Esempio n. 1
0
        public void OwinDataHandler(SecureDataFormat <AuthenticationProperties> secure)
        {
            AuthenticationProperties props = new AuthenticationProperties();

            string secured = secure.Protect(props);
            AuthenticationProperties unsecured = secure.Unprotect(secured);

            byte[] decoded = new byte[10];
        }
        public void ProtectDataRoundTrips()
        {
            var provider         = ServiceProvider.GetRequiredService <IDataProtectionProvider>();
            var prototector      = provider.CreateProtector("test");
            var secureDataFormat = new SecureDataFormat <string>(new StringSerializer(), prototector);

            string input         = "abcdefghijklmnopqrstuvwxyz0123456789";
            var    protectedData = secureDataFormat.Protect(input);
            var    result        = secureDataFormat.Unprotect(protectedData);

            Assert.Equal(input, result);
        }
Esempio n. 3
0
        public void OwinDataHandler(ITextEncoder encoder, SecureDataFormat <AuthenticationProperties> secure)
        {
            AuthenticationProperties props = new AuthenticationProperties();

            string secured = secure.Protect(props);
            AuthenticationProperties unsecured = secure.Unprotect(secured);

            byte[] decoded = new byte[10];
            string encoded = encoder.Encode(decoded);

            decoded = encoder.Decode(encoded);
        }
        public void UnprotectWithDifferentPurposeFails()
        {
            var provider         = ServiceProvider.GetRequiredService <IDataProtectionProvider>();
            var prototector      = provider.CreateProtector("test");
            var secureDataFormat = new SecureDataFormat <string>(new StringSerializer(), prototector);

            string input         = "abcdefghijklmnopqrstuvwxyz0123456789";
            string purpose       = "purpose1";
            var    protectedData = secureDataFormat.Protect(input, purpose);
            var    result        = secureDataFormat.Unprotect(protectedData); // Null other purpose

            Assert.Null(result);

            result = secureDataFormat.Unprotect(protectedData, "purpose2");
            Assert.Null(result);
        }
Esempio n. 5
0
    public async Task CanFetchUserDetails()
    {
        var verifyCredentialsEndpoint      = "https://api.twitter.com/1.1/account/verify_credentials.json";
        var finalVerifyCredentialsEndpoint = string.Empty;
        var finalAuthorizationParameter    = string.Empty;
        var stateFormat = new SecureDataFormat <RequestToken>(new RequestTokenSerializer(), new EphemeralDataProtectionProvider(NullLoggerFactory.Instance).CreateProtector("TwitterTest"));

        using var host = await CreateHost((options) =>
        {
            options.ConsumerKey            = "Test App Id";
            options.ConsumerSecret         = "PLACEHOLDER";
            options.RetrieveUserDetails    = true;
            options.StateDataFormat        = stateFormat;
            options.BackchannelHttpHandler = new TestHttpMessageHandler
            {
                Sender = req =>
                {
                    if (req.RequestUri.GetComponents(UriComponents.SchemeAndServer | UriComponents.Path, UriFormat.UriEscaped) == "https://api.twitter.com/oauth/access_token")
                    {
                        var res     = new HttpResponseMessage(HttpStatusCode.OK);
                        var content = new Dictionary <string, string>()
                        {
                            ["oauth_token"]        = "Test Access Token",
                            ["oauth_token_secret"] = "PLACEHOLDER",
                            ["user_id"]            = "123456",
                            ["screen_name"]        = "@dotnet"
                        };
                        res.Content = new FormUrlEncodedContent(content);
                        return(res);
                    }
                    if (req.RequestUri.GetComponents(UriComponents.SchemeAndServer | UriComponents.Path, UriFormat.UriEscaped) ==
                        new Uri(verifyCredentialsEndpoint).GetComponents(UriComponents.SchemeAndServer | UriComponents.Path, UriFormat.UriEscaped))
                    {
                        finalVerifyCredentialsEndpoint = req.RequestUri.ToString();
                        finalAuthorizationParameter    = req.Headers.Authorization.Parameter;
                        var res           = new HttpResponseMessage(HttpStatusCode.OK);
                        var graphResponse = "{ \"email\": \"Test email\" }";
                        res.Content       = new StringContent(graphResponse, Encoding.UTF8);
                        return(res);
                    }
                    return(null);
                }
            };
        });

        var token = new RequestToken()
        {
            Token       = "TestToken",
            TokenSecret = "PLACEHOLDER",
            Properties  = new()
        };

        var correlationKey   = ".xsrf";
        var correlationValue = "TestCorrelationId";

        token.Properties.Items.Add(correlationKey, correlationValue);
        token.Properties.RedirectUri = "/me";
        var state = stateFormat.Protect(token);

        using var server = host.GetTestServer();
        var transaction = await server.SendAsync(
            "https://example.com/signin-twitter?oauth_token=TestToken&oauth_verifier=TestVerifier",
            $".AspNetCore.Correlation.{correlationValue}=N;__TwitterState={UrlEncoder.Default.Encode(state)}");

        Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode);
        Assert.Equal("/me", transaction.Response.Headers.GetValues("Location").First());

        Assert.Equal(1, finalVerifyCredentialsEndpoint.Count(c => c == '?'));
        Assert.Contains("include_email=true", finalVerifyCredentialsEndpoint);

        Assert.Contains("oauth_consumer_key=", finalAuthorizationParameter);
        Assert.Contains("oauth_nonce=", finalAuthorizationParameter);
        Assert.Contains("oauth_signature=", finalAuthorizationParameter);
        Assert.Contains("oauth_signature_method=", finalAuthorizationParameter);
        Assert.Contains("oauth_timestamp=", finalAuthorizationParameter);
        Assert.Contains("oauth_token=", finalAuthorizationParameter);
        Assert.Contains("oauth_version=", finalAuthorizationParameter);

        var authCookie = transaction.AuthenticationCookieValue;

        transaction = await server.SendAsync("https://example.com/me", authCookie);

        Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode);
        var expectedIssuer = TwitterDefaults.AuthenticationScheme;

        Assert.Equal("@dotnet", transaction.FindClaimValue(ClaimTypes.Name, expectedIssuer));
        Assert.Equal("123456", transaction.FindClaimValue(ClaimTypes.NameIdentifier, expectedIssuer));
        Assert.Equal("123456", transaction.FindClaimValue("urn:twitter:userid", expectedIssuer));
        Assert.Equal("@dotnet", transaction.FindClaimValue("urn:twitter:screenname", expectedIssuer));
        Assert.Equal("Test email", transaction.FindClaimValue(ClaimTypes.Email, expectedIssuer));
    }
Esempio n. 6
0
    public async Task CanSignIn()
    {
        var stateFormat = new SecureDataFormat <RequestToken>(new RequestTokenSerializer(), new EphemeralDataProtectionProvider(NullLoggerFactory.Instance).CreateProtector("TwitterTest"));

        using var host = await CreateHost((options) =>
        {
            options.ConsumerKey            = "Test App Id";
            options.ConsumerSecret         = "PLACEHOLDER";
            options.SaveTokens             = true;
            options.StateDataFormat        = stateFormat;
            options.BackchannelHttpHandler = new TestHttpMessageHandler
            {
                Sender = req =>
                {
                    if (req.RequestUri.GetComponents(UriComponents.SchemeAndServer | UriComponents.Path, UriFormat.UriEscaped) == "https://api.twitter.com/oauth/access_token")
                    {
                        var res     = new HttpResponseMessage(HttpStatusCode.OK);
                        var content = new Dictionary <string, string>()
                        {
                            ["oauth_token"]        = "Test Access Token",
                            ["oauth_token_secret"] = "PLACEHOLDER",
                            ["user_id"]            = "123456",
                            ["screen_name"]        = "@dotnet"
                        };
                        res.Content = new FormUrlEncodedContent(content);
                        return(res);
                    }
                    return(null);
                }
            };
        });

        var token = new RequestToken()
        {
            Token       = "TestToken",
            TokenSecret = "PLACEHOLDER",
            Properties  = new()
        };

        var correlationKey   = ".xsrf";
        var correlationValue = "TestCorrelationId";

        token.Properties.Items.Add(correlationKey, correlationValue);
        token.Properties.RedirectUri = "/me";
        var state = stateFormat.Protect(token);

        using var server = host.GetTestServer();
        var transaction = await server.SendAsync(
            "https://example.com/signin-twitter?oauth_token=TestToken&oauth_verifier=TestVerifier",
            $".AspNetCore.Correlation.{correlationValue}=N;__TwitterState={UrlEncoder.Default.Encode(state)}");

        Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode);
        Assert.Equal("/me", transaction.Response.Headers.GetValues("Location").First());

        var authCookie = transaction.AuthenticationCookieValue;

        transaction = await server.SendAsync("https://example.com/me", authCookie);

        Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode);
        var expectedIssuer = TwitterDefaults.AuthenticationScheme;

        Assert.Equal("@dotnet", transaction.FindClaimValue(ClaimTypes.Name, expectedIssuer));
        Assert.Equal("123456", transaction.FindClaimValue(ClaimTypes.NameIdentifier, expectedIssuer));
        Assert.Equal("123456", transaction.FindClaimValue("urn:twitter:userid", expectedIssuer));
        Assert.Equal("@dotnet", transaction.FindClaimValue("urn:twitter:screenname", expectedIssuer));

        transaction = await server.SendAsync("https://example.com/tokens", authCookie);

        Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode);
        Assert.Equal("Test Access Token", transaction.FindTokenValue("access_token"));
        Assert.Equal("PLACEHOLDER", transaction.FindTokenValue("access_token_secret"));
    }