Esempio n. 1
        /// <summary>
        ///     Issues a fresh CSRF token bound to the current request path, persists it
        ///     through <c>_context</c> and returns the token identifier as a string.
        /// </summary>
        /// <param name="context">Request whose path the token is recorded as valid on.</param>
        /// <returns>The new token id (a <see cref="Guid"/> in its default string format).</returns>
        public string GetAdditionalData(HttpContext context)
        {
            var tokenId = Guid.NewGuid();

            // NOTE(review): DateTime.Now is server-local time; whatever code later compares
            // ExpiresOn must read the same clock or the 5-minute window shifts with the
            // server's UTC offset / DST — confirm against the consumer of this record.
            var record = new CsrfToken
            {
                CsrfTokenId      = tokenId,
                ExpiresOn        = DateTime.Now.AddMinutes(5),
                TokenValidOnPage = context.Request.Path,
                IsUsed           = false,
            };

            _context.CsrfToken.Add(record);
            _context.SaveChanges();

            return tokenId.ToString();
        }
Esempio n. 2
        /// <summary>
        ///     Two tokens whose random-byte array is empty, each signed with the test
        ///     HMAC provider, must be classified as tampered with rather than as a match.
        /// </summary>
        public void Should_return_token_mismatch_if_random_bytes_empty()
        {
            DateTime createdAt = DateTime.Now;

            // Each call yields a distinct token instance with its own (empty) byte array.
            CsrfToken BuildToken() => new CsrfToken {
                CreatedDate = createdAt, RandomBytes = ArrayCache.Empty<byte>()
            };

            var first  = BuildToken();
            var second = BuildToken();

            first.CreateHmac(this.hmacProvider);
            second.CreateHmac(this.hmacProvider);

            var outcome = this.validator.Validate(first, second);

            outcome.ShouldEqual(CsrfTokenValidationResult.TokenTamperedWith);
        }
Esempio n. 3
        /// <summary>
        ///     Two tokens with identical creation time and random bytes, both signed by
        ///     the test HMAC provider, validate as <c>Ok</c> when no validity period is given.
        /// </summary>
        public void Should_return_token_ok_if_tokens_match_and_no_expiry_set()
        {
            DateTime createdAt = DateTime.Now;

            // Each call yields a distinct token instance with its own byte array.
            CsrfToken BuildToken() => new CsrfToken {
                CreatedDate = createdAt, RandomBytes = new byte[] { 1, 2, 3 }
            };

            var first  = BuildToken();
            var second = BuildToken();

            first.CreateHmac(this.hmacProvider);
            second.CreateHmac(this.hmacProvider);

            var outcome = this.validator.Validate(first, second);

            outcome.ShouldEqual(CsrfTokenValidationResult.Ok);
        }
Esempio n. 4
        /// <summary>
        ///     Two correctly signed tokens whose random bytes differ in one position must
        ///     be reported as a mismatch (not as tampering, since each HMAC is valid).
        /// </summary>
        public void Should_return_token_mismatch_if_tokens_differ()
        {
            DateTime createdAt = DateTime.Now;

            CsrfToken BuildToken(byte[] randomBytes) => new CsrfToken {
                CreatedDate = createdAt, RandomBytes = randomBytes
            };

            var first  = BuildToken(new byte[] { 1, 2, 3 });
            var second = BuildToken(new byte[] { 1, 4, 3 });

            first.CreateHmac(this.hmacProvider);
            second.CreateHmac(this.hmacProvider);

            var outcome = this.validator.Validate(first, second);

            outcome.ShouldEqual(CsrfTokenValidationResult.TokenMismatch);
        }
Esempio n. 5
        /// <summary>
        ///     Matching tokens created one hour ago validate as <c>Ok</c> when the
        ///     supplied validity period (1h30m) has not yet elapsed.
        /// </summary>
        public void Should_return_ok_if_valid_and_not_expired()
        {
            DateTime createdAt = DateTime.Now.AddHours(-1);

            // Each call yields a distinct token instance with its own byte array.
            CsrfToken BuildToken() => new CsrfToken {
                CreatedDate = createdAt, RandomBytes = new byte[] { 1, 2, 3 }
            };

            var first  = BuildToken();
            var second = BuildToken();

            first.CreateHmac(this.hmacProvider);
            second.CreateHmac(this.hmacProvider);

            // 1 hour 30 minutes: comfortably longer than the tokens' one-hour age.
            var window  = new TimeSpan(1, 30, 0);
            var outcome = this.validator.Validate(first, second, validityPeriod: window);

            outcome.ShouldEqual(CsrfTokenValidationResult.Ok);
        }
Esempio n. 6
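        /// <summary>
        ///     Creates a basic login result: builds the JWT payload for the user, merges in
        ///     any additional single-valued claims, records the issue time (ticks) and the
        ///     user's role-claim flags, then mints the access, refresh and CSRF tokens and
        ///     registers the refresh token via <c>AuthService.CreateToken</c>.
        ///     NOTE: If a key in <paramref name="additionalPayload"/> duplicates one already
        ///     produced by <c>CreateJwtPayload</c> (or equals <c>OwinKeys.Ticks</c>), the
        ///     dictionary throws <see cref="ArgumentException"/>.
        /// </summary>
        /// <param name="authUser">Authenticated user; its role claims are OR-ed per claim type into the payload.</param>
        /// <param name="client">Calling client; its <c>RefreshTokenMinutes</c> is copied onto <paramref name="config"/>.</param>
        /// <param name="config">JWT settings. Mutated: <c>RefreshMinutes</c> is overwritten from the client.</param>
        /// <param name="additionalPayload">Optional extra single-valued claims; may be null.</param>
        /// <returns>The populated <see cref="LoginResult"/>.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="authUser"/>, <paramref name="client"/> or <paramref name="config"/> is null.</exception>
        /// <exception cref="ArgumentException">A payload key is added twice.</exception>
        protected LoginResult GetBaseLoginResult(AuthUser authUser, AuthClient client, JwtConfig config, IDictionary <string, string> additionalPayload = null)
        {
            if (authUser == null) throw new ArgumentNullException(nameof(authUser));
            if (client == null) throw new ArgumentNullException(nameof(client));
            if (config == null) throw new ArgumentNullException(nameof(config));

            // MUST set refresh minutes by client.
            // NOTE(review): this writes into the caller's config instance; if that object is
            // shared between requests (e.g. a singleton), concurrent logins for clients with
            // different refresh lifetimes can race on this field — confirm how config is scoped.
            config.RefreshMinutes = client.RefreshTokenMinutes;
            var now = DateTime.UtcNow;
            IDictionary <string, string[]> payload = CreateJwtPayload(authUser, client);

            if (additionalPayload != null)
            {
                foreach (var kv in additionalPayload)
                {
                    payload.Add(kv.Key, new[] { kv.Value });
                }
            }

            // add issue time as ticks for easier parsing; invariant culture keeps the
            // digit string stable regardless of the server's current culture
            payload.Add(OwinKeys.Ticks, new[] { now.Ticks.ToString(System.Globalization.CultureInfo.InvariantCulture) });

            // add claims: one flag word per claim type, built by OR-ing the claim value ids
            var claimFlags = new Dictionary <int, int>();
            var roleClaims = authUser.UserRole?.UserRoleClaims;

            if (roleClaims != null)
            {
                foreach (var cgroup in roleClaims.GroupBy(cv => cv.ClaimTypeId))
                {
                    int claimValues = cgroup.Aggregate(0, (v, urc) => v | urc.ClaimValueId); // | them together
                    claimFlags.Add(cgroup.Key, claimValues);
                    payload[ClaimsHelper.SetTypePrefix(cgroup.Key)] = new [] { claimValues.ToString(System.Globalization.CultureInfo.InvariantCulture) };
                }
            }

            string accessToken  = JsonWebToken.CreateAccessToken(config, now, payload);
            string refreshToken = JsonWebToken.CreateRefreshToken(config, now, payload);
            string csrfToken    = CsrfToken.Create(accessToken);
            Guid   refreshGuid  = AuthService.CreateToken(authUser.Id, client.Id, now, config.RefreshMinutes, refreshToken);

            return new LoginResult
            {
                AuthUserId = authUser.Id,
                ClaimFlags = claimFlags,
                IssuedUtc = now,
                ExpiresUtc = now.AddMinutes(config.AccessMinutes),
                RefreshTokenIdentifier = refreshGuid.ToString(),
                Jwt = accessToken,
                CsrfToken = csrfToken
            };
        }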
Esempio n. 7
        /// <summary>
        ///     Matching tokens whose HMACs are both corrupted after signing must be
        ///     reported as tampered with, even though the two tokens still agree with
        ///     each other.
        /// </summary>
        public void Should_return_token_tampered_with_if_hmac_incorrect()
        {
            DateTime createdAt = DateTime.Now;

            // Each call yields a distinct token instance with its own byte array.
            CsrfToken BuildToken() => new CsrfToken {
                CreatedDate = createdAt, RandomBytes = new byte[] { 1, 2, 3 }
            };

            var first  = BuildToken();
            var second = BuildToken();

            first.CreateHmac(this.hmacProvider);
            second.CreateHmac(this.hmacProvider);

            // Corrupt the first HMAC byte of both tokens so neither signature verifies.
            first.Hmac[0] -= 1;
            second.Hmac[0] -= 1;

            var outcome = this.validator.Validate(first, second);

            outcome.ShouldEqual(CsrfTokenValidationResult.TokenTamperedWith);
        }
Esempio n. 8
        /// <summary>
        ///     Builds a <see cref="CsrfToken"/> from the <c>csrf</c> and <c>csrf_ts</c>
        ///     response headers, or returns null when either header is absent.
        /// </summary>
        /// <typeparam name="TContent">Payload type of the response; not used here.</typeparam>
        /// <param name="response">Response whose headers are inspected.</param>
        /// <param name="csrfClass">Classification stored on the returned token.</param>
        /// <returns>A token carrying the raw header strings, or null if one is missing.</returns>
        private CsrfToken GetCsrfToken <TContent>(RestResponse <TContent> response, CsrfClass csrfClass)
        {
            // Both headers are required. The values are kept verbatim — they are strings
            // off the wire and are neither parsed nor validated at this point.
            if (!response.Headers.TryGetValue("csrf", out string value) ||
                !response.Headers.TryGetValue("csrf_ts", out string timestamp))
            {
                return null;
            }

            return new CsrfToken
            {
                Timestamp = timestamp,
                Value     = value,
                Class     = csrfClass
            };
        }
Esempio n. 9
 /// <summary>
 ///     Placeholder validity check for the cookie-side CSRF token. It inspects nothing
 ///     and always reports the token as valid, so callers cannot rely on it to reject
 ///     stale or malformed cookie tokens.
 /// </summary>
 /// <param name="cookieToken">Token read from the cookie; ignored.</param>
 /// <returns>Always <c>true</c>.</returns>
 public bool CookieTokenStillValid(CsrfToken cookieToken) => true;
Esempio n. 10
 /// <summary>
 ///     Placeholder validator that reports <c>Ok</c> for every pair of tokens. Neither
 ///     token nor the validity period is examined, so this method performs no CSRF
 ///     check at all.
 /// </summary>
 /// <param name="tokenOne">First token; ignored.</param>
 /// <param name="tokenTwo">Second token; ignored.</param>
 /// <param name="validityPeriod">Optional maximum token age; ignored.</param>
 /// <returns>Always <see cref="CsrfTokenValidationResult.Ok"/>.</returns>
 public CsrfTokenValidationResult Validate(CsrfToken tokenOne, CsrfToken tokenTwo, TimeSpan? validityPeriod = null)
     => CsrfTokenValidationResult.Ok;