public async Task RecaptchaWithValidCredentials_WhenEveryoneIsChallenged()
{
using (var fakeRecaptchaServer = new FakeServer())
{
fakeRecaptchaServer.Start();
fakeRecaptchaServer.Expect.Get("/?secret=private_key&response=correct_response")
.Returns(HttpStatusCode.OK, JsonConvert.SerializeObject(new RecaptchaVerificationResponse
{
Succeeded = true
}));
using (var server = new IdentityServerWithRecaptcha()
.WithProtectedGrantType("password")
.WithPrivateKey("private_key")
.WithVerificationUri(fakeRecaptchaServer.BaseUri)
.WithChallengeAsBadRequest()
.WithPlatformSecurityShieldsUp()
.Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.WithGrantType("password")
.WithHttpHeaderRecaptchaResponseRaw("correct_response")
.Build()
.PostAsync();
response.StatusCode.Should().NotBe(HttpStatusCode.BadRequest);
}
}
}
public async Task RecaptchaResponseBody_WithDefaultChallengeTypeAndHost_ShouldContainExpectedCssInRecaptchaBody(string deviceType, string expectedHtml)
{
using (var server = new IdentityServerWithRecaptcha()
.WithProtectedGrantType("password")
.WithNumberOfAllowedLoginFailuresPerIpAddress(NumberOfAllowedLoginFailures)
.WithFailuresForIpAddress("192.168.1.101", NumberOfAllowedLoginFailures)
.WithPublicKey("recaptcha-public-key")
.WithContentServerName("public.example-api.com")
.Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.WithGrantType("password")
.WithLanguageCode("es-ES")
.WithEncodedDevice("device-id", deviceType, "some-device-name", "some-device-token")
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
var resource = await response.Content.ReadAsAsync <IdentityServerUnauthorizedChallengeResource>();
resource.ChallengeHtml.Should().Contain(expectedHtml);
}
}
public async Task RecaptchaWithInvalidRecaptchaAnswer_WithAnswerAsHeaderValue_ShouldChallenge(HttpStatusCode returnedStatusCode)
{
using (var fakeRecaptchaServer = new FakeServer())
{
fakeRecaptchaServer.Start();
fakeRecaptchaServer.Expect.Get("/?secret=private_key&response=correct_response")
.Returns(returnedStatusCode, string.Empty);
using (var server = new IdentityServerWithRecaptcha()
.WithProtectedGrantType("password")
.WithPrivateKey("private_key")
.WithVerificationUri(fakeRecaptchaServer.BaseUri)
.WithNumberOfAllowedLoginFailuresPerIpAddress(1).Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.WithHttpHeaderRecaptchaResponseBase64("correct_response")
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.OK);
}
}
}
public async Task RecaptchaWithValidCredentials_WithTooManyFailedLogins_ShouldPass()
{
const int NumberOfAllowedLoginFailures = 1;
using (var fakeRecaptchaServer = new FakeServer())
{
fakeRecaptchaServer.Start();
fakeRecaptchaServer.Expect.Get("/?secret=private_key&response=correct_response")
.Returns(HttpStatusCode.OK, JsonConvert.SerializeObject(new RecaptchaVerificationResponse
{
Succeeded = true
}));
using (var server = new IdentityServerWithRecaptcha()
.WithProtectedGrantType("password")
.WithPrivateKey("private_key")
.WithVerificationUri(fakeRecaptchaServer.BaseUri)
.WithNumberOfAllowedLoginFailuresPerIpAddress(NumberOfAllowedLoginFailures)
.WithFailuresForIpAddress("192.168.1.101", NumberOfAllowedLoginFailures + 1)
.WithChallengeAsBadRequest()
.WithNumberOfAllowedLoginFailuresPerIpAddress(NumberOfAllowedLoginFailures).Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.WithGrantType("password")
.WithHttpHeaderRecaptchaResponseRaw("correct_response")
.Build()
.PostAsync();
response.StatusCode.Should().NotBe(HttpStatusCode.BadRequest);
}
}
}
public async Task RecaptchaWithValidRecaptchaAnswer_WithAnswerAsAcrValue_ShouldNotChallenge()
{
using (var fakeRecaptchaServer = new FakeServer())
{
fakeRecaptchaServer.Start();
fakeRecaptchaServer.Expect.Get("/?secret=private_key&response=correct_response")
.Returns(HttpStatusCode.OK, JsonConvert.SerializeObject(new RecaptchaVerificationResponse
{
Succeeded = true
}));
using (var server = new IdentityServerWithRecaptcha()
.WithProtectedGrantType("password")
.WithPrivateKey("private_key")
.WithVerificationUri(fakeRecaptchaServer.BaseUri)
.WithNumberOfAllowedLoginFailuresPerIpAddress(1).Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.WithRecaptchaResponseAsAcrValue("correct_response")
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.OK);
var tokenResponse = await response.Content.ReadAsAsync <TokenResponseModel>();
tokenResponse.AccessToken.Should().NotBeNullOrEmpty();
}
}
}
public async Task RecaptchaWithValidRecaptchaAnswer_WithLongAnswerAsAcrValue_ShouldNotChallenge()
{
const string longAnswer = "sHPqR2vXe1Gvena4WLtGvpslvmQjQrrFVTQDUpTPJ05IAsEpxeuGuuWI4bpOE0fqVgk3GGSjZS3ZbAPwXJhpeZuEaQhg6Vyp8PqYKD1906snU6aWgphMtSpo4QLOgyzRbAtGV6km58lBWKvrzrzEzYUerm44QXngw0meLTmryh33X0xHMzTSm7DGueATSlSO2lCv9E9xKomDpOZVp8tDYEL5bJflNvB3fMD2P2kUftlb8iv6VON6flwMLYrCuweFPQZ61FizEJGwJ4zpS1Mfgw5hV9BEkHhYbmuYBoLniKkB4KwPrYOHFw9IwFyKTiqIQC70RVWODc4hpjVsLsP4xeNuIASjDKj33Np4XiocvEYv8JIYTWuEffot0SKWVE8OgNQH5BL77FkLjERV";
using (var fakeRecaptchaServer = new FakeServer())
{
fakeRecaptchaServer.Start();
fakeRecaptchaServer.Expect.Get("/?secret=private_key&response=" + longAnswer)
.Returns(HttpStatusCode.OK, JsonConvert.SerializeObject(new RecaptchaVerificationResponse
{
Succeeded = true
}));
using (var server = new IdentityServerWithRecaptcha()
.WithProtectedGrantType("password")
.WithPrivateKey("private_key")
.WithVerificationUri(fakeRecaptchaServer.BaseUri)
.WithNumberOfAllowedLoginFailuresPerIpAddress(1).Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.WithRecaptchaResponseAsAcrValue(longAnswer)
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.OK);
var tokenResponse = await response.Content.ReadAsAsync <TokenResponseModel>();
tokenResponse.AccessToken.Should().NotBeNullOrEmpty();
}
}
}
public async Task RecaptchaResponseBody_WithDefaultChallengeType_ShouldContainExpectedRecaptchaBody()
{
using (var server = new IdentityServerWithRecaptcha()
.WithProtectedGrantType("password")
.WithNumberOfAllowedLoginFailuresPerIpAddress(NumberOfAllowedLoginFailures)
.WithFailuresForIpAddress("192.168.1.101", NumberOfAllowedLoginFailures)
.WithPublicKey("recaptcha-public-key")
.Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.WithGrantType("password")
.WithLanguageCode("es-ES")
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
var resource = await response.Content.ReadAsAsync <IdentityServerUnauthorizedChallengeResource>();
resource.LinkToChallenge.Should().Be("/recaptcha/platform");
resource.Description.Should().Contain("add the x-recaptcha-answer");
resource.ChallengeHtml.Should().Contain("<script src=\"https://www.google.com/recaptcha/api.js?hl=es-ES\" async defer>");
resource.ChallengeHtml.Should().Contain("<div class=\"g-recaptcha\" data-sitekey=\"recaptcha-public-key\"></div>");
}
}
public async Task RecaptchaWithInvalidRecaptchaAnswer_WithAnswerAsAcrValue_ShouldChallenge()
{
using (var fakeRecaptchaServer = new FakeServer())
{
fakeRecaptchaServer.Start();
fakeRecaptchaServer.Expect.Get("/?secret=private_key&response=correct_response")
.Returns(HttpStatusCode.OK, JsonConvert.SerializeObject(new RecaptchaVerificationResponse
{
Succeeded = false
}));
using (var server = new IdentityServerWithRecaptcha()
.WithProtectedGrantType("password")
.WithPrivateKey("private_key")
.WithVerificationUri(fakeRecaptchaServer.BaseUri)
.WithNumberOfAllowedLoginFailuresPerIpAddress(1)
.WithFailuresForIpAddress("192.168.1.101", 1).Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.WithRecaptchaResponseAsAcrValue("correct_response")
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
response.Headers.WwwAuthenticate.Should().Contain(h => h.Scheme == "recaptcha");
response.Headers.WwwAuthenticate.Should().Contain(h => h.Parameter == @"url=""/recaptcha/platform""");
}
}
}
public async Task RecaptchaWithValidRecaptchaAnswer_WithLongAnswerAsAcrValue_AndAllTheTrimmings_ShouldNotChallenge()
{
const string longAnswer = "03ACgFB9vknGtsjy3YCRubfh4Nk4_9j4jIaJ8q5nPO6AOu391yoMxeQctcw6-OPt5HyBGjm8B25-xrQUDD-kQjoJOrY3IBiFa5fh__YC9RVbRTPxNrGdhdUjyJxVzQE5obPE1AUPScn3gyS6iaIOxgW_wB-ttxB-0_ybk7GP6Dz-QFnrXQaYYGZEEQxLHQReku_wwiOIWV40HFEpMx_Z-LwPBKOWO3fk2p3fQsnZGCcAhnszi6DfdYJWKdBmfra6BjcJ4Tfx2Xvyn75a4CmDwS7FYp6kg_dmzN1BaLPSA26DKndbrjL3lW2ghKsaat6TTcIx23M5jvcUlzsh5QxHWd3YhmmokS_QfZa0dyuWMUJ1TisYrVOGsg6p2tCiPIm5qLLaWl1scXMgA5PLBR3cx0fNy7Q72gbkfLOQ";
using (var fakeRecaptchaServer = new FakeServer())
{
fakeRecaptchaServer.Start();
fakeRecaptchaServer.Expect.Get("/?secret=private_key&response=" + longAnswer)
.Returns(HttpStatusCode.OK, JsonConvert.SerializeObject(new RecaptchaVerificationResponse
{
Succeeded = true
}));
using (var server = new IdentityServerWithRecaptcha()
.WithProtectedGrantType("password")
.WithPrivateKey("private_key")
.WithVerificationUri(fakeRecaptchaServer.BaseUri)
.WithNumberOfAllowedLoginFailuresPerIpAddress(1).Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.WithRecaptchaResponseAsAcrValue(longAnswer)
.WithEncodedDevice("id", "type", "name", "token")
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.OK);
var tokenResponse = await response.Content.ReadAsAsync <TokenResponseModel>();
tokenResponse.AccessToken.Should().NotBeNullOrEmpty();
}
}
}
public async Task RecaptchaWithPlatformLevelSecurity_WithShieldsUp_ShouldChallenge()
{
using (var server = new IdentityServerWithRecaptcha()
.WithPlatformSecurityShieldsUp()
.WithProtectedGrantType("password")
.WithNumberOfAllowedLoginFailuresPerIpAddress(NumberOfAllowedLoginFailures).Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
}
}
public async Task RecaptchaWithExcludedUsers_WitNonExcludedSubnet_ShouldChallenge()
{
using (var server = new IdentityServerWithRecaptcha()
.WithExcludedUsernamesMatching("randomuser")
.WithProtectedGrantType("password")
.WithNumberOfAllowedLoginFailuresPerIpAddress(1)
.WithFailuresForIpAddress("192.168.1.101", 1).Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
}
}
public async Task RecaptchaWithValidCredentials_WithUnsupportedGrantType_ShouldNotChallenge()
{
using (var server = new IdentityServerWithRecaptcha()
.WithNumberOfAllowedLoginFailuresPerIpAddress(NumberOfAllowedLoginFailures).Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.OK);
var tokenResponse = await response.Content.ReadAsAsync <TokenResponseModel>();
tokenResponse.AccessToken.Should().NotBeNullOrEmpty();
}
}
public async Task RecaptchaWithExcludedTenant_WitExcludedDeviceType_ShouldNotChallenge()
{
using (var server = new IdentityServerWithRecaptcha()
.WithExcludedDevicesMatching("ios")
.WithProtectedGrantType("password")
.WithNumberOfAllowedLoginFailuresPerIpAddress(1)
.WithFailuresForIpAddress("192.168.1.101", 1).Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.WithDeviceType("ios")
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.OK);
}
}
public async Task RecaptchaWithValidCredentials_WithBadRequestChallengeType_ShouldChallengAsBadRequest()
{
using (var server = new IdentityServerWithRecaptcha()
.WithProtectedGrantType("password")
.WithNumberOfAllowedLoginFailuresPerIpAddress(NumberOfAllowedLoginFailures)
.WithFailuresForIpAddress("192.168.1.101", NumberOfAllowedLoginFailures)
.WithChallengeAsBadRequest()
.WithNumberOfAllowedLoginFailuresPerIpAddress(NumberOfAllowedLoginFailures).Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.WithGrantType("password")
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
}
}
public async Task RecaptchaWithValidCredentials_WithDefaultChallengeType_ShouldChallengeAsUnauthorized()
{
using (var server = new IdentityServerWithRecaptcha()
.WithProtectedGrantType("password")
.WithNumberOfAllowedLoginFailuresPerIpAddress(NumberOfAllowedLoginFailures)
.WithFailuresForIpAddress("192.168.1.101", NumberOfAllowedLoginFailures)
.Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.WithGrantType("password")
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
response.Headers.WwwAuthenticate.Should().Contain(h => h.Scheme == "recaptcha");
response.Headers.WwwAuthenticate.Should().Contain(h => h.Parameter == @"url=""/recaptcha/platform""");
}
}
public async Task RecaptchaResponseBody_WithDefaultClients_ShouldContainFullRecaptchaHtml()
{
using (var server = new IdentityServerWithRecaptcha()
.WithProtectedGrantType("password")
.WithNumberOfAllowedLoginFailuresPerIpAddress(NumberOfAllowedLoginFailures)
.WithFailuresForIpAddress("192.168.1.101", NumberOfAllowedLoginFailures)
.WithPublicKey("recaptcha-public-key")
.Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.WithGrantType("password")
.WithLanguageCode("es-ES")
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
var resource = await response.Content.ReadAsAsync <IdentityServerUnauthorizedChallengeResource>();
resource.ChallengeHtml.Should().StartWith("<!DOCTYPE html>");
}
}
public async Task RecaptchaWithValidCredentials_WithBadRequestChallengeType_ShouldContainExpectedRecaptchaBody()
{
using (var server = new IdentityServerWithRecaptcha()
.WithProtectedGrantType("password")
.WithNumberOfAllowedLoginFailuresPerIpAddress(NumberOfAllowedLoginFailures)
.WithFailuresForIpAddress("192.168.1.101", NumberOfAllowedLoginFailures)
.WithChallengeAsBadRequest()
.WithNumberOfAllowedLoginFailuresPerIpAddress(NumberOfAllowedLoginFailures).Build())
{
var response = await server.CreateNativeLoginRequest()
.WithUsername("jeuser")
.WithPassword("Passw0rd")
.WithGrantType("password")
.Build()
.PostAsync();
response.StatusCode.Should().Be(HttpStatusCode.BadRequest);
var resource = await response.Content.ReadAsAsync <IdentityServerBadRequestChallengeResource>();
resource.Message.Should().Contain("Please complete the Recaptcha");
resource.ChallengeHtml.Should().Contain("<script src=\"https://www.google.com/recaptcha/api.js?hl=en-GB\" async defer>");
}
}
