public DefaultAntiforgeryTokenStore( [NotNull] IOptions<AntiforgeryOptions> optionsAccessor, [NotNull] IAntiforgeryTokenSerializer tokenSerializer) { _options = optionsAccessor.Options; _tokenSerializer = tokenSerializer; }
public void GetCookieToken_CookieDoesNotExist_ReturnsNull() { // Arrange var requestCookies = new Mock<IReadableStringCollection>(); requestCookies .Setup(o => o[It.IsAny<string>()]) .Returns(string.Empty); var mockHttpContext = new Mock<HttpContext>(); mockHttpContext .Setup(o => o.Request.Cookies) .Returns(requestCookies.Object); var contextAccessor = new DefaultAntiforgeryContextAccessor(); mockHttpContext.SetupGet(o => o.RequestServices) .Returns(GetServiceProvider(contextAccessor)); var options = new AntiforgeryOptions() { CookieName = _cookieName }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: Mock.Of<IAntiforgeryTokenSerializer>()); // Act var token = tokenStore.GetCookieToken(mockHttpContext.Object); // Assert Assert.Null(token); }
public void GenerateFormToken_AuthenticatedWithoutUsernameAndNoAdditionalData_NoAdditionalData() { // Arrange var cookieToken = new AntiforgeryToken() { IsSessionToken = true }; var httpContext = new DefaultHttpContext(); httpContext.User = new ClaimsPrincipal(new MyAuthenticatedIdentityWithoutUsername()); var options = new AntiforgeryOptions(); var claimUidExtractor = new Mock<IClaimUidExtractor>().Object; var tokenProvider = new DefaultAntiforgeryTokenGenerator( claimUidExtractor: claimUidExtractor, additionalDataProvider: null); // Act & assert var exception = Assert.Throws<InvalidOperationException>( () => tokenProvider.GenerateFormToken(httpContext, cookieToken)); Assert.Equal( "The provided identity of type " + $"'{typeof(MyAuthenticatedIdentityWithoutUsername).FullName}' " + "is marked IsAuthenticated = true but does not have a value for Name. " + "By default, the antiforgery system requires that all authenticated identities have a unique Name. " + "If it is not possible to provide a unique Name for this identity, " + "consider extending IAntiforgeryAdditionalDataProvider by overriding the " + "DefaultAntiforgeryAdditionalDataProvider " + "or a custom type that can provide some form of unique identifier for the current user.", exception.Message); }
public void GetCookieToken_CookieIsMissingInRequest_LooksUpCookieInAntiforgeryContext() { // Arrange var requestCookies = new Mock<IReadableStringCollection>(); requestCookies .Setup(o => o[It.IsAny<string>()]) .Returns(string.Empty); var mockHttpContext = new Mock<HttpContext>(); mockHttpContext .Setup(o => o.Request.Cookies) .Returns(requestCookies.Object); var contextAccessor = new DefaultAntiforgeryContextAccessor(); mockHttpContext.SetupGet(o => o.RequestServices) .Returns(GetServiceProvider(contextAccessor)); // add a cookie explicitly. var cookie = new AntiforgeryToken(); contextAccessor.Value = new AntiforgeryContext() { CookieToken = cookie }; var options = new AntiforgeryOptions() { CookieName = _cookieName }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: Mock.Of<IAntiforgeryTokenSerializer>()); // Act var token = tokenStore.GetCookieToken(mockHttpContext.Object); // Assert Assert.Equal(cookie, token); }
public AntiforgeryTokenStore( IOptions<AntiforgeryOptions> optionsAccessor, IAntiforgeryTokenSerializer tokenSerializer) { this.tokenStore = new DefaultAntiforgeryTokenStore(optionsAccessor, tokenSerializer); this.options = optionsAccessor.Value; }
public FormPostSampleMiddleware( RequestDelegate next, IAntiforgery antiforgery, IOptions<AntiforgeryOptions> options) { _next = next; _antiforgery = antiforgery; _options = options.Value; }
public DefaultAntiforgery( IOptions<AntiforgeryOptions> antiforgeryOptionsAccessor, IAntiforgeryTokenGenerator tokenGenerator, IAntiforgeryTokenSerializer tokenSerializer, IAntiforgeryTokenStore tokenStore, IHtmlEncoder htmlEncoder) { _options = antiforgeryOptionsAccessor.Options; _tokenGenerator = tokenGenerator; _tokenSerializer = tokenSerializer; _tokenStore = tokenStore; _htmlEncoder = htmlEncoder; }
public override void OnActionExecuting(ActionExecutingContext context) { string cookieToken = ""; string formToken = ""; string[] tokenHeaders; tokenHeaders = context.HttpContext.Request.Headers["__RequestVerificationToken"]; string[] tokens = tokenHeaders.First().Split(':'); cookieToken = tokens[0].Trim(); formToken = tokens[0].Trim(); var token = new Microsoft.AspNet.Antiforgery.AntiforgeryOptions(); base.OnActionExecuting(context); }
public DefaultAntiforgeryTokenStore( IOptions<AntiforgeryOptions> optionsAccessor, IAntiforgeryTokenSerializer tokenSerializer) { if (optionsAccessor == null) { throw new ArgumentNullException(nameof(optionsAccessor)); } if (tokenSerializer == null) { throw new ArgumentNullException(nameof(tokenSerializer)); } _options = optionsAccessor.Value; _tokenSerializer = tokenSerializer; }
public void ChecksSSL_GetAndStoreTokens_Throws() { // Arrange var httpContext = new DefaultHttpContext(); var options = new AntiforgeryOptions() { RequireSsl = true }; var antiforgery = GetAntiforgery(options); // Act & Assert var exception = Assert.Throws <InvalidOperationException>( () => antiforgery.GetAndStoreTokens(httpContext)); Assert.Equal( @"The antiforgery system has the configuration value AntiforgeryOptions.RequireSsl = true, " + "but the current request is not an SSL request.", exception.Message); }
public void GetHtml_ExistingValidCookieToken_GeneratesAnAntiforgeryToken() { // Arrange var options = new AntiforgeryOptions() { FormFieldName = "form-field-name" }; // Make sure the existing cookie is valid and use the same cookie for the mock Token Provider. var context = CreateMockContext(options, useOldCookie: true, isOldCookieValid: true); var antiforgery = GetAntiforgery(context); // Act var inputElement = antiforgery.GetHtml(context.HttpContext); // Assert Assert.Equal( @"<input name=""HtmlEncode[[form-field-name]]"" type=""HtmlEncode[[hidden]]"" " + @"value=""HtmlEncode[[serialized-form-token]]"" />", inputElement); }
public async Task ChecksSSL_ValidateRequestAsync_Throws() { // Arrange var httpContext = new DefaultHttpContext(); var options = new AntiforgeryOptions() { RequireSsl = true }; var antiforgery = GetAntiforgery(options); // Act & Assert var exception = await Assert.ThrowsAsync <InvalidOperationException>( async() => await antiforgery.ValidateRequestAsync(httpContext)); Assert.Equal( @"The antiforgery system has the configuration value AntiforgeryOptions.RequireSsl = true, " + "but the current request is not an SSL request.", exception.Message); }
public void GetCookieToken_CookieIsMissingInRequest_LooksUpCookieInAntiforgeryContext() { // Arrange var requestCookies = new Mock <IReadableStringCollection>(); requestCookies .Setup(o => o[It.IsAny <string>()]) .Returns(string.Empty); var mockHttpContext = new Mock <HttpContext>(); mockHttpContext .Setup(o => o.Request.Cookies) .Returns(requestCookies.Object); var contextAccessor = new DefaultAntiforgeryContextAccessor(); mockHttpContext.SetupGet(o => o.RequestServices) .Returns(GetServiceProvider(contextAccessor)); // add a cookie explicitly. var cookie = new AntiforgeryToken(); contextAccessor.Value = new AntiforgeryContext() { CookieToken = cookie }; var options = new AntiforgeryOptions() { CookieName = _cookieName }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: Mock.Of <IAntiforgeryTokenSerializer>()); // Act var token = tokenStore.GetCookieToken(mockHttpContext.Object); // Assert Assert.Equal(cookie, token); }
public void SetCookieTokenAndHeader_AddsXFrameOptionsHeader( bool suppressXFrameOptions, string expectedHeaderValue) { // Arrange var options = new AntiforgeryOptions() { SuppressXFrameOptionsHeader = suppressXFrameOptions }; // Genreate a new cookie. var context = CreateMockContext(options, useOldCookie: false, isOldCookieValid: false); var antiforgery = GetAntiforgery(context); // Act antiforgery.SetCookieTokenAndHeader(context.HttpContext); // Assert var xFrameOptions = context.HttpContext.Response.Headers["X-Frame-Options"]; Assert.Equal(expectedHeaderValue, xFrameOptions); }
public void GetHtml_ExistingInvalidCookieToken_GeneratesANewCookieAndAnAntiforgeryToken() { // Arrange var options = new AntiforgeryOptions() { FormFieldName = "form-field-name" }; // Make sure the existing cookie is invalid. var context = CreateMockContext(options, isOldCookieValid: false); var antiforgery = GetAntiforgery(context); // Act var inputElement = antiforgery.GetHtml(context.HttpContext); // Assert Assert.Equal( @"<input name=""HtmlEncode[[form-field-name]]"" type=""HtmlEncode[[hidden]]"" " + @"value=""HtmlEncode[[serialized-form-token]]"" />", inputElement); context.TokenStore.Verify(); }
public async Task GetFormToken_FormFieldIsInvalid_PropagatesException() { // Arrange var formCollection = new Mock <IFormCollection>(); formCollection.Setup(f => f["form-field-name"]).Returns("invalid-value"); var requestContext = new Mock <HttpRequest>(); requestContext.Setup(o => o.ReadFormAsync(CancellationToken.None)) .Returns(Task.FromResult(formCollection.Object)); var mockHttpContext = new Mock <HttpContext>(); mockHttpContext.Setup(o => o.Request) .Returns(requestContext.Object); var expectedException = new InvalidOperationException("some exception"); var mockSerializer = new Mock <IAntiforgeryTokenSerializer>(); mockSerializer.Setup(o => o.Deserialize("invalid-value")) .Throws(expectedException); var options = new AntiforgeryOptions() { FormFieldName = "form-field-name", }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: mockSerializer.Object); // Act & assert var exception = await Assert.ThrowsAsync <InvalidOperationException>( async() => await tokenStore.GetFormTokenAsync(mockHttpContext.Object)); Assert.Same(expectedException, exception); }
public async Task GetFormToken_FormFieldIsValid_ReturnsToken() { // Arrange var expectedToken = new AntiforgeryToken(); // Arrange var mockHttpContext = new Mock <HttpContext>(); var requestContext = new Mock <HttpRequest>(); var formCollection = new Mock <IFormCollection>(); formCollection.Setup(f => f["form-field-name"]).Returns("valid-value"); requestContext.Setup(o => o.ReadFormAsync(CancellationToken.None)) .Returns(Task.FromResult(formCollection.Object)); mockHttpContext.Setup(o => o.Request) .Returns(requestContext.Object); var mockSerializer = new Mock <IAntiforgeryTokenSerializer>(); mockSerializer.Setup(o => o.Deserialize("valid-value")) .Returns(expectedToken); var options = new AntiforgeryOptions() { FormFieldName = "form-field-name", }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: mockSerializer.Object); // Act var retVal = await tokenStore.GetFormTokenAsync(mockHttpContext.Object); // Assert Assert.Same(expectedToken, retVal); }
public void ValidateTokens_FieldAndSessionTokensSwapped() { // Arrange var httpContext = new DefaultHttpContext(); httpContext.User = new ClaimsPrincipal(new ClaimsIdentity()); var sessionToken = new AntiforgeryToken() { IsSessionToken = true }; var fieldtoken = new AntiforgeryToken() { IsSessionToken = false }; var options = new AntiforgeryOptions() { CookieName = "my-cookie-name", FormFieldName = "my-form-field-name" }; var tokenProvider = new DefaultAntiforgeryTokenGenerator( optionsAccessor: new TestOptionsManager(options), claimUidExtractor: null, additionalDataProvider: null); // Act & assert var ex1 = Assert.Throws<InvalidOperationException>( () => tokenProvider.ValidateTokens(httpContext, fieldtoken, fieldtoken)); Assert.Equal( "Validation of the provided antiforgery token failed. " + @"The cookie ""my-cookie-name"" and the form field ""my-form-field-name"" were swapped.", ex1.Message); var ex2 = Assert.Throws<InvalidOperationException>( () => tokenProvider.ValidateTokens(httpContext, sessionToken, sessionToken)); Assert.Equal( "Validation of the provided antiforgery token failed. " + @"The cookie ""my-cookie-name"" and the form field ""my-form-field-name"" were swapped.", ex2.Message); }
public async Task GetFormToken_FormFieldIsEmpty_ReturnsNull() { // Arrange var mockHttpContext = new Mock<HttpContext>(); var requestContext = new Mock<HttpRequest>(); var formCollection = new Mock<IFormCollection>(); formCollection.Setup(f => f["form-field-name"]).Returns(string.Empty); requestContext.Setup(o => o.ReadFormAsync(CancellationToken.None)) .Returns(Task.FromResult(formCollection.Object)); mockHttpContext.Setup(o => o.Request) .Returns(requestContext.Object); var options = new AntiforgeryOptions() { FormFieldName = "form-field-name", }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: null); // Act var token = await tokenStore.GetFormTokenAsync(mockHttpContext.Object); // Assert Assert.Null(token); }
public async Task GetFormToken_FormFieldIsInvalid_PropagatesException() { // Arrange var formCollection = new Mock<IFormCollection>(); formCollection.Setup(f => f["form-field-name"]).Returns("invalid-value"); var requestContext = new Mock<HttpRequest>(); requestContext.Setup(o => o.ReadFormAsync(CancellationToken.None)) .Returns(Task.FromResult(formCollection.Object)); var mockHttpContext = new Mock<HttpContext>(); mockHttpContext.Setup(o => o.Request) .Returns(requestContext.Object); var expectedException = new InvalidOperationException("some exception"); var mockSerializer = new Mock<IAntiforgeryTokenSerializer>(); mockSerializer.Setup(o => o.Deserialize("invalid-value")) .Throws(expectedException); var options = new AntiforgeryOptions() { FormFieldName = "form-field-name", }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: mockSerializer.Object); // Act & assert var exception = await Assert.ThrowsAsync<InvalidOperationException>( async () => await tokenStore.GetFormTokenAsync(mockHttpContext.Object)); Assert.Same(expectedException, exception); }
public void GetCookieToken_CookieIsEmpty_ReturnsNull() { // Arrange var mockHttpContext = GetMockHttpContext(_cookieName, string.Empty); var options = new AntiforgeryOptions() { CookieName = _cookieName }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: Mock.Of<IAntiforgeryTokenSerializer>()); // Act var token = tokenStore.GetCookieToken(mockHttpContext); // Assert Assert.Null(token); }
public async Task GetFormToken_FormFieldIsValid_ReturnsToken() { // Arrange var httpContext = new DefaultHttpContext(); httpContext.Request.ContentType = "application/x-www-form-urlencoded"; httpContext.Request.Form = new FormCollection(new Dictionary<string, StringValues>() { { "form-field-name", "form-value" }, }); httpContext.Request.Cookies = new ReadableStringCollection(new Dictionary<string, StringValues>() { { "cookie-name", "cookie-value" }, }); var options = new AntiforgeryOptions() { CookieName = "cookie-name", FormFieldName = "form-field-name", }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: Mock.Of<IAntiforgeryTokenSerializer>()); // Act var tokens = await tokenStore.GetRequestTokensAsync(httpContext); // Assert Assert.Equal("cookie-value", tokens.CookieToken); Assert.Equal("form-value", tokens.FormToken); }
public void SaveCookieToken(bool requireSsl, bool? expectedCookieSecureFlag) { // Arrange var token = new AntiforgeryToken(); var mockCookies = new Mock<IResponseCookies>(); bool defaultCookieSecureValue = expectedCookieSecureFlag ?? false; // pulled from config; set by ctor var cookies = new MockResponseCookieCollection(); cookies.Count = 0; var mockHttpContext = new Mock<HttpContext>(); mockHttpContext.Setup(o => o.Response.Cookies) .Returns(cookies); var contextAccessor = new DefaultAntiforgeryContextAccessor(); mockHttpContext.SetupGet(o => o.RequestServices) .Returns(GetServiceProvider(contextAccessor)); var mockSerializer = new Mock<IAntiforgeryTokenSerializer>(); mockSerializer.Setup(o => o.Serialize(token)) .Returns("serialized-value"); var options = new AntiforgeryOptions() { CookieName = _cookieName, RequireSsl = requireSsl }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: mockSerializer.Object); // Act tokenStore.SaveCookieToken(mockHttpContext.Object, token); // Assert Assert.Equal(1, cookies.Count); Assert.NotNull(contextAccessor.Value.CookieToken); Assert.NotNull(cookies); Assert.Equal(_cookieName, cookies.Key); Assert.Equal("serialized-value", cookies.Value); Assert.True(cookies.Options.HttpOnly); Assert.Equal(defaultCookieSecureValue, cookies.Options.Secure); }
public async Task GetFormToken_FormFieldIsValid_ReturnsToken() { // Arrange var expectedToken = new AntiforgeryToken(); // Arrange var mockHttpContext = new Mock<HttpContext>(); var requestContext = new Mock<HttpRequest>(); var formCollection = new Mock<IFormCollection>(); formCollection.Setup(f => f["form-field-name"]).Returns("valid-value"); requestContext.Setup(o => o.ReadFormAsync(CancellationToken.None)) .Returns(Task.FromResult(formCollection.Object)); mockHttpContext.Setup(o => o.Request) .Returns(requestContext.Object); var mockSerializer = new Mock<IAntiforgeryTokenSerializer>(); mockSerializer.Setup(o => o.Deserialize("valid-value")) .Returns(expectedToken); var options = new AntiforgeryOptions() { FormFieldName = "form-field-name", }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: mockSerializer.Object); // Act var retVal = await tokenStore.GetFormTokenAsync(mockHttpContext.Object); // Assert Assert.Same(expectedToken, retVal); }
public async Task GetRequestTokens_FormFieldIsEmpty_Throws() { // Arrange var httpContext = new DefaultHttpContext(); httpContext.Request.ContentType = "application/x-www-form-urlencoded"; httpContext.Request.Form = new FormCollection(new Dictionary<string, StringValues>()); httpContext.Request.Cookies = new ReadableStringCollection(new Dictionary<string, StringValues>() { { "cookie-name", "cookie-value" }, }); var options = new AntiforgeryOptions() { CookieName = "cookie-name", FormFieldName = "form-field-name", }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: Mock.Of<IAntiforgeryTokenSerializer>()); // Act var exception = await Assert.ThrowsAsync<InvalidOperationException>( async () => await tokenStore.GetRequestTokensAsync(httpContext)); // Assert Assert.Equal("The required antiforgery form field \"form-field-name\" is not present.", exception.Message); }
public async Task GetRequestTokens_NonFormContentType_Throws() { // Arrange var httpContext = new DefaultHttpContext(); httpContext.Request.ContentType = "application/json"; // Will not be accessed httpContext.Request.Form = null; httpContext.Request.Cookies = new ReadableStringCollection(new Dictionary<string, StringValues>() { { "cookie-name", "cookie-value" }, }); var options = new AntiforgeryOptions() { CookieName = "cookie-name", FormFieldName = "form-field-name", }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: new DefaultAntiforgeryTokenSerializer(new EphemeralDataProtectionProvider())); // Act var exception = await Assert.ThrowsAsync<InvalidOperationException>( async () => await tokenStore.GetRequestTokensAsync(httpContext)); // Assert Assert.Equal("The required antiforgery form field \"form-field-name\" is not present.", exception.Message); }
public void GetCookieToken_CookieIsValid_ReturnsToken() { // Arrange var expectedToken = new AntiforgeryToken(); var mockHttpContext = GetMockHttpContext(_cookieName, "valid-value"); var mockSerializer = new Mock<IAntiforgeryTokenSerializer>(); mockSerializer .Setup(o => o.Deserialize("valid-value")) .Returns(expectedToken); var options = new AntiforgeryOptions() { CookieName = _cookieName }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: mockSerializer.Object); // Act AntiforgeryToken retVal = tokenStore.GetCookieToken(mockHttpContext); // Assert Assert.Same(expectedToken, retVal); }
public void GetCookieToken_CookieIsInvalid_PropagatesException() { // Arrange var mockHttpContext = GetMockHttpContext(_cookieName, "invalid-value"); var expectedException = new InvalidOperationException("some exception"); var mockSerializer = new Mock<IAntiforgeryTokenSerializer>(); mockSerializer .Setup(o => o.Deserialize("invalid-value")) .Throws(expectedException); var options = new AntiforgeryOptions() { CookieName = _cookieName }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: mockSerializer.Object); // Act & assert var ex = Assert.Throws<InvalidOperationException>(() => tokenStore.GetCookieToken(mockHttpContext)); Assert.Same(expectedException, ex); }
public void ValidateTokens_SessionTokenMissing() { // Arrange var httpContext = new DefaultHttpContext(); httpContext.User = new ClaimsPrincipal(new ClaimsIdentity()); var fieldtoken = new AntiforgeryToken() { IsSessionToken = false }; var options = new AntiforgeryOptions() { CookieName = "my-cookie-name" }; var tokenProvider = new DefaultAntiforgeryTokenGenerator( optionsAccessor: new TestOptionsManager(options), claimUidExtractor: null, additionalDataProvider: null); // Act & assert var ex = Assert.Throws<InvalidOperationException>( () => tokenProvider.ValidateTokens(httpContext, null, fieldtoken)); Assert.Equal(@"The required antiforgery cookie ""my-cookie-name"" is not present.", ex.Message); }
public async Task GetRequestTokens_CookieIsEmpty_Throws() { // Arrange var httpContext = new DefaultHttpContext(); httpContext.Request.Form = new FormCollection(new Dictionary<string, string[]>()); httpContext.Request.Cookies = new ReadableStringCollection(new Dictionary<string, string[]>()); var options = new AntiforgeryOptions() { CookieName = "cookie-name", FormFieldName = "form-field-name", }; var tokenStore = new DefaultAntiforgeryTokenStore( optionsAccessor: new TestOptionsManager(options), tokenSerializer: null); // Act var exception = await Assert.ThrowsAsync<InvalidOperationException>( async () => await tokenStore.GetRequestTokensAsync(httpContext)); // Assert Assert.Equal("The required antiforgery cookie \"cookie-name\" is not present.", exception.Message); }