public async Task InvalidCookieToken_Throws() { // Arrange var server = TestHelper.CreateServer(_app, SiteName, _configureServices); var client = server.CreateClient(); var getResponse = await client.GetAsync("http://localhost/Account/Login"); var responseBody = await getResponse.Content.ReadAsStringAsync(); var formToken = AntiforgeryTestHelper.RetrieveAntiforgeryToken(responseBody, "Account/Login"); var cookieToken = AntiforgeryTestHelper.RetrieveAntiforgeryCookie(getResponse); var request = new HttpRequestMessage(HttpMethod.Post, "http://localhost/Account/Login"); request.Headers.Add("Cookie", cookieToken.Key + "=invalidCookie"); var nameValueCollection = new List <KeyValuePair <string, string> > { new KeyValuePair <string, string>("__RequestVerificationToken", formToken), new KeyValuePair <string, string>("UserName", "abra"), new KeyValuePair <string, string>("Password", "cadabra"), }; request.Content = new FormUrlEncodedContent(nameValueCollection); // Act var response = await client.SendAsync(request); // Assert var exception = response.GetServerException(); Assert.Equal("The antiforgery token could not be decrypted.", exception.ExceptionMessage); }
public async Task MultipleFormPostWithingASingleView_AreAllowed() { // Arrange var server = TestHelper.CreateServer(_app, SiteName, _configureServices); var client = server.CreateClient(); // do a get response. var getResponse = await client.GetAsync("http://localhost/Account/Login"); var responseBody = await getResponse.Content.ReadAsStringAsync(); // Get the AF token for the second login. If the cookies are generated twice(i.e are different), // this AF token will not work with the first cookie. var formToken = AntiforgeryTestHelper.RetrieveAntiforgeryToken(responseBody, "Account/UseFacebookLogin"); var cookieToken = AntiforgeryTestHelper.RetrieveAntiforgeryCookie(getResponse); var request = new HttpRequestMessage(HttpMethod.Post, "http://localhost/Account/Login"); request.Headers.Add("Cookie", cookieToken.Key + "=" + cookieToken.Value); var nameValueCollection = new List <KeyValuePair <string, string> > { new KeyValuePair <string, string>("__RequestVerificationToken", formToken), new KeyValuePair <string, string>("UserName", "abra"), new KeyValuePair <string, string>("Password", "cadabra"), }; request.Content = new FormUrlEncodedContent(nameValueCollection); // Act var response = await client.SendAsync(request); // Assert Assert.Equal(HttpStatusCode.OK, response.StatusCode); Assert.Equal("OK", await response.Content.ReadAsStringAsync()); }
public async Task SetCookieAndHeaderBeforeFlushAsync_PostToForm() { // Arrange var server = TestHelper.CreateServer(_app, SiteName, _configureServices); var client = server.CreateClient(); // do a get response. var getResponse = await client.GetAsync("http://localhost/Account/FlushAsyncLogin"); var responseBody = await getResponse.Content.ReadAsStringAsync(); var formToken = AntiforgeryTestHelper.RetrieveAntiforgeryToken(responseBody, "Account/FlushAsyncLogin"); var cookieToken = AntiforgeryTestHelper.RetrieveAntiforgeryCookie(getResponse); var request = new HttpRequestMessage(HttpMethod.Post, "http://localhost/Account/FlushAsyncLogin"); request.Headers.Add("Cookie", cookieToken.Key + "=" + cookieToken.Value); var nameValueCollection = new List <KeyValuePair <string, string> > { new KeyValuePair <string, string>("__RequestVerificationToken", formToken), new KeyValuePair <string, string>("UserName", "test"), new KeyValuePair <string, string>("Password", "password"), }; request.Content = new FormUrlEncodedContent(nameValueCollection); // Act var response = await client.SendAsync(request); // Assert Assert.Equal(HttpStatusCode.OK, response.StatusCode); Assert.Equal("OK", await response.Content.ReadAsStringAsync()); }
public async Task MissingAFToken_Throws() { // Arrange var getResponse = await Client.GetAsync("http://localhost/Account/Login"); var responseBody = await getResponse.Content.ReadAsStringAsync(); var cookieToken = AntiforgeryTestHelper.RetrieveAntiforgeryCookie(getResponse); var request = new HttpRequestMessage(HttpMethod.Post, "http://localhost/Account/Login"); request.Headers.Add("Cookie", cookieToken.Key + "=" + cookieToken.Value); var nameValueCollection = new List <KeyValuePair <string, string> > { new KeyValuePair <string, string>("UserName", "abra"), new KeyValuePair <string, string>("Password", "cadabra"), }; request.Content = new FormUrlEncodedContent(nameValueCollection); // Act var response = await Client.SendAsync(request); // Assert var exception = response.GetServerException(); Assert.Equal("The required antiforgery form field \"__RequestVerificationToken\" is not present.", exception.ExceptionMessage); }
public async Task IncompatibleCookieToken_Throws() { // Arrange var server = TestHelper.CreateServer(_app, SiteName, _configureServices); var client = server.CreateClient(); // do a get response. // We do two requests to get two different sets of antiforgery cookie and token values. var getResponse1 = await client.GetAsync("http://localhost/Account/Login"); var responseBody1 = await getResponse1.Content.ReadAsStringAsync(); var formToken1 = AntiforgeryTestHelper.RetrieveAntiforgeryToken(responseBody1, "Account/Login"); var getResponse2 = await client.GetAsync("http://localhost/Account/Login"); var responseBody2 = await getResponse2.Content.ReadAsStringAsync(); var cookieToken2 = AntiforgeryTestHelper.RetrieveAntiforgeryCookie(getResponse2); var cookieToken = cookieToken2.Value; var request = new HttpRequestMessage(HttpMethod.Post, "http://localhost/Account/Login"); request.Headers.Add("Cookie", string.Format("{0}={1}", cookieToken2.Key, cookieToken2.Value)); var formToken = formToken1; var nameValueCollection = new List <KeyValuePair <string, string> > { new KeyValuePair <string, string>("__RequestVerificationToken", formToken), new KeyValuePair <string, string>("UserName", "abra"), new KeyValuePair <string, string>("Password", "cadabra"), }; request.Content = new FormUrlEncodedContent(nameValueCollection); // Act var response = await client.SendAsync(request); // Assert var exception = response.GetServerException(); Assert.Equal("The antiforgery cookie token and form field token do not match.", exception.ExceptionMessage); }