + "=", setCookie);
            Assert.Contains("; expires=", setCookie);

            var transaction3 = await SendAsync(server, "http://example.com/isTwoFactorRememebered", transaction2.CookieNameValue);

            Assert.Equal(HttpStatusCode.OK, transaction3.Response.StatusCode);

            // Wait for validation interval
            clock.Add(TimeSpan.FromMinutes(30));

            var transaction4 = await SendAsync(server, "http://example.com/isTwoFactorRememebered", transaction2.CookieNameValue);

            Assert.Equal(HttpStatusCode.OK, transaction4.Response.StatusCode);
        }
Example #5
0
        public async Task CanCreateMeLoginAndCookieStopsWorkingAfterExpiration()
        {
            var clock  = new TestClock();
            var server = CreateServer(services =>
            {
                services.ConfigureApplicationCookie(options =>
                {
                    options.ExpireTimeSpan    = TimeSpan.FromMinutes(10);
                    options.SlidingExpiration = false;
                });
                services.AddSingleton <ISystemClock>(clock);
            });

            var transaction1 = await SendAsync(server, "http://example.com/createMe");

            Assert.Equal(HttpStatusCode.OK, transaction1.Response.StatusCode);
            Assert.Null(transaction1.SetCookie);

            var transaction2 = await SendAsync(server, "http://example.com/pwdLogin/false");

            Assert.Equal(HttpStatusCode.OK, transaction2.Response.StatusCode);
            Assert.NotNull(transaction2.SetCookie);
            Assert.DoesNotContain("; expires=", transaction2.SetCookie);

            var transaction3 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);

            Assert.Equal("hao", FindClaimValue(transaction3, ClaimTypes.Name));
            Assert.Null(transaction3.SetCookie);

            clock.Add(TimeSpan.FromMinutes(7));

            var transaction4 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);

            Assert.Equal("hao", FindClaimValue(transaction4, ClaimTypes.Name));
            Assert.Null(transaction4.SetCookie);

            clock.Add(TimeSpan.FromMinutes(7));

            var transaction5 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);

            Assert.Null(FindClaimValue(transaction5, ClaimTypes.Name));
            Assert.Null(transaction5.SetCookie);
        }
Example #6
0
        public async Task TwoFactorRememberCookieClearedBySecurityStampChange()
        {
            var clock  = new TestClock();
            var server = CreateServer(services => services.AddSingleton <ISystemClock>(clock));

            var transaction1 = await SendAsync(server, "http://example.com/createMe");

            Assert.Equal(HttpStatusCode.OK, transaction1.Response.StatusCode);
            Assert.Null(transaction1.SetCookie);

            var transaction2 = await SendAsync(server, "http://example.com/twofactorRememeber");

            Assert.Equal(HttpStatusCode.OK, transaction2.Response.StatusCode);

            var setCookie = transaction2.SetCookie;

            Assert.Contains(IdentityConstants.TwoFactorRememberMeScheme + "=", setCookie);
            Assert.Contains("; expires=", setCookie);

            var transaction3 = await SendAsync(server, "http://example.com/isTwoFactorRememebered", transaction2.CookieNameValue);

            Assert.Equal(HttpStatusCode.OK, transaction3.Response.StatusCode);

            var transaction4 = await SendAsync(server, "http://example.com/signoutEverywhere", transaction2.CookieNameValue);

            Assert.Equal(HttpStatusCode.OK, transaction4.Response.StatusCode);

            // Doesn't validate until after interval has passed
            var transaction5 = await SendAsync(server, "http://example.com/isTwoFactorRememebered", transaction2.CookieNameValue);

            Assert.Equal(HttpStatusCode.OK, transaction5.Response.StatusCode);

            // Wait for validation interval
            clock.Add(TimeSpan.FromMinutes(30));

            var transaction6 = await SendAsync(server, "http://example.com/isTwoFactorRememebered", transaction2.CookieNameValue);

            Assert.Equal(HttpStatusCode.InternalServerError, transaction6.Response.StatusCode);
        }
Example #7
0
        public async Task CanCreateMeLoginAndSecurityStampExtendsExpiration(bool rememberMe)
        {
            var clock = new TestClock();
            var server = CreateServer(services => services.Configure<IdentityOptions>(options =>
            {
                options.Cookies.ApplicationCookie.SystemClock = clock;
            }));

            var transaction1 = await SendAsync(server, "http://example.com/createMe");
            Assert.Equal(HttpStatusCode.OK, transaction1.Response.StatusCode);
            Assert.Null(transaction1.SetCookie);

            var transaction2 = await SendAsync(server, "http://example.com/pwdLogin/" + rememberMe);
            Assert.Equal(HttpStatusCode.OK, transaction2.Response.StatusCode);
            Assert.NotNull(transaction2.SetCookie);
            if (rememberMe)
            {
                Assert.Contains("; expires=", transaction2.SetCookie);
            }
            else
            {
                Assert.DoesNotContain("; expires=", transaction2.SetCookie);
            }

            var transaction3 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
            Assert.Equal("hao", FindClaimValue(transaction3, ClaimTypes.Name));
            Assert.Null(transaction3.SetCookie);

            // Make sure we don't get a new cookie yet
            clock.Add(TimeSpan.FromMinutes(10));
            var transaction4 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
            Assert.Equal("hao", FindClaimValue(transaction4, ClaimTypes.Name));
            Assert.Null(transaction4.SetCookie);

            // Go past SecurityStampValidation interval and ensure we get a new cookie
            clock.Add(TimeSpan.FromMinutes(21));

            var transaction5 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
            Assert.NotNull(transaction5.SetCookie);
            Assert.Equal("hao", FindClaimValue(transaction5, ClaimTypes.Name));

            // Make sure new cookie is valid
            var transaction6 = await SendAsync(server, "http://example.com/me", transaction5.CookieNameValue);
            Assert.Equal("hao", FindClaimValue(transaction6, ClaimTypes.Name));
        }