/// <summary>
/// A kept token that carries no extra data must be rejected when the value the
/// provider sends back does not match it.
/// </summary>
public void GivenSomeTokenWithNoExtraData_ThrowsIfTokenInvalid()
{
    // Arrange.
    var sut = new AntiForgery();
    string keptToken = Guid.NewGuid().ToString();
    const string tamperedToken = "YOU'VE BEEN HAXED SUCKA!";

    // Act/Assert: a mismatched "state" value is an authentication failure, nothing softer.
    Assert.Throws<AuthenticationException>(() => sut.ValidateToken(keptToken, tamperedToken));
}
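/// <summary>
/// A kept token that carries extra data must still be rejected when the value the
/// provider sends back does not match the token part.
/// </summary>
/// <remarks>
/// The test previously built <c>kept</c> and then validated the bare <c>token</c>
/// instead, so the extra-data path named in the test was never exercised. The
/// kept token is now the value passed to the validator.
/// </remarks>
public void GivenSomeTokenWithExtraData_ThrowsIfTokenInvalid()
{
    // Arrange.
    const string expectedExtraData = "/abc/123";
    var antiForgery = new AntiForgery();
    var guid = Guid.NewGuid();
    var token = guid.ToString();
    // Kept-token layout is "<token>|<base64(extraData)>", mirroring the valid-token test.
    string kept = String.Format("{0}|{1}", token, Convert.ToBase64String(Encoding.UTF8.GetBytes(expectedExtraData)));

    // Act/Assert: the cookie-kept token is what gets validated; a mismatched "state" must fail.
    Assert.Throws<AuthenticationException>(() => antiForgery.ValidateToken(kept, "YOU'VE BEEN HAXED SUCKA!"));
}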
/// <summary>
/// When the kept token and the returned value match and no extra data was
/// embedded, validation succeeds and yields <c>null</c> (nothing to hand back).
/// </summary>
public void GivenSomeTokenWithNoExtraData_ReturnsNullIfTokenValid()
{
    // Arrange.
    var sut = new AntiForgery();
    string tokenValue = Guid.NewGuid().ToString();

    // Act: kept and received are the same bare token.
    string extraData = sut.ValidateToken(tokenValue, tokenValue);

    // Assert.
    Assert.Null(extraData);
}
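/// <summary>
/// A kept token whose extra-data segment is not valid Base-64 surfaces the
/// decoder's <see cref="FormatException"/> rather than an authentication failure.
/// </summary>
/// <remarks>
/// Only the exception type is pinned now. The exact message text belongs to the
/// runtime and can vary across runtime versions and cultures, so asserting it
/// verbatim made the test brittle without adding coverage.
/// NOTE(review): the kept token is read from a client-controlled cookie in
/// AuthenticateCallback, so a malformed cookie currently becomes an unhandled
/// FormatException instead of a clean AuthenticationException — worth tightening
/// in the validator.
/// </remarks>
public void GivenSomeBadExtraData_ValidateToken_ReturnsABaddaBingBaddaBoom()
{
    // Arrange.
    var antiForgery = new AntiForgery();
    // "Bzzzzzt" is 7 characters, not a multiple of 4, so it can never be valid Base-64.
    const string badToken = "MultiPass|Bzzzzzt";

    // Act.
    var result = Assert.Throws<FormatException>(() => antiForgery.ValidateToken(badToken, "MultiPass"));

    // Assert.
    Assert.NotNull(result);
    Assert.False(string.IsNullOrEmpty(result.Message));
}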
/// <summary>
/// When the kept token matches the returned value, validation hands back the
/// extra data that was embedded in the kept token, decoded from Base-64.
/// </summary>
public void GivenSomeTokenWithExtraData_ReturnsExtraDataIfTokenValid()
{
    // Arrange.
    const string expectedExtraData = "/abc/123";
    var sut = new AntiForgery();
    string tokenValue = Guid.NewGuid().ToString();
    string encodedExtraData = Convert.ToBase64String(Encoding.UTF8.GetBytes(expectedExtraData));
    // Kept-token layout: "<token>|<base64(extraData)>".
    string keptToken = tokenValue + "|" + encodedExtraData;

    // Act.
    string actualExtraData = sut.ValidateToken(keptToken, tokenValue);

    // Assert.
    Assert.Equal(expectedExtraData, actualExtraData);
}
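/// <summary>
/// Callback endpoint the OAuth provider redirects back to. Verifies the CSRF
/// state round-trip (the cookie-kept token against the "state" query parameter),
/// then asks the authentication service for the authenticated client and hands
/// everything to the "AuthenticateCallback" view for the consumer to act on.
/// </summary>
/// <param name="providerkey">Identifies which provider's settings to load.</param>
/// <returns>The "AuthenticateCallback" view bound to an <see cref="AuthenticateCallbackViewModel"/>.</returns>
/// <exception cref="ArgumentException">No provider key was supplied.</exception>
/// <exception cref="InvalidOperationException">The provider's "state" value or the kept (cookie) token is missing.</exception>
public ActionResult AuthenticateCallback(string providerkey)
{
    if (string.IsNullOrEmpty(providerkey))
    {
        throw new ArgumentException("No provider key was supplied on the callback.");
    }

    // Determine which settings we need, based on the Provider.
    var settings = AuthenticationService.GetAuthenticateServiceSettings(providerkey, Request.Url, Url.CallbackFromOAuthProvider());

    // Pull the "ToKeep" token from the cookie and the "ToSend" token from the query string.
    var keptToken = DeserializeToken(Request);
    var recievedToken = Request.QueryString["state"];

    if (string.IsNullOrEmpty(recievedToken))
    {
        throw new InvalidOperationException(
            "No state/recievedToken was retrieved from the provider. Are you sure you passed any state/token data to provider .. and .. that the provider can send it back to us? We need this to prevent any Cross site request forgery.");
    }

    // Fail fast and explicitly when the cookie half of the round-trip is absent too.
    // Previously a missing cookie fell straight through to ValidateToken with a null kept
    // token, leaving the failure mode (and message) up to the validator rather than this
    // endpoint; the validator's tests show it already surfaces raw FormatExceptions for
    // malformed input.
    if (string.IsNullOrEmpty(keptToken))
    {
        throw new InvalidOperationException(
            "No kept token was found in the callback request cookie. Was the authentication flow started from this site? We need this to prevent any Cross site request forgery.");
    }

    // Validate the kept token against the received one. Throws AuthenticationException on
    // mismatch; on success returns the extra data embedded in the kept token, or null.
    string extraData = AntiForgery.ValidateToken(keptToken, recievedToken);

    var model = new AuthenticateCallbackViewModel();
    try
    {
        // Grab the authenticated client information.
        model.AuthenticatedClient = AuthenticationService.GetAuthenticatedClient(settings, Request.QueryString);
    }
    catch (Exception exception)
    {
        // Deliberately best-effort: the consumer's view decides how to surface the failure.
        // NOTE(review): this is a catch-all, so provider/transport exceptions (and their
        // messages) reach the view unfiltered — confirm the view does not render them verbatim.
        model.Exception = exception;
    }

    // If we have a redirect Url, lets grab this :)
    // NOTE: We've implemented the extraData part of the tokenData as the redirect url.
    // NOTE(review): extraData originates in the cookie-kept token and only the token half is
    // checked against "state"; nothing here confirms the URL is local or on an allow-list, so
    // the consumer must validate RedirectUrl before redirecting to it (open-redirect risk).
    // new Uri(...) also throws UriFormatException if the cookie's extra data is not a URI.
    if (!string.IsNullOrEmpty(extraData))
    {
        model.RedirectUrl = new Uri(extraData);
    }

    // Finally! We can hand over the logic to the consumer to do whatever they want.
    return View("AuthenticateCallback", model);
}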