public async Task CanCreateMeLoginAndCookieStopsWorkingAfterExpiration()
{
var clock = new TestClock();
var server = CreateServer(services => services.Configure<IdentityOptions>(options =>
{
options.Cookies.ApplicationCookie.SystemClock = clock;
options.Cookies.ApplicationCookie.ExpireTimeSpan = TimeSpan.FromMinutes(10);
options.Cookies.ApplicationCookie.SlidingExpiration = false;
}));
var transaction1 = await SendAsync(server, "http://example.com/createMe");
Assert.Equal(HttpStatusCode.OK, transaction1.Response.StatusCode);
Assert.Null(transaction1.SetCookie);
var transaction2 = await SendAsync(server, "http://example.com/pwdLogin/false");
Assert.Equal(HttpStatusCode.OK, transaction2.Response.StatusCode);
Assert.NotNull(transaction2.SetCookie);
Assert.DoesNotContain("; expires=", transaction2.SetCookie);
var transaction3 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.Equal("hao", FindClaimValue(transaction3, ClaimTypes.Name));
Assert.Null(transaction3.SetCookie);
clock.Add(TimeSpan.FromMinutes(7));
var transaction4 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.Equal("hao", FindClaimValue(transaction4, ClaimTypes.Name));
Assert.Null(transaction4.SetCookie);
clock.Add(TimeSpan.FromMinutes(7));
var transaction5 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.Null(FindClaimValue(transaction5, ClaimTypes.Name));
Assert.Null(transaction5.SetCookie);
}
public async Task CanAccessOldPrincipalDuringSecurityStampReplacement()
{
var clock = new TestClock();
var server = CreateServer(services =>
{
services.Configure <SecurityStampValidatorOptions>(options =>
{
options.OnRefreshingPrincipal = c =>
{
var newId = new ClaimsIdentity();
newId.AddClaim(new Claim("PreviousName", c.CurrentPrincipal.Identity.Name));
c.NewPrincipal.AddIdentity(newId);
return(Task.FromResult(0));
};
});
services.AddSingleton <ISystemClock>(clock);
});
var transaction1 = await SendAsync(server, "http://example.com/createMe");
Assert.Equal(HttpStatusCode.OK, transaction1.Response.StatusCode);
Assert.Null(transaction1.SetCookie);
var transaction2 = await SendAsync(server, "http://example.com/pwdLogin/false");
Assert.Equal(HttpStatusCode.OK, transaction2.Response.StatusCode);
Assert.NotNull(transaction2.SetCookie);
Assert.DoesNotContain("; expires=", transaction2.SetCookie);
var transaction3 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.Equal("hao", FindClaimValue(transaction3, ClaimTypes.Name));
Assert.Null(transaction3.SetCookie);
// Make sure we don't get a new cookie yet
clock.Add(TimeSpan.FromMinutes(10));
var transaction4 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.Equal("hao", FindClaimValue(transaction4, ClaimTypes.Name));
Assert.Null(transaction4.SetCookie);
// Go past SecurityStampValidation interval and ensure we get a new cookie
clock.Add(TimeSpan.FromMinutes(21));
var transaction5 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.NotNull(transaction5.SetCookie);
Assert.Equal("hao", FindClaimValue(transaction5, ClaimTypes.Name));
Assert.Equal("hao", FindClaimValue(transaction5, "PreviousName"));
// Make sure new cookie is valid
var transaction6 = await SendAsync(server, "http://example.com/me", transaction5.CookieNameValue);
Assert.Equal("hao", FindClaimValue(transaction6, ClaimTypes.Name));
}
public async Task CanCreateMeLoginAndSecurityStampExtendsExpiration(bool rememberMe)
{
var clock = new TestClock();
var server = CreateServer(services => services.Configure <IdentityOptions>(options =>
{
options.Cookies.ApplicationCookie.SystemClock = clock;
}));
var transaction1 = await SendAsync(server, "http://example.com/createMe");
Assert.Equal(HttpStatusCode.OK, transaction1.Response.StatusCode);
Assert.Null(transaction1.SetCookie);
var transaction2 = await SendAsync(server, "http://example.com/pwdLogin/" + rememberMe);
Assert.Equal(HttpStatusCode.OK, transaction2.Response.StatusCode);
Assert.NotNull(transaction2.SetCookie);
if (rememberMe)
{
Assert.Contains("; expires=", transaction2.SetCookie);
}
else
{
Assert.DoesNotContain("; expires=", transaction2.SetCookie);
}
var transaction3 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.Equal("hao", FindClaimValue(transaction3, ClaimTypes.Name));
Assert.Null(transaction3.SetCookie);
// Make sure we don't get a new cookie yet
clock.Add(TimeSpan.FromMinutes(10));
var transaction4 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.Equal("hao", FindClaimValue(transaction4, ClaimTypes.Name));
Assert.Null(transaction4.SetCookie);
// Go past SecurityStampValidation interval and ensure we get a new cookie
clock.Add(TimeSpan.FromMinutes(21));
var transaction5 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.NotNull(transaction5.SetCookie);
Assert.Equal("hao", FindClaimValue(transaction5, ClaimTypes.Name));
// Make sure new cookie is valid
var transaction6 = await SendAsync(server, "http://example.com/me", transaction5.CookieNameValue);
Assert.Equal("hao", FindClaimValue(transaction6, ClaimTypes.Name));
}
public async Task TwoFactorRememberCookieVerification()
{
var clock = new TestClock();
var server = CreateServer(services => services.AddSingleton <ISystemClock>(clock));
var transaction1 = await SendAsync(server, "http://example.com/createMe");
Assert.Equal(HttpStatusCode.OK, transaction1.Response.StatusCode);
Assert.Null(transaction1.SetCookie);
var transaction2 = await SendAsync(server, "http://example.com/twofactorRememeber");
Assert.Equal(HttpStatusCode.OK, transaction2.Response.StatusCode);
var setCookie = transaction2.SetCookie;
Assert.Contains(IdentityConstants.TwoFactorRememberMeScheme + "=", setCookie);
Assert.Contains("; expires=", setCookie);
var transaction3 = await SendAsync(server, "http://example.com/isTwoFactorRememebered", transaction2.CookieNameValue);
Assert.Equal(HttpStatusCode.OK, transaction3.Response.StatusCode);
// Wait for validation interval
clock.Add(TimeSpan.FromMinutes(30));
var transaction4 = await SendAsync(server, "http://example.com/isTwoFactorRememebered", transaction2.CookieNameValue);
Assert.Equal(HttpStatusCode.OK, transaction4.Response.StatusCode);
}
public async Task CanCreateMeLoginAndCookieStopsWorkingAfterExpiration()
{
var clock = new TestClock();
var server = CreateServer(services =>
{
services.ConfigureApplicationCookie(options =>
{
options.ExpireTimeSpan = TimeSpan.FromMinutes(10);
options.SlidingExpiration = false;
});
services.AddSingleton <ISystemClock>(clock);
});
var transaction1 = await SendAsync(server, "http://example.com/createMe");
Assert.Equal(HttpStatusCode.OK, transaction1.Response.StatusCode);
Assert.Null(transaction1.SetCookie);
var transaction2 = await SendAsync(server, "http://example.com/pwdLogin/false");
Assert.Equal(HttpStatusCode.OK, transaction2.Response.StatusCode);
Assert.NotNull(transaction2.SetCookie);
Assert.DoesNotContain("; expires=", transaction2.SetCookie);
var transaction3 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.Equal("hao", FindClaimValue(transaction3, ClaimTypes.Name));
Assert.Null(transaction3.SetCookie);
clock.Add(TimeSpan.FromMinutes(7));
var transaction4 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.Equal("hao", FindClaimValue(transaction4, ClaimTypes.Name));
Assert.Null(transaction4.SetCookie);
clock.Add(TimeSpan.FromMinutes(7));
var transaction5 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.Null(FindClaimValue(transaction5, ClaimTypes.Name));
Assert.Null(transaction5.SetCookie);
}
public async Task TwoFactorRememberCookieClearedBySecurityStampChange()
{
var clock = new TestClock();
var server = CreateServer(services => services.AddSingleton <ISystemClock>(clock));
var transaction1 = await SendAsync(server, "http://example.com/createMe");
Assert.Equal(HttpStatusCode.OK, transaction1.Response.StatusCode);
Assert.Null(transaction1.SetCookie);
var transaction2 = await SendAsync(server, "http://example.com/twofactorRememeber");
Assert.Equal(HttpStatusCode.OK, transaction2.Response.StatusCode);
var setCookie = transaction2.SetCookie;
Assert.Contains(IdentityConstants.TwoFactorRememberMeScheme + "=", setCookie);
Assert.Contains("; expires=", setCookie);
var transaction3 = await SendAsync(server, "http://example.com/isTwoFactorRememebered", transaction2.CookieNameValue);
Assert.Equal(HttpStatusCode.OK, transaction3.Response.StatusCode);
var transaction4 = await SendAsync(server, "http://example.com/signoutEverywhere", transaction2.CookieNameValue);
Assert.Equal(HttpStatusCode.OK, transaction4.Response.StatusCode);
// Doesn't validate until after interval has passed
var transaction5 = await SendAsync(server, "http://example.com/isTwoFactorRememebered", transaction2.CookieNameValue);
Assert.Equal(HttpStatusCode.OK, transaction5.Response.StatusCode);
// Wait for validation interval
clock.Add(TimeSpan.FromMinutes(30));
var transaction6 = await SendAsync(server, "http://example.com/isTwoFactorRememebered", transaction2.CookieNameValue);
Assert.Equal(HttpStatusCode.InternalServerError, transaction6.Response.StatusCode);
}
public async Task CanCreateMeLoginAndSecurityStampExtendsExpiration(bool rememberMe)
{
var clock = new TestClock();
var server = CreateServer(services => services.Configure<IdentityOptions>(options =>
{
options.Cookies.ApplicationCookie.SystemClock = clock;
}));
var transaction1 = await SendAsync(server, "http://example.com/createMe");
Assert.Equal(HttpStatusCode.OK, transaction1.Response.StatusCode);
Assert.Null(transaction1.SetCookie);
var transaction2 = await SendAsync(server, "http://example.com/pwdLogin/" + rememberMe);
Assert.Equal(HttpStatusCode.OK, transaction2.Response.StatusCode);
Assert.NotNull(transaction2.SetCookie);
if (rememberMe)
{
Assert.Contains("; expires=", transaction2.SetCookie);
}
else
{
Assert.DoesNotContain("; expires=", transaction2.SetCookie);
}
var transaction3 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.Equal("hao", FindClaimValue(transaction3, ClaimTypes.Name));
Assert.Null(transaction3.SetCookie);
// Make sure we don't get a new cookie yet
clock.Add(TimeSpan.FromMinutes(10));
var transaction4 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.Equal("hao", FindClaimValue(transaction4, ClaimTypes.Name));
Assert.Null(transaction4.SetCookie);
// Go past SecurityStampValidation interval and ensure we get a new cookie
clock.Add(TimeSpan.FromMinutes(21));
var transaction5 = await SendAsync(server, "http://example.com/me", transaction2.CookieNameValue);
Assert.NotNull(transaction5.SetCookie);
Assert.Equal("hao", FindClaimValue(transaction5, ClaimTypes.Name));
// Make sure new cookie is valid
var transaction6 = await SendAsync(server, "http://example.com/me", transaction5.CookieNameValue);
Assert.Equal("hao", FindClaimValue(transaction6, ClaimTypes.Name));
}