/// <summary>
/// Builds a <see cref="CorsBasedSecurityMessageHandler"/> wired up for tests.
/// </summary>
/// <param name="response">Passed to the <c>TestHandler</c> that is installed as the inner handler.</param>
/// <param name="corsEngine">Engine returned by the handler's engine factory; a new <see cref="CorsEngine"/> is created per factory call when null.</param>
/// <param name="options">CORS options for the handler. When null, <c>CorsOptions.AllowAll()</c> is used,
/// so tests that rely on the default run against the allow-all policy rather than a restrictive one.</param>
/// <returns>The configured handler under test.</returns>
private static CorsBasedSecurityMessageHandler CreateSubjectUnderTest(
    HttpResponseMessage response = null,
    CorsEngine corsEngine = null,
    CorsOptions options = null)
{
    var effectiveOptions = options ?? CorsOptions.AllowAll();

    var handler = new CorsBasedSecurityMessageHandler(effectiveOptions)
    {
        InnerHandler = new TestHandler(response)
    };

    // The factory is evaluated lazily, so the fallback engine is created on each call.
    handler.SetCorsEngineFactory(() => corsEngine ?? new CorsEngine());

    return handler;
}
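/// <summary>
/// Evaluates the incoming request against the configured CORS policy and, when the policy
/// allows it, writes the CORS response headers.
/// </summary>
/// <remarks>
/// Preflight requests that fail validation are answered with 400 Bad Request and an error on
/// the context. Non-preflight requests that fail the policy are NOT rejected here: no CORS
/// headers are written and the method returns normally. CORS is enforced by the browser, so
/// it must not be treated as an authorization check for the endpoint.
/// </remarks>
/// <param name="context">Token validation context carrying the request and response.</param>
private void ProcessCors(OAuthValidateTokenRequestContext context)
{
    var requestHeaders = context.Request.Headers;

    var accessControlRequestMethodHeaders = requestHeaders.GetCommaSeparatedValues(CorsConstants.AccessControlRequestMethod);
    var originHeaders = requestHeaders.GetCommaSeparatedValues(CorsConstants.Origin);

    // Fix: the original read Access-Control-Request-Method here (and again in the loop below),
    // so the policy's allowed-headers check was evaluated against the requested *method*
    // instead of the headers the browser actually announced in Access-Control-Request-Headers.
    var accessControlRequestHeaders = requestHeaders.GetCommaSeparatedValues(CorsConstants.AccessControlRequestHeaders);

    var corsRequest = new CorsRequestContext
    {
        Host = context.Request.Host.Value,
        HttpMethod = context.Request.Method,
        Origin = originHeaders == null ? null : originHeaders.FirstOrDefault(),
        RequestUri = context.Request.Uri,
        AccessControlRequestMethod = accessControlRequestMethodHeaders == null
            ? null
            : accessControlRequestMethodHeaders.FirstOrDefault()
    };

    if (accessControlRequestHeaders != null)
    {
        // Reuse the values already parsed above instead of reading the header a second time.
        foreach (var header in accessControlRequestHeaders)
        {
            corsRequest.AccessControlRequestHeaders.Add(header);
        }
    }

    var engine = new CorsEngine();

    if (corsRequest.IsPreflight)
    {
        try
        {
            // Make sure Access-Control-Request-Method is valid; the HttpMethod constructor
            // throws on a null/empty or malformed method token. The instance itself is unused.
            var parsedMethod = new HttpMethod(corsRequest.AccessControlRequestMethod);
        }
        catch (ArgumentException)
        {
            // NOTE(review): context.RequestCompleted() was commented out at each early return
            // in this method; confirm that SetError alone stops further request processing.
            context.Response.StatusCode = (int)HttpStatusCode.BadRequest;
            context.SetError("Access Control Request Method Cannot Be Null Or Empty");
            return;
        }
        catch (FormatException)
        {
            context.Response.StatusCode = (int)HttpStatusCode.BadRequest;
            context.SetError("Invalid Access Control Request Method");
            return;
        }

        var preflightResult = engine.EvaluatePolicy(corsRequest, _options.CorsPolicy);
        if (!preflightResult.IsValid)
        {
            context.Response.StatusCode = (int)HttpStatusCode.BadRequest;
            context.SetError(string.Join(" | ", preflightResult.ErrorMessages));
            return;
        }

        WriteCorsHeaders(preflightResult, context);
    }
    else
    {
        var result = engine.EvaluatePolicy(corsRequest, _options.CorsPolicy);

        // An invalid result only suppresses the CORS headers; the request itself continues.
        if (result.IsValid)
        {
            WriteCorsHeaders(result, context);
        }
    }
}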