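public void Can_Validate_Generated_Tokens()
{
    // Round-trip check for an anonymous request: the cookie/header token pair issued by
    // AngularAntiForgeryHelper.GetTokens must be accepted by ValidateTokens.
    // NOTE(review): no negative case is exercised here (tampered or mismatched header
    // token), so the rejection path of ValidateTokens is not covered by this test.
    using (var writer = new StringWriter())
    {
        // The helper reads the ambient HttpContext.Current, so a fake request/response
        // pair is installed for the duration of the test...
        HttpContext.Current = new HttpContext(
            new HttpRequest("test.html", "http://test/", ""),
            new HttpResponse(writer));
        try
        {
            string cookieToken;
            string headerToken;
            AngularAntiForgeryHelper.GetTokens(out cookieToken, out headerToken);

            Assert.AreEqual(true, AngularAntiForgeryHelper.ValidateTokens(cookieToken, headerToken));
        }
        finally
        {
            // ...and cleared again so the static context does not leak into later tests
            // (the original left it set after the test finished).
            HttpContext.Current = null;
        }
    }
}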
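public void Can_Validate_Generated_Tokens_With_User()
{
    // Same round trip as the anonymous case, but with an authenticated principal on the
    // context, since the helper may bind the token to the current user.
    // NOTE(review): as with the anonymous test, only the accept path is asserted; a
    // mismatched header token or a token issued for a different user is never checked.
    using (var writer = new StringWriter())
    {
        // Fake request/response pair plus a basic-auth style identity named "test".
        HttpContext.Current = new HttpContext(
            new HttpRequest("test.html", "http://test/", ""),
            new HttpResponse(writer))
        {
            User = new GenericPrincipal(new HttpListenerBasicIdentity("test", "test"), new string[] {})
        };
        try
        {
            string cookieToken;
            string headerToken;
            AngularAntiForgeryHelper.GetTokens(out cookieToken, out headerToken);

            Assert.AreEqual(true, AngularAntiForgeryHelper.ValidateTokens(cookieToken, headerToken));
        }
        finally
        {
            // Reset the ambient context so the principal set above cannot bleed into
            // other tests running on this thread.
            HttpContext.Current = null;
        }
    }
}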
public override void OnActionExecuting(ActionExecutingContext filterContext)
{
    // CSRF gate for Angular requests: the anti-forgery header(s) sent by the client
    // must validate against the CSRF cookie, otherwise the action is short-circuited
    // with HTTP 417 (Expectation Failed) and never runs.
    var claimsIdentity = filterContext.HttpContext.User.Identity as ClaimsIdentity;

    // A claims identity that carries no CookiePath claim is deliberately let through
    // without validation — presumably it is not a cookie-authenticated back-office
    // identity; confirm this bypass matches the intended threat model. Anonymous
    // requests and non-claims identities do NOT take this branch and are validated.
    if (claimsIdentity != null && claimsIdentity.HasClaim(x => x.Type == ClaimTypes.CookiePath) == false)
    {
        base.OnActionExecuting(filterContext);
        return;
    }

    var request = filterContext.HttpContext.Request;

    // Collect the request headers as (name, values) pairs. The NameValueCollection
    // indexer returns a single comma-joined string for a multi-valued header, so
    // each entry normally ends up holding exactly one string.
    var collected = new List<KeyValuePair<string, List<string>>>();
    foreach (var name in request.Headers.AllKeys)
    {
        var value = request.Headers[name];
        var index = collected.FindIndex(x => x.Key == name);
        if (index >= 0)
        {
            collected[index].Value.Add(value);
        }
        else
        {
            collected.Add(new KeyValuePair<string, List<string>>(name, new List<string> { value }));
        }
    }

    // A missing CSRF cookie is passed as an empty string and left for the helper to reject.
    var csrfCookie = request.Cookies[AngularAntiForgeryHelper.CsrfValidationCookieName];
    var cookieValue = csrfCookie == null ? "" : csrfCookie.Value;

    var headerPairs = collected
        .Select(x => new KeyValuePair<string, IEnumerable<string>>(x.Key, x.Value))
        .ToArray();

    string failedReason;
    if (AngularAntiForgeryHelper.ValidateHeaders(headerPairs, cookieValue, out failedReason) == false)
    {
        // Fail closed. The failure reason is intentionally not echoed to the client;
        // a bare 417 is returned and the action is not executed.
        filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.ExpectationFailed);
        return;
    }

    base.OnActionExecuting(filterContext);
}