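/// <summary>
/// Happy path for a username-based (non-claims) identity: the field token carries the
/// session token's SecurityToken, a Username for the current user and additional data
/// that the custom provider accepts, so ValidateTokens must not throw.
/// </summary>
public void ValidateTokens_Success_AuthenticatedUserWithUsername()
{
    // Arrange
    var httpContext = new Mock<HttpContext>().Object;
    var identity = GetAuthenticatedIdentity("the-user");
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var fieldtoken = new AntiForgeryToken()
    {
        SecurityToken = sessionToken.SecurityToken,
        // NOTE(review): "******" looks like a scrubbed literal. For the username check to
        // succeed this must name the same user as GetAuthenticatedIdentity("the-user")
        // above, in whatever spelling the provider's comparison accepts — confirm against
        // the upstream test before relying on this case.
        Username = "******",
        IsSessionToken = false,
        AdditionalData = "some-additional-data"
    };
    var mockAdditionalDataProvider = new Mock<IAntiForgeryAdditionalDataProvider>();
    mockAdditionalDataProvider
        .Setup(o => o.ValidateAdditionalData(httpContext, "some-additional-data"))
        .Returns(true);
    var config = new AntiForgeryOptions();
    var tokenProvider = new AntiForgeryTokenProvider(
        config: config,
        claimUidExtractor: new Mock<IClaimUidExtractor>().Object,
        additionalDataProvider: mockAdditionalDataProvider.Object);

    // Act
    tokenProvider.ValidateTokens(httpContext, identity, sessionToken, fieldtoken);

    // Assert
    // Not throwing is the primary signal. Additionally prove that the custom data check
    // was actually consulted, so an implementation that skips the check could not make
    // this "success" test pass by accident.
    mockAdditionalDataProvider.Verify(
        o => o.ValidateAdditionalData(httpContext, "some-additional-data"),
        Times.Once());
}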
/// <summary>
/// A field token minted for <paramref name="embeddedUsername"/> must be rejected when the
/// current identity is <paramref name="identityUsername"/>. The claim-UID extractor is
/// stubbed to return null so that the provider falls back to comparing usernames.
/// The parameter data for this theory comes from attributes that are not visible here.
/// </summary>
public void ValidateTokens_UsernameMismatch(string identityUsername, string embeddedUsername)
{
    // Arrange
    var context = new Mock<HttpContext>().Object;
    var currentIdentity = GetAuthenticatedIdentity(identityUsername);

    var cookieToken = new AntiForgeryToken() { IsSessionToken = true };
    var formToken = new AntiForgeryToken()
    {
        SecurityToken = cookieToken.SecurityToken,
        Username = embeddedUsername,
        IsSessionToken = false
    };

    // No claim UID for this identity => username comparison is the deciding check.
    var claimUidExtractor = new Mock<IClaimUidExtractor>();
    claimUidExtractor
        .Setup(o => o.ExtractClaimUid(currentIdentity))
        .Returns((string)null);

    var tokenProvider = new AntiForgeryTokenProvider(
        config: null,
        claimUidExtractor: claimUidExtractor.Object,
        additionalDataProvider: null);

    // Act & assert
    var ex = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(context, currentIdentity, cookieToken, formToken));

    var expectedMessage =
        "The provided anti-forgery token was meant for user \"" + embeddedUsername +
        "\", but the current user is \"" + identityUsername + "\".";
    Assert.Equal(expectedMessage, ex.Message);
}
/// <summary>
/// An authenticated identity without a Name is acceptable for form-token generation as
/// long as an additional-data provider supplies some data. The resulting field token must
/// carry the cookie's SecurityToken, an empty Username, no ClaimUid and that data.
/// </summary>
public void GenerateFormToken_AuthenticatedWithoutUsername_WithAdditionalData()
{
    // Arrange
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var context = new Mock<HttpContext>().Object;
    ClaimsIdentity nameless = new MyAuthenticatedIdentityWithoutUsername();

    var additionalDataProvider = new Mock<IAntiForgeryAdditionalDataProvider>();
    additionalDataProvider
        .Setup(o => o.GetAdditionalData(context))
        .Returns("additional-data");

    // Loose mock: ExtractClaimUid returns null, so no ClaimUid is embedded.
    var claimUidExtractor = new Mock<IClaimUidExtractor>().Object;
    var options = new AntiForgeryOptions();
    var tokenProvider = new AntiForgeryTokenProvider(
        config: options,
        claimUidExtractor: claimUidExtractor,
        additionalDataProvider: additionalDataProvider.Object);

    // Act
    var formToken = tokenProvider.GenerateFormToken(context, nameless, sessionToken);

    // Assert
    Assert.NotNull(formToken);
    Assert.False(formToken.IsSessionToken);
    Assert.Equal(sessionToken.SecurityToken, formToken.SecurityToken);
    Assert.Empty(formToken.Username);
    Assert.Null(formToken.ClaimUid);
    Assert.Equal("additional-data", formToken.AdditionalData);
}
/// <summary>
/// An identity that is authenticated but has no Name, with no additional-data provider
/// to supply another unique identifier, must be refused: there would be nothing in the
/// field token binding it to the current user. The full diagnostic message is pinned.
/// </summary>
public void GenerateFormToken_AuthenticatedWithoutUsernameAndNoAdditionalData_NoAdditionalData()
{
    // Arrange
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var context = new Mock<HttpContext>().Object;
    ClaimsIdentity nameless = new MyAuthenticatedIdentityWithoutUsername();
    var options = new AntiForgeryOptions();
    IClaimUidExtractor claimUidExtractor = new Mock<IClaimUidExtractor>().Object;
    var tokenProvider = new AntiForgeryTokenProvider(
        config: options,
        claimUidExtractor: claimUidExtractor,
        additionalDataProvider: null);

    var expectedMessage =
        "The provided identity of type " +
        "'Microsoft.AspNet.Mvc.Core.Test.TokenProviderTest+MyAuthenticatedIdentityWithoutUsername' " +
        "is marked IsAuthenticated = true but does not have a value for Name. " +
        "By default, the anti-forgery system requires that all authenticated identities have a unique Name. " +
        "If it is not possible to provide a unique Name for this identity, " +
        "consider extending IAdditionalDataProvider by overriding the DefaultAdditionalDataProvider " +
        "or a custom type that can provide some form of unique identifier for the current user.";

    // Act & assert
    var ex = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.GenerateFormToken(context, nameless, sessionToken));
    Assert.Equal(expectedMessage, ex.Message);
}
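/// <summary>
/// Happy path for a claims-based identity: the field token embeds a ClaimUid and the
/// extractor reports the same value (base64 of the blob) for the current identity, so
/// ValidateTokens must not throw.
/// </summary>
public void ValidateTokens_Success_ClaimsBasedUser()
{
    // Arrange
    var httpContext = new Mock<HttpContext>().Object;
    var identity = GetAuthenticatedIdentity("the-user");
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var fieldtoken = new AntiForgeryToken()
    {
        SecurityToken = sessionToken.SecurityToken,
        IsSessionToken = false,
        ClaimUid = new BinaryBlob(256)
    };
    var mockClaimUidExtractor = new Mock<IClaimUidExtractor>();
    mockClaimUidExtractor
        .Setup(o => o.ExtractClaimUid(identity))
        .Returns(Convert.ToBase64String(fieldtoken.ClaimUid.GetData()));
    var config = new AntiForgeryOptions();
    var tokenProvider = new AntiForgeryTokenProvider(
        config: config,
        claimUidExtractor: mockClaimUidExtractor.Object,
        additionalDataProvider: null);

    // Act
    tokenProvider.ValidateTokens(httpContext, identity, sessionToken, fieldtoken);

    // Assert
    // Not throwing is the primary signal. Additionally prove that the claim UID of the
    // current identity was actually looked up — a provider that skipped the per-user
    // binding check entirely would otherwise pass this "success" test too.
    mockClaimUidExtractor.Verify(o => o.ExtractClaimUid(identity), Times.Once());
}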
/// <summary>
/// An identity that is authenticated but has no Name, with no additional-data provider
/// to supply another unique identifier, must be refused: there would be nothing in the
/// field token binding it to the current user. The full diagnostic message is pinned.
/// </summary>
public void GenerateFormToken_AuthenticatedWithoutUsernameAndNoAdditionalData_NoAdditionalData()
{
    // Arrange
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var context = new Mock<HttpContext>().Object;
    ClaimsIdentity nameless = new MyAuthenticatedIdentityWithoutUsername();
    var options = new AntiForgeryOptions();
    IClaimUidExtractor claimUidExtractor = new Mock<IClaimUidExtractor>().Object;
    var tokenProvider = new AntiForgeryTokenProvider(
        config: options,
        claimUidExtractor: claimUidExtractor,
        additionalDataProvider: null);

    var expectedMessage =
        "The provided identity of type " +
        "'Microsoft.AspNet.Mvc.Core.Test.TokenProviderTest+MyAuthenticatedIdentityWithoutUsername' " +
        "is marked IsAuthenticated = true but does not have a value for Name. " +
        "By default, the anti-forgery system requires that all authenticated identities have a unique Name. " +
        "If it is not possible to provide a unique Name for this identity, " +
        "consider extending IAdditionalDataProvider by overriding the DefaultAdditionalDataProvider " +
        "or a custom type that can provide some form of unique identifier for the current user.";

    // Act & assert
    var ex = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.GenerateFormToken(context, nameless, sessionToken));
    Assert.Equal(expectedMessage, ex.Message);
}
/// <summary>
/// When the custom additional-data provider rejects the data embedded in the field token,
/// validation must fail with the "custom data check" message even though the security
/// tokens match and the identity (anonymous here) raises no user-binding concern.
/// </summary>
public void ValidateTokens_AdditionalDataRejected()
{
    // Arrange
    var context = new Mock<HttpContext>().Object;
    var anonymous = new ClaimsIdentity();
    var cookieToken = new AntiForgeryToken() { IsSessionToken = true };
    var formToken = new AntiForgeryToken()
    {
        SecurityToken = cookieToken.SecurityToken,
        Username = String.Empty,
        IsSessionToken = false,
        AdditionalData = "some-additional-data"
    };

    // The provider vetoes exactly the data carried by the form token.
    var additionalDataProvider = new Mock<IAntiForgeryAdditionalDataProvider>();
    additionalDataProvider
        .Setup(o => o.ValidateAdditionalData(context, "some-additional-data"))
        .Returns(false);

    var tokenProvider = new AntiForgeryTokenProvider(
        config: new AntiForgeryOptions(),
        claimUidExtractor: null,
        additionalDataProvider: additionalDataProvider.Object);

    // Act & assert
    var ex = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(context, anonymous, cookieToken, formToken));
    Assert.Equal("The provided anti-forgery token failed a custom data check.", ex.Message);
}
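/// <summary>
/// Happy path for a username-based (non-claims) identity: the field token carries the
/// session token's SecurityToken, a Username for the current user and additional data
/// that the custom provider accepts, so ValidateTokens must not throw.
/// </summary>
public void ValidateTokens_Success_AuthenticatedUserWithUsername()
{
    // Arrange
    var httpContext = new Mock<HttpContext>().Object;
    var identity = GetAuthenticatedIdentity("the-user");
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var fieldtoken = new AntiForgeryToken()
    {
        SecurityToken = sessionToken.SecurityToken,
        // NOTE(review): "******" looks like a scrubbed literal. For the username check to
        // succeed this must name the same user as GetAuthenticatedIdentity("the-user")
        // above, in whatever spelling the provider's comparison accepts — confirm against
        // the upstream test before relying on this case.
        Username = "******",
        IsSessionToken = false,
        AdditionalData = "some-additional-data"
    };
    var mockAdditionalDataProvider = new Mock<IAntiForgeryAdditionalDataProvider>();
    mockAdditionalDataProvider
        .Setup(o => o.ValidateAdditionalData(httpContext, "some-additional-data"))
        .Returns(true);
    var config = new AntiForgeryOptions();
    var tokenProvider = new AntiForgeryTokenProvider(
        config: config,
        claimUidExtractor: new Mock<IClaimUidExtractor>().Object,
        additionalDataProvider: mockAdditionalDataProvider.Object);

    // Act
    tokenProvider.ValidateTokens(httpContext, identity, sessionToken, fieldtoken);

    // Assert
    // Not throwing is the primary signal. Additionally prove that the custom data check
    // was actually consulted, so an implementation that skips the check could not make
    // this "success" test pass by accident.
    mockAdditionalDataProvider.Verify(
        o => o.ValidateAdditionalData(httpContext, "some-additional-data"),
        Times.Once());
}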
/// <summary>
/// For an unauthenticated identity the form token is bound only to the cookie's
/// SecurityToken: no Username, no ClaimUid and no additional data are embedded, and it
/// is flagged as a non-session (field) token.
/// </summary>
public void GenerateFormToken_AnonymousUser()
{
    // Arrange
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var context = new Mock<HttpContext>().Object;

    var anonymousIdentity = new Mock<ClaimsIdentity>();
    anonymousIdentity.Setup(o => o.IsAuthenticated).Returns(false);

    var tokenProvider = new AntiForgeryTokenProvider(
        config: new AntiForgeryOptions(),
        claimUidExtractor: null,
        additionalDataProvider: null);

    // Act
    var formToken = tokenProvider.GenerateFormToken(context, anonymousIdentity.Object, sessionToken);

    // Assert
    Assert.NotNull(formToken);
    Assert.False(formToken.IsSessionToken);
    Assert.Equal(sessionToken.SecurityToken, formToken.SecurityToken);
    Assert.Empty(formToken.Username);
    Assert.Empty(formToken.AdditionalData);
    Assert.Null(formToken.ClaimUid);
}
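/// <summary>
/// Two independently created tokens carry different SecurityTokens; a field token whose
/// SecurityToken does not match the cookie token must be rejected with the "do not match"
/// message. This is the core CSRF check, so it is exercised with no user binding at all.
/// </summary>
public void ValidateTokens_FieldAndSessionTokensHaveDifferentSecurityKeys()
{
    // Arrange
    var httpContext = new Mock<HttpContext>().Object;
    ClaimsIdentity identity = new Mock<ClaimsIdentity>().Object;
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var fieldtoken = new AntiForgeryToken() { IsSessionToken = false };
    var tokenProvider = new AntiForgeryTokenProvider(
        config: null,
        claimUidExtractor: null,
        additionalDataProvider: null);

    // Make the premise explicit: the test is only meaningful if the two freshly created
    // tokens really do carry different security keys.
    Assert.NotEqual(sessionToken.SecurityToken, fieldtoken.SecurityToken);

    // Act & assert
    var ex = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(httpContext, identity, sessionToken, fieldtoken));
    Assert.Equal(@"The anti-forgery cookie token and form field token do not match.", ex.Message);
}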
/// <summary>
/// For an unauthenticated identity the form token is bound only to the cookie's
/// SecurityToken: no Username, no ClaimUid and no additional data are embedded, and it
/// is flagged as a non-session (field) token.
/// </summary>
public void GenerateFormToken_AnonymousUser()
{
    // Arrange
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var context = new Mock<HttpContext>().Object;

    var anonymousIdentity = new Mock<ClaimsIdentity>();
    anonymousIdentity.Setup(o => o.IsAuthenticated).Returns(false);

    var tokenProvider = new AntiForgeryTokenProvider(
        config: new AntiForgeryOptions(),
        claimUidExtractor: null,
        additionalDataProvider: null);

    // Act
    var formToken = tokenProvider.GenerateFormToken(context, anonymousIdentity.Object, sessionToken);

    // Assert
    Assert.NotNull(formToken);
    Assert.False(formToken.IsSessionToken);
    Assert.Equal(sessionToken.SecurityToken, formToken.SecurityToken);
    Assert.Empty(formToken.Username);
    Assert.Empty(formToken.AdditionalData);
    Assert.Null(formToken.ClaimUid);
}
/// <summary>
/// A request with a cookie token but no form-field token must be rejected, and the error
/// must name the configured form field so operators can see which field was expected.
/// </summary>
public void ValidateTokens_FieldTokenMissing()
{
    // Arrange
    var context = new Mock<HttpContext>().Object;
    ClaimsIdentity identity = new Mock<ClaimsIdentity>().Object;
    var cookieToken = new AntiForgeryToken() { IsSessionToken = true };
    AntiForgeryToken missingFormToken = null;

    var options = new AntiForgeryOptions() { FormFieldName = "my-form-field-name" };
    var tokenProvider = new AntiForgeryTokenProvider(
        config: options,
        claimUidExtractor: null,
        additionalDataProvider: null);

    // Act & assert
    var ex = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(context, identity, cookieToken, missingFormToken));
    Assert.Equal(
        "The required anti-forgery form field \"my-form-field-name\" is not present.",
        ex.Message);
}
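/// <summary>
/// GenerateCookieToken must produce a token that the same provider accepts as a valid
/// cookie token, and successive calls must not reuse a security key: a generator that
/// handed out a constant token would defeat the per-session binding.
/// </summary>
public void GenerateCookieToken()
{
    // Arrange
    var tokenProvider = new AntiForgeryTokenProvider(
        config: null,
        claimUidExtractor: null,
        additionalDataProvider: null);

    // Act
    var retVal = tokenProvider.GenerateCookieToken();
    var second = tokenProvider.GenerateCookieToken();

    // Assert
    Assert.NotNull(retVal);
    // The provider's own validity check is the contract for a cookie token.
    Assert.True(tokenProvider.IsCookieTokenValid(retVal));
    // Two generated tokens must carry distinct security keys.
    Assert.NotNull(second);
    Assert.NotEqual(retVal.SecurityToken, second.SecurityToken);
}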
/// <summary>
/// A missing cookie token is never valid: IsCookieTokenValid(null) must return false
/// rather than throw, since the caller uses it to decide whether to issue a new cookie.
/// </summary>
public void IsCookieTokenValid_NullToken_ReturnsFalse()
{
    // Arrange
    var tokenProvider = new AntiForgeryTokenProvider(
        config: null,
        claimUidExtractor: null,
        additionalDataProvider: null);
    AntiForgeryToken absentToken = null;

    // Act
    var isValid = tokenProvider.IsCookieTokenValid(absentToken);

    // Assert
    Assert.False(isValid);
}
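/// <summary>
/// The cookie slot must hold a session token and the form-field slot a non-session token.
/// Any other arrangement — a field token in both slots, a session token in both slots, or
/// the two genuinely swapped — must fail with the "were swapped" message, which names the
/// configured cookie and form-field names.
/// </summary>
public void ValidateTokens_FieldAndSessionTokensSwapped()
{
    // Arrange
    var httpContext = new Mock<HttpContext>().Object;
    ClaimsIdentity identity = new Mock<ClaimsIdentity>().Object;
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var fieldtoken = new AntiForgeryToken() { IsSessionToken = false };
    var config = new AntiForgeryOptions()
    {
        CookieName = "my-cookie-name",
        FormFieldName = "my-form-field-name"
    };
    var tokenProvider = new AntiForgeryTokenProvider(
        config: config,
        claimUidExtractor: null,
        additionalDataProvider: null);
    var expectedMessage =
        "Validation of the provided anti-forgery token failed. " +
        @"The cookie ""my-cookie-name"" and the form field ""my-form-field-name"" were swapped.";

    // Act & assert
    // Field token in the cookie slot.
    var ex1 = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(httpContext, identity, fieldtoken, fieldtoken));
    Assert.Equal(expectedMessage, ex1.Message);

    // Session token in the form-field slot.
    var ex2 = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(httpContext, identity, sessionToken, sessionToken));
    Assert.Equal(expectedMessage, ex2.Message);

    // The case the test is named for: both tokens present but in each other's slot.
    var ex3 = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(httpContext, identity, fieldtoken, sessionToken));
    Assert.Equal(expectedMessage, ex3.Message);
}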
/// <summary>
/// A token flagged as a session token is accepted by IsCookieTokenValid.
/// </summary>
public void IsCookieTokenValid_ValidToken_ReturnsTrue()
{
    // Arrange
    var tokenProvider = new AntiForgeryTokenProvider(
        config: null,
        claimUidExtractor: null,
        additionalDataProvider: null);
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };

    // Act
    var isValid = tokenProvider.IsCookieTokenValid(sessionToken);

    // Assert
    Assert.True(isValid);
}
/// <summary>
/// When the claim-UID extractor yields a value for the identity, the generated form token
/// embeds it as a 256-bit ClaimUid (decoded from the extractor's base64 string) and leaves
/// Username and AdditionalData empty, while still carrying the cookie's SecurityToken.
/// </summary>
public void GenerateFormToken_ClaimsBasedIdentity()
{
    // Arrange
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var context = new Mock<HttpContext>().Object;
    var identity = GetAuthenticatedIdentity("some-identity");
    var options = new AntiForgeryOptions();

    // 256 random bits stand in for the claim UID the extractor would derive.
    var claimUidBytes = new byte[256 / 8];
    using (var rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(claimUidBytes);
    }
    var expectedClaimUid = new BinaryBlob(256, claimUidBytes);

    var claimUidExtractor = new Mock<IClaimUidExtractor>();
    claimUidExtractor
        .Setup(o => o.ExtractClaimUid(identity))
        .Returns(Convert.ToBase64String(claimUidBytes));

    var tokenProvider = new AntiForgeryTokenProvider(
        config: options,
        claimUidExtractor: claimUidExtractor.Object,
        additionalDataProvider: null);

    // Act
    var formToken = tokenProvider.GenerateFormToken(context, identity, sessionToken);

    // Assert
    Assert.NotNull(formToken);
    Assert.False(formToken.IsSessionToken);
    Assert.Equal(sessionToken.SecurityToken, formToken.SecurityToken);
    Assert.Equal(expectedClaimUid, formToken.ClaimUid);
    Assert.Equal("", formToken.Username);
    Assert.Equal("", formToken.AdditionalData);
}
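/// <summary>
/// A field token whose embedded ClaimUid differs from the one the extractor reports for
/// the current identity must be rejected: the token was minted for another claims-based
/// user. The security tokens match, so this isolates the per-user binding check.
/// </summary>
public void ValidateTokens_ClaimUidMismatch()
{
    // Arrange
    var httpContext = new Mock<HttpContext>().Object;
    var identity = GetAuthenticatedIdentity("the-user");
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var fieldtoken = new AntiForgeryToken()
    {
        SecurityToken = sessionToken.SecurityToken,
        IsSessionToken = false,
        ClaimUid = new BinaryBlob(256)
    };
    var differentToken = new BinaryBlob(256);
    // Make the premise explicit: the two randomly generated blobs must actually differ,
    // otherwise this test would be checking the success path instead.
    Assert.NotEqual(fieldtoken.ClaimUid, differentToken);

    var mockClaimUidExtractor = new Mock<IClaimUidExtractor>();
    mockClaimUidExtractor
        .Setup(o => o.ExtractClaimUid(identity))
        .Returns(Convert.ToBase64String(differentToken.GetData()));
    var tokenProvider = new AntiForgeryTokenProvider(
        config: null,
        claimUidExtractor: mockClaimUidExtractor.Object,
        additionalDataProvider: null);

    // Act & assert
    var ex = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(httpContext, identity, sessionToken, fieldtoken));
    Assert.Equal(
        @"The provided anti-forgery token was meant for a different claims-based user than the current user.",
        ex.Message);
}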
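/// <summary>
/// Happy path for a claims-based identity: the field token embeds a ClaimUid and the
/// extractor reports the same value (base64 of the blob) for the current identity, so
/// ValidateTokens must not throw.
/// </summary>
public void ValidateTokens_Success_ClaimsBasedUser()
{
    // Arrange
    var httpContext = new Mock<HttpContext>().Object;
    var identity = GetAuthenticatedIdentity("the-user");
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var fieldtoken = new AntiForgeryToken()
    {
        SecurityToken = sessionToken.SecurityToken,
        IsSessionToken = false,
        ClaimUid = new BinaryBlob(256)
    };
    var mockClaimUidExtractor = new Mock<IClaimUidExtractor>();
    mockClaimUidExtractor
        .Setup(o => o.ExtractClaimUid(identity))
        .Returns(Convert.ToBase64String(fieldtoken.ClaimUid.GetData()));
    var config = new AntiForgeryOptions();
    var tokenProvider = new AntiForgeryTokenProvider(
        config: config,
        claimUidExtractor: mockClaimUidExtractor.Object,
        additionalDataProvider: null);

    // Act
    tokenProvider.ValidateTokens(httpContext, identity, sessionToken, fieldtoken);

    // Assert
    // Not throwing is the primary signal. Additionally prove that the claim UID of the
    // current identity was actually looked up — a provider that skipped the per-user
    // binding check entirely would otherwise pass this "success" test too.
    mockClaimUidExtractor.Verify(o => o.ExtractClaimUid(identity), Times.Once());
}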
/// <summary>
/// When the custom additional-data provider rejects the data embedded in the field token,
/// validation must fail with the "custom data check" message even though the security
/// tokens match and the identity (anonymous here) raises no user-binding concern.
/// </summary>
public void ValidateTokens_AdditionalDataRejected()
{
    // Arrange
    var context = new Mock<HttpContext>().Object;
    var anonymous = new ClaimsIdentity();
    var cookieToken = new AntiForgeryToken() { IsSessionToken = true };
    var formToken = new AntiForgeryToken()
    {
        SecurityToken = cookieToken.SecurityToken,
        Username = String.Empty,
        IsSessionToken = false,
        AdditionalData = "some-additional-data"
    };

    // The provider vetoes exactly the data carried by the form token.
    var additionalDataProvider = new Mock<IAntiForgeryAdditionalDataProvider>();
    additionalDataProvider
        .Setup(o => o.ValidateAdditionalData(context, "some-additional-data"))
        .Returns(false);

    var tokenProvider = new AntiForgeryTokenProvider(
        config: new AntiForgeryOptions(),
        claimUidExtractor: null,
        additionalDataProvider: additionalDataProvider.Object);

    // Act & assert
    var ex = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(context, anonymous, cookieToken, formToken));
    Assert.Equal("The provided anti-forgery token failed a custom data check.", ex.Message);
}
/// <summary>
/// A field token minted for <paramref name="embeddedUsername"/> must be rejected when the
/// current identity is <paramref name="identityUsername"/>. The claim-UID extractor is
/// stubbed to return null so that the provider falls back to comparing usernames.
/// The parameter data for this theory comes from attributes that are not visible here.
/// </summary>
public void ValidateTokens_UsernameMismatch(string identityUsername, string embeddedUsername)
{
    // Arrange
    var context = new Mock<HttpContext>().Object;
    var currentIdentity = GetAuthenticatedIdentity(identityUsername);

    var cookieToken = new AntiForgeryToken() { IsSessionToken = true };
    var formToken = new AntiForgeryToken()
    {
        SecurityToken = cookieToken.SecurityToken,
        Username = embeddedUsername,
        IsSessionToken = false
    };

    // No claim UID for this identity => username comparison is the deciding check.
    var claimUidExtractor = new Mock<IClaimUidExtractor>();
    claimUidExtractor
        .Setup(o => o.ExtractClaimUid(currentIdentity))
        .Returns((string)null);

    var tokenProvider = new AntiForgeryTokenProvider(
        config: null,
        claimUidExtractor: claimUidExtractor.Object,
        additionalDataProvider: null);

    // Act & assert
    var ex = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(context, currentIdentity, cookieToken, formToken));

    var expectedMessage =
        "The provided anti-forgery token was meant for user \"" + embeddedUsername +
        "\", but the current user is \"" + identityUsername + "\".";
    Assert.Equal(expectedMessage, ex.Message);
}
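/// <summary>
/// A field token whose embedded ClaimUid differs from the one the extractor reports for
/// the current identity must be rejected: the token was minted for another claims-based
/// user. The security tokens match, so this isolates the per-user binding check.
/// </summary>
public void ValidateTokens_ClaimUidMismatch()
{
    // Arrange
    var httpContext = new Mock<HttpContext>().Object;
    var identity = GetAuthenticatedIdentity("the-user");
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var fieldtoken = new AntiForgeryToken()
    {
        SecurityToken = sessionToken.SecurityToken,
        IsSessionToken = false,
        ClaimUid = new BinaryBlob(256)
    };
    var differentToken = new BinaryBlob(256);
    // Make the premise explicit: the two randomly generated blobs must actually differ,
    // otherwise this test would be checking the success path instead.
    Assert.NotEqual(fieldtoken.ClaimUid, differentToken);

    var mockClaimUidExtractor = new Mock<IClaimUidExtractor>();
    mockClaimUidExtractor
        .Setup(o => o.ExtractClaimUid(identity))
        .Returns(Convert.ToBase64String(differentToken.GetData()));
    var tokenProvider = new AntiForgeryTokenProvider(
        config: null,
        claimUidExtractor: mockClaimUidExtractor.Object,
        additionalDataProvider: null);

    // Act & assert
    var ex = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(httpContext, identity, sessionToken, fieldtoken));
    Assert.Equal(
        @"The provided anti-forgery token was meant for a different claims-based user than the current user.",
        ex.Message);
}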
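/// <summary>
/// Two independently created tokens carry different SecurityTokens; a field token whose
/// SecurityToken does not match the cookie token must be rejected with the "do not match"
/// message. This is the core CSRF check, so it is exercised with no user binding at all.
/// </summary>
public void ValidateTokens_FieldAndSessionTokensHaveDifferentSecurityKeys()
{
    // Arrange
    var httpContext = new Mock<HttpContext>().Object;
    ClaimsIdentity identity = new Mock<ClaimsIdentity>().Object;
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var fieldtoken = new AntiForgeryToken() { IsSessionToken = false };
    var tokenProvider = new AntiForgeryTokenProvider(
        config: null,
        claimUidExtractor: null,
        additionalDataProvider: null);

    // Make the premise explicit: the test is only meaningful if the two freshly created
    // tokens really do carry different security keys.
    Assert.NotEqual(sessionToken.SecurityToken, fieldtoken.SecurityToken);

    // Act & assert
    var ex = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(httpContext, identity, sessionToken, fieldtoken));
    Assert.Equal(@"The anti-forgery cookie token and form field token do not match.", ex.Message);
}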
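/// <summary>
/// The cookie slot must hold a session token and the form-field slot a non-session token.
/// Any other arrangement — a field token in both slots, a session token in both slots, or
/// the two genuinely swapped — must fail with the "were swapped" message, which names the
/// configured cookie and form-field names.
/// </summary>
public void ValidateTokens_FieldAndSessionTokensSwapped()
{
    // Arrange
    var httpContext = new Mock<HttpContext>().Object;
    ClaimsIdentity identity = new Mock<ClaimsIdentity>().Object;
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var fieldtoken = new AntiForgeryToken() { IsSessionToken = false };
    var config = new AntiForgeryOptions()
    {
        CookieName = "my-cookie-name",
        FormFieldName = "my-form-field-name"
    };
    var tokenProvider = new AntiForgeryTokenProvider(
        config: config,
        claimUidExtractor: null,
        additionalDataProvider: null);
    var expectedMessage =
        "Validation of the provided anti-forgery token failed. " +
        @"The cookie ""my-cookie-name"" and the form field ""my-form-field-name"" were swapped.";

    // Act & assert
    // Field token in the cookie slot.
    var ex1 = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(httpContext, identity, fieldtoken, fieldtoken));
    Assert.Equal(expectedMessage, ex1.Message);

    // Session token in the form-field slot.
    var ex2 = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(httpContext, identity, sessionToken, sessionToken));
    Assert.Equal(expectedMessage, ex2.Message);

    // The case the test is named for: both tokens present but in each other's slot.
    var ex3 = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(httpContext, identity, fieldtoken, sessionToken));
    Assert.Equal(expectedMessage, ex3.Message);
}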
/// <summary>
/// A request with a cookie token but no form-field token must be rejected, and the error
/// must name the configured form field so operators can see which field was expected.
/// </summary>
public void ValidateTokens_FieldTokenMissing()
{
    // Arrange
    var context = new Mock<HttpContext>().Object;
    ClaimsIdentity identity = new Mock<ClaimsIdentity>().Object;
    var cookieToken = new AntiForgeryToken() { IsSessionToken = true };
    AntiForgeryToken missingFormToken = null;

    var options = new AntiForgeryOptions() { FormFieldName = "my-form-field-name" };
    var tokenProvider = new AntiForgeryTokenProvider(
        config: options,
        claimUidExtractor: null,
        additionalDataProvider: null);

    // Act & assert
    var ex = Assert.Throws<InvalidOperationException>(
        () => tokenProvider.ValidateTokens(context, identity, cookieToken, missingFormToken));
    Assert.Equal(
        "The required anti-forgery form field \"my-form-field-name\" is not present.",
        ex.Message);
}
/// <summary>
/// An authenticated identity without a Name is acceptable for form-token generation as
/// long as an additional-data provider supplies some data. The resulting field token must
/// carry the cookie's SecurityToken, an empty Username, no ClaimUid and that data.
/// </summary>
public void GenerateFormToken_AuthenticatedWithoutUsername_WithAdditionalData()
{
    // Arrange
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var context = new Mock<HttpContext>().Object;
    ClaimsIdentity nameless = new MyAuthenticatedIdentityWithoutUsername();

    var additionalDataProvider = new Mock<IAntiForgeryAdditionalDataProvider>();
    additionalDataProvider
        .Setup(o => o.GetAdditionalData(context))
        .Returns("additional-data");

    // Loose mock: ExtractClaimUid returns null, so no ClaimUid is embedded.
    var claimUidExtractor = new Mock<IClaimUidExtractor>().Object;
    var options = new AntiForgeryOptions();
    var tokenProvider = new AntiForgeryTokenProvider(
        config: options,
        claimUidExtractor: claimUidExtractor,
        additionalDataProvider: additionalDataProvider.Object);

    // Act
    var formToken = tokenProvider.GenerateFormToken(context, nameless, sessionToken);

    // Assert
    Assert.NotNull(formToken);
    Assert.False(formToken.IsSessionToken);
    Assert.Equal(sessionToken.SecurityToken, formToken.SecurityToken);
    Assert.Empty(formToken.Username);
    Assert.Null(formToken.ClaimUid);
    Assert.Equal("additional-data", formToken.AdditionalData);
}
/// <summary>
/// When the claim-UID extractor yields a value for the identity, the generated form token
/// embeds it as a 256-bit ClaimUid (decoded from the extractor's base64 string) and leaves
/// Username and AdditionalData empty, while still carrying the cookie's SecurityToken.
/// </summary>
public void GenerateFormToken_ClaimsBasedIdentity()
{
    // Arrange
    var sessionToken = new AntiForgeryToken() { IsSessionToken = true };
    var context = new Mock<HttpContext>().Object;
    var identity = GetAuthenticatedIdentity("some-identity");
    var options = new AntiForgeryOptions();

    // 256 random bits stand in for the claim UID the extractor would derive.
    var claimUidBytes = new byte[256 / 8];
    using (var rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(claimUidBytes);
    }
    var expectedClaimUid = new BinaryBlob(256, claimUidBytes);

    var claimUidExtractor = new Mock<IClaimUidExtractor>();
    claimUidExtractor
        .Setup(o => o.ExtractClaimUid(identity))
        .Returns(Convert.ToBase64String(claimUidBytes));

    var tokenProvider = new AntiForgeryTokenProvider(
        config: options,
        claimUidExtractor: claimUidExtractor.Object,
        additionalDataProvider: null);

    // Act
    var formToken = tokenProvider.GenerateFormToken(context, identity, sessionToken);

    // Assert
    Assert.NotNull(formToken);
    Assert.False(formToken.IsSessionToken);
    Assert.Equal(sessionToken.SecurityToken, formToken.SecurityToken);
    Assert.Equal(expectedClaimUid, formToken.ClaimUid);
    Assert.Equal("", formToken.Username);
    Assert.Equal("", formToken.AdditionalData);
}