/// <summary>
/// A state token signed with a secret that differs from the parser's API key must be
/// reported as invalid, and no path may be recovered from it.
/// </summary>
public void FailValidationForIncorrectSecret()
{
    var client = CreateClient();

    // Build the token with a deliberately wrong secret; the parser below uses GetApiKey().
    var wrongKey = new ClientApiKeyConfiguration(id: "foo", secret: "notTheCorrectSecret987");
    var builder = new StateTokenBuilder(client, wrongKey) { Path = "/hello" };
    var token = builder.ToString();

    var parser = new StateTokenParser(client, GetApiKey(), token, null);

    parser.Valid.Should().BeFalse();
    parser.Path.Should().BeNull();
}
/// <summary>
/// Handles the Stormpath callback request: reads the <c>jwtResponse</c> query parameter,
/// parses it with the configured API key secret as signing key, requires the <c>stt</c>
/// header to equal <c>assertion</c>, validates the embedded <c>state</c> claim with
/// <see cref="StateTokenParser"/>, and then delegates to <c>HandleCallbackAsync</c>.
/// </summary>
/// <param name="context">The OWIN environment for the current request.</param>
/// <param name="client">The Stormpath client used to load the application and parse the JWT.</param>
/// <param name="contentNegotiationResult">Unused by this route.</param>
/// <param name="cancellationToken">Propagated to the asynchronous SDK calls.</param>
/// <returns>The result of <c>HandleCallbackAsync</c>.</returns>
/// <exception cref="ArgumentNullException">The <c>jwtResponse</c> parameter is missing or empty.</exception>
/// <exception cref="InvalidJwtException">Raised by the JWT parser, or when the <c>stt</c> header is not <c>assertion</c>; logged and rethrown.</exception>
/// <exception cref="InvalidOperationException">The state token did not validate.</exception>
protected override async Task<bool> GetAsync(IOwinEnvironment context, IClient client, ContentNegotiationResult contentNegotiationResult, CancellationToken cancellationToken)
{
    var application = await client.GetApplicationAsync(_configuration.Application.Href, cancellationToken);

    var query = QueryStringParser.Parse(context.Request.QueryString, _logger);
    var stormpathToken = query.GetString("jwtResponse");
    if (string.IsNullOrEmpty(stormpathToken))
    {
        // TODO: reply with a JSON error response instead of throwing
        throw new ArgumentNullException(nameof(stormpathToken), "Token was null.");
    }

    // TODO: Use StormpathAssertionAuthenticator at SDK level (when it's ready) to locally validate token
    try
    {
        var signingSecret = _configuration.Client.ApiKey.Secret;
        var parsedJwt = client.NewJwtParser()
            .SetSigningKey(signingSecret, Encoding.UTF8)
            .Parse(stormpathToken);

        // Only tokens whose "stt" header declares an assertion are accepted by this route.
        object tokenTypeHeader;
        parsedJwt.Header.TryGetValue("stt", out tokenTypeHeader);
        var isAssertion = tokenTypeHeader != null
            && tokenTypeHeader.ToString().Equals("assertion", StringComparison.Ordinal);
        if (!isAssertion)
        {
            throw new InvalidJwtException("The token is not of the correct type");
        }

        // Check the embedded state token against the configured API key before trusting the callback.
        var stateToken = parsedJwt.Body.ContainsClaim("state")
            ? parsedJwt.Body.GetClaim("state").ToString()
            : null;
        var parsedState = new StateTokenParser(client, _configuration.Client.ApiKey, stateToken, _logger);
        if (!parsedState.Valid)
        {
            // A null or empty state token is treated as invalid by the parser.
            _logger.Warn("State token was invalid", nameof(StormpathCallbackRoute));
            // TODO: reply with a JSON error response instead of throwing
            throw new InvalidOperationException("State token was invalid");
        }

        return await HandleCallbackAsync(context, client, application, parsedJwt, parsedState.Path, cancellationToken);
    }
    catch (InvalidJwtException ije)
    {
        _logger.Error(ije, message: "JWT failed validation", source: nameof(StormpathCallbackRoute));
        throw; // TODO: JSON error response
    }
}
/// <summary>
/// A state token built and parsed with the same API key must validate, carry the
/// original path unchanged, and expose a non-empty state value.
/// </summary>
public void RoundtripTokenWithPath()
{
    var client = CreateClient();
    var apiKey = GetApiKey();

    var builder = new StateTokenBuilder(client, apiKey) { Path = "/foo/bar/9" };
    var token = builder.ToString();

    var parser = new StateTokenParser(client, GetApiKey(), token, null);

    parser.Valid.Should().BeTrue();
    parser.Path.Should().Be("/foo/bar/9");
    parser.State.Should().NotBeNullOrEmpty();
}