        /// <summary>
        /// Round-trip check: the cookie/header token pair issued by
        /// <see cref="AngularAntiForgeryHelper.GetTokens"/> must be accepted by
        /// <see cref="AngularAntiForgeryHelper.ValidateTokens"/> when no principal is attached to the context.
        /// </summary>
        public void Can_Validate_Generated_Tokens()
        {
            using (var responseOutput = new StringWriter())
            {
                // The helper presumably reads HttpContext.Current, so a minimal context is wired up first.
                var request = new HttpRequest("test.html", "http://test/", "");
                var response = new HttpResponse(responseOutput);
                HttpContext.Current = new HttpContext(request, response);

                string issuedCookieToken;
                string issuedHeaderToken;
                AngularAntiForgeryHelper.GetTokens(out issuedCookieToken, out issuedHeaderToken);

                var accepted = AngularAntiForgeryHelper.ValidateTokens(issuedCookieToken, issuedHeaderToken);
                Assert.AreEqual(true, accepted);
            }
        }
        /// <summary>
        /// Same round trip as <c>Can_Validate_Generated_Tokens</c>, but with a principal
        /// (a basic identity named "test", no roles) attached to the current context before
        /// the tokens are generated and validated.
        /// </summary>
        public void Can_Validate_Generated_Tokens_With_User()
        {
            using (var responseOutput = new StringWriter())
            {
                var request = new HttpRequest("test.html", "http://test/", "");
                var response = new HttpResponse(responseOutput);
                var identity = new HttpListenerBasicIdentity("test", "test");
                var principal = new GenericPrincipal(identity, new string[0]);

                // Attach the principal before publishing the context, exactly as the initializer form did.
                var context = new HttpContext(request, response);
                context.User = principal;
                HttpContext.Current = context;

                string issuedCookieToken, issuedHeaderToken;
                AngularAntiForgeryHelper.GetTokens(out issuedCookieToken, out issuedHeaderToken);

                var accepted = AngularAntiForgeryHelper.ValidateTokens(issuedCookieToken, issuedHeaderToken);
                Assert.AreEqual(true, accepted);
            }
        }
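        /// <summary>
        /// Checks the Angular anti-forgery header/cookie pair before the action runs.
        /// A <see cref="ClaimsIdentity"/> that carries no <see cref="ClaimTypes.CookiePath"/> claim is
        /// passed through without validation; every other request has its headers and the
        /// <see cref="AngularAntiForgeryHelper.CsrfValidationCookieName"/> cookie checked by
        /// <see cref="AngularAntiForgeryHelper.ValidateHeaders"/>, and a failure short-circuits the
        /// action with HTTP 417 (Expectation Failed).
        /// </summary>
        /// <param name="filterContext">The MVC action-executing context supplied by the pipeline.</param>
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            var userIdentity = filterContext.HttpContext.User.Identity as ClaimsIdentity;

            // A claims identity without the CookiePath claim: nothing to validate, let the action proceed.
            if (userIdentity != null && userIdentity.HasClaim(x => x.Type == ClaimTypes.CookiePath) == false)
            {
                base.OnActionExecuting(filterContext);
                return;
            }

            var request = filterContext.HttpContext.Request;

            // One (name, values) pair per header name. GroupBy keeps first-seen order and yields one
            // value per occurrence, so repeated names (should AllKeys ever contain any) are merged
            // without the Any/First scan per key that the previous list-based version did.
            var headers = request.Headers.AllKeys
                .GroupBy(key => key)
                .Select(group => new KeyValuePair<string, IEnumerable<string>>(
                    group.Key,
                    group.Select(name => request.Headers[name]).ToList()))
                .ToArray();

            var cookie = request.Cookies[AngularAntiForgeryHelper.CsrfValidationCookieName];
            var cookieValue = cookie == null ? "" : cookie.Value;

            // failedReason is not surfaced in the response; the client only sees the status code.
            string failedReason;
            if (AngularAntiForgeryHelper.ValidateHeaders(headers, cookieValue, out failedReason) == false)
            {
                filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.ExpectationFailed);
                return;
            }

            base.OnActionExecuting(filterContext);
        }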