/// <summary>
/// API-shape sample: pushes an empty <see cref="AuthenticationProperties"/> through the
/// supplied <see cref="SecureDataFormat{TData}"/> and unprotects the result again.
/// Nothing is asserted or returned; only the Protect/Unprotect call surface is exercised.
/// </summary>
/// <param name="secure">Data format whose Protect/Unprotect pair is called.</param>
public void OwinDataHandler(SecureDataFormat<AuthenticationProperties> secure)
{
    var properties = new AuthenticationProperties();

    // Round-trip through the protector. The unprotected value is deliberately unused.
    var protectedValue = secure.Protect(properties);
    var roundTripped = secure.Unprotect(protectedValue);

    // Scratch buffer kept for parity with the original sample; it is never read or written.
    var scratch = new byte[10];
}
/// <summary>
/// Protecting a string and unprotecting it with the same protector (same purpose) returns
/// the original plaintext unchanged.
/// </summary>
public void ProtectDataRoundTrips()
{
    const string plaintext = "abcdefghijklmnopqrstuvwxyz0123456789";

    // "test" is the purpose string the protector is created with; protected payloads are
    // bound to it (see UnprotectWithDifferentPurposeFails for the negative case).
    var dataProtector = ServiceProvider
        .GetRequiredService<IDataProtectionProvider>()
        .CreateProtector("test");
    var format = new SecureDataFormat<string>(new StringSerializer(), dataProtector);

    var ciphertext = format.Protect(plaintext);

    Assert.Equal(plaintext, format.Unprotect(ciphertext));
}
/// <summary>
/// API-shape sample: round-trips an empty <see cref="AuthenticationProperties"/> through the
/// supplied <see cref="SecureDataFormat{TData}"/>, then round-trips a 10-byte zero buffer
/// through the supplied <see cref="ITextEncoder"/>. Nothing is asserted or returned.
/// </summary>
/// <param name="encoder">Text encoder whose Encode/Decode pair is called.</param>
/// <param name="secure">Data format whose Protect/Unprotect pair is called.</param>
public void OwinDataHandler(ITextEncoder encoder, SecureDataFormat<AuthenticationProperties> secure)
{
    var properties = new AuthenticationProperties();

    // Protect / Unprotect round-trip; the result is deliberately unused.
    var protectedValue = secure.Protect(properties);
    var roundTripped = secure.Unprotect(protectedValue);

    // Encode a zero-filled buffer to text and decode it back into the same local.
    var buffer = new byte[10];
    var text = encoder.Encode(buffer);
    buffer = encoder.Decode(text);
}
/// <summary>
/// Data protected under one purpose must not unprotect under no purpose or under a different
/// purpose. Unprotect reports the mismatch by returning null rather than throwing, so callers
/// have to null-check the result instead of relying on an exception.
/// </summary>
public void UnprotectWithDifferentPurposeFails()
{
    const string plaintext = "abcdefghijklmnopqrstuvwxyz0123456789";
    const string protectPurpose = "purpose1";
    const string otherPurpose = "purpose2";

    var dataProtector = ServiceProvider
        .GetRequiredService<IDataProtectionProvider>()
        .CreateProtector("test");
    var format = new SecureDataFormat<string>(new StringSerializer(), dataProtector);

    var ciphertext = format.Protect(plaintext, protectPurpose);

    // No purpose supplied: the payload is bound to "purpose1", so this must fail (null).
    Assert.Null(format.Unprotect(ciphertext));

    // Wrong purpose supplied: same outcome. A success here would let a token minted for one
    // feature be replayed against another that shares the same protector.
    Assert.Null(format.Unprotect(ciphertext, otherPurpose));
}
/// <summary>
/// Twitter sign-in callback with <c>RetrieveUserDetails</c> enabled: the handler must exchange
/// the request token for an access token, call verify_credentials with a signed OAuth 1.0a
/// Authorization header and <c>include_email=true</c>, and surface the returned e-mail as a claim.
/// </summary>
/// <remarks>
/// The state is protected with an EphemeralDataProtectionProvider, i.e. keys that live only in
/// this process; fine for a test, but not something a multi-instance deployment could rely on.
/// The correlation cookie sent with the callback has to match the ".xsrf" item sealed inside the
/// protected state — that pairing is presumably the handler's CSRF check on the callback, so both
/// are constructed here from the same value.
/// </remarks>
public async Task CanFetchUserDetails()
{
    const string verifyCredentialsEndpoint = "https://api.twitter.com/1.1/account/verify_credentials.json";
    const string accessTokenPath = "https://api.twitter.com/oauth/access_token";

    // Scheme + host + path only; query and fragment are stripped before comparison.
    static string PathOf(Uri uri) =>
        uri.GetComponents(UriComponents.SchemeAndServer | UriComponents.Path, UriFormat.UriEscaped);

    var verifyCredentialsPath = PathOf(new Uri(verifyCredentialsEndpoint));

    // Captured from the outbound verify_credentials call for the assertions below.
    var observedVerifyUri = string.Empty;
    var observedAuthorization = string.Empty;

    var stateFormat = new SecureDataFormat<RequestToken>(
        new RequestTokenSerializer(),
        new EphemeralDataProtectionProvider(NullLoggerFactory.Instance).CreateProtector("TwitterTest"));

    using var host = await CreateHost(options =>
    {
        options.ConsumerKey = "Test App Id";
        options.ConsumerSecret = "PLACEHOLDER";
        options.RetrieveUserDetails = true;
        options.StateDataFormat = stateFormat;
        options.BackchannelHttpHandler = new TestHttpMessageHandler
        {
            Sender = req =>
            {
                var path = PathOf(req.RequestUri);

                if (path == accessTokenPath)
                {
                    // Access-token exchange: form-encoded token, secret and identity fields.
                    var fields = new Dictionary<string, string>
                    {
                        { "oauth_token", "Test Access Token" },
                        { "oauth_token_secret", "PLACEHOLDER" },
                        { "user_id", "123456" },
                        { "screen_name", "@dotnet" },
                    };
                    return new HttpResponseMessage(HttpStatusCode.OK)
                    {
                        Content = new FormUrlEncodedContent(fields),
                    };
                }

                if (path == verifyCredentialsPath)
                {
                    // Record what the handler actually sent so the test can inspect the
                    // query string and the OAuth Authorization header parameters.
                    observedVerifyUri = req.RequestUri.ToString();
                    observedAuthorization = req.Headers.Authorization.Parameter;
                    return new HttpResponseMessage(HttpStatusCode.OK)
                    {
                        Content = new StringContent("{ \"email\": \"Test email\" }", Encoding.UTF8),
                    };
                }

                // Any other backchannel request is unexpected; returning null lets it fail.
                return null;
            }
        };
    });

    // Build the protected state the callback will present, including the correlation id.
    const string correlationValue = "TestCorrelationId";
    var requestToken = new RequestToken
    {
        Token = "TestToken",
        TokenSecret = "PLACEHOLDER",
        Properties = new(),
    };
    requestToken.Properties.Items.Add(".xsrf", correlationValue);
    requestToken.Properties.RedirectUri = "/me";
    var protectedState = stateFormat.Protect(requestToken);

    using var server = host.GetTestServer();
    var cookieHeader =
        $".AspNetCore.Correlation.{correlationValue}=N;__TwitterState={UrlEncoder.Default.Encode(protectedState)}";
    var transaction = await server.SendAsync(
        "https://example.com/signin-twitter?oauth_token=TestToken&oauth_verifier=TestVerifier",
        cookieHeader);

    Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode);
    Assert.Equal("/me", transaction.Response.Headers.GetValues("Location").First());

    // Exactly one '?' guards against a malformed query when include_email is appended.
    Assert.Equal(1, observedVerifyUri.Count(ch => ch == '?'));
    Assert.Contains("include_email=true", observedVerifyUri);

    // The OAuth 1.0a header must carry every signing parameter. Presence only is checked here;
    // the signature value itself is not verified by this test.
    foreach (var parameterName in new[]
    {
        "oauth_consumer_key",
        "oauth_nonce",
        "oauth_signature",
        "oauth_signature_method",
        "oauth_timestamp",
        "oauth_token",
        "oauth_version",
    })
    {
        Assert.Contains(parameterName + "=", observedAuthorization);
    }

    // Replay the issued authentication cookie and read back the claims it carries.
    var authCookie = transaction.AuthenticationCookieValue;
    transaction = await server.SendAsync("https://example.com/me", authCookie);
    Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode);

    var issuer = TwitterDefaults.AuthenticationScheme;
    Assert.Equal("@dotnet", transaction.FindClaimValue(ClaimTypes.Name, issuer));
    Assert.Equal("123456", transaction.FindClaimValue(ClaimTypes.NameIdentifier, issuer));
    Assert.Equal("123456", transaction.FindClaimValue("urn:twitter:userid", issuer));
    Assert.Equal("@dotnet", transaction.FindClaimValue("urn:twitter:screenname", issuer));
    Assert.Equal("Test email", transaction.FindClaimValue(ClaimTypes.Email, issuer));
}
/// <summary>
/// Twitter sign-in callback with <c>SaveTokens</c> enabled: the handler must exchange the
/// request token for an access token, redirect to the stored RedirectUri, issue an
/// authentication cookie carrying the identity claims, and make the access token and its
/// secret retrievable from that cookie.
/// </summary>
/// <remarks>
/// With SaveTokens the access token secret is stored in the authentication ticket (the final
/// assertion reads it back via /tokens), so the cookie's data protection is what guards that
/// secret; the state itself uses an in-process EphemeralDataProtectionProvider, which is fine
/// for a test but not for a multi-instance deployment. The correlation cookie sent with the
/// callback has to match the ".xsrf" item sealed inside the protected state — presumably the
/// handler's CSRF check on the callback — so both are built from the same value here.
/// </remarks>
public async Task CanSignIn()
{
    const string accessTokenPath = "https://api.twitter.com/oauth/access_token";

    // Scheme + host + path only; query and fragment are stripped before comparison.
    static string PathOf(Uri uri) =>
        uri.GetComponents(UriComponents.SchemeAndServer | UriComponents.Path, UriFormat.UriEscaped);

    var stateFormat = new SecureDataFormat<RequestToken>(
        new RequestTokenSerializer(),
        new EphemeralDataProtectionProvider(NullLoggerFactory.Instance).CreateProtector("TwitterTest"));

    using var host = await CreateHost(options =>
    {
        options.ConsumerKey = "Test App Id";
        options.ConsumerSecret = "PLACEHOLDER";
        options.SaveTokens = true;
        options.StateDataFormat = stateFormat;
        options.BackchannelHttpHandler = new TestHttpMessageHandler
        {
            Sender = req =>
            {
                if (PathOf(req.RequestUri) != accessTokenPath)
                {
                    // Only the access-token exchange is expected on the backchannel here.
                    return null;
                }

                var fields = new Dictionary<string, string>
                {
                    { "oauth_token", "Test Access Token" },
                    { "oauth_token_secret", "PLACEHOLDER" },
                    { "user_id", "123456" },
                    { "screen_name", "@dotnet" },
                };
                return new HttpResponseMessage(HttpStatusCode.OK)
                {
                    Content = new FormUrlEncodedContent(fields),
                };
            }
        };
    });

    // Build the protected state the callback will present, including the correlation id.
    const string correlationValue = "TestCorrelationId";
    var requestToken = new RequestToken
    {
        Token = "TestToken",
        TokenSecret = "PLACEHOLDER",
        Properties = new(),
    };
    requestToken.Properties.Items.Add(".xsrf", correlationValue);
    requestToken.Properties.RedirectUri = "/me";
    var protectedState = stateFormat.Protect(requestToken);

    using var server = host.GetTestServer();
    var cookieHeader =
        $".AspNetCore.Correlation.{correlationValue}=N;__TwitterState={UrlEncoder.Default.Encode(protectedState)}";
    var transaction = await server.SendAsync(
        "https://example.com/signin-twitter?oauth_token=TestToken&oauth_verifier=TestVerifier",
        cookieHeader);

    Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode);
    Assert.Equal("/me", transaction.Response.Headers.GetValues("Location").First());

    // Replay the issued authentication cookie and read back the claims it carries.
    var authCookie = transaction.AuthenticationCookieValue;
    transaction = await server.SendAsync("https://example.com/me", authCookie);
    Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode);

    var issuer = TwitterDefaults.AuthenticationScheme;
    Assert.Equal("@dotnet", transaction.FindClaimValue(ClaimTypes.Name, issuer));
    Assert.Equal("123456", transaction.FindClaimValue(ClaimTypes.NameIdentifier, issuer));
    Assert.Equal("123456", transaction.FindClaimValue("urn:twitter:userid", issuer));
    Assert.Equal("@dotnet", transaction.FindClaimValue("urn:twitter:screenname", issuer));

    // SaveTokens: both the access token and its secret must be retrievable from the ticket.
    transaction = await server.SendAsync("https://example.com/tokens", authCookie);
    Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode);
    Assert.Equal("Test Access Token", transaction.FindTokenValue("access_token"));
    Assert.Equal("PLACEHOLDER", transaction.FindTokenValue("access_token_secret"));
}