Remove `ValidateTokens()` from `IAntiforgery`
- `IAntiforgery` does not expose a way to get an invalid `AntiforgeryTokenSet`
This commit is contained in:
parent
9445574aa1
commit
08cf13b870
|
|
@ -54,15 +54,6 @@ namespace Microsoft.AspNetCore.Antiforgery
|
||||||
/// </exception>
|
/// </exception>
|
||||||
Task ValidateRequestAsync(HttpContext httpContext);
|
Task ValidateRequestAsync(HttpContext httpContext);
|
||||||
|
|
||||||
/// <summary>
|
|
||||||
/// Validates an <see cref="AntiforgeryTokenSet"/> for the current request.
|
|
||||||
/// </summary>
|
|
||||||
/// <param name="httpContext">The <see cref="HttpContext"/> associated with the current request.</param>
|
|
||||||
/// <param name="antiforgeryTokenSet">
|
|
||||||
/// The <see cref="AntiforgeryTokenSet"/> (cookie and request token) for this request.
|
|
||||||
/// </param>
|
|
||||||
void ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet);
|
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Generates and stores an antiforgery cookie token if one is not available or not valid.
|
/// Generates and stores an antiforgery cookie token if one is not available or not valid.
|
||||||
/// </summary>
|
/// </summary>
|
||||||
|
|
|
||||||
|
|
@ -135,8 +135,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
ValidateTokens(httpContext, tokens);
|
ValidateTokens(httpContext, tokens);
|
||||||
}
|
}
|
||||||
|
|
||||||
/// <inheritdoc />
|
private void ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)
|
||||||
public void ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)
|
|
||||||
{
|
{
|
||||||
if (httpContext == null)
|
if (httpContext == null)
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -6,7 +6,6 @@ using System.Security.Claims;
|
||||||
using System.Threading.Tasks;
|
using System.Threading.Tasks;
|
||||||
using Microsoft.AspNetCore.Http;
|
using Microsoft.AspNetCore.Http;
|
||||||
using Microsoft.AspNetCore.Http.Internal;
|
using Microsoft.AspNetCore.Http.Internal;
|
||||||
using Microsoft.AspNetCore.Testing;
|
|
||||||
using Microsoft.Extensions.Options;
|
using Microsoft.Extensions.Options;
|
||||||
using Moq;
|
using Moq;
|
||||||
using Xunit;
|
using Xunit;
|
||||||
|
|
@ -57,28 +56,6 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
exception.Message);
|
exception.Message);
|
||||||
}
|
}
|
||||||
|
|
||||||
[Fact]
|
|
||||||
public void ChecksSSL_ValidateTokens_Throws()
|
|
||||||
{
|
|
||||||
// Arrange
|
|
||||||
var httpContext = new DefaultHttpContext();
|
|
||||||
var options = new AntiforgeryOptions()
|
|
||||||
{
|
|
||||||
RequireSsl = true
|
|
||||||
};
|
|
||||||
|
|
||||||
var antiforgery = GetAntiforgery(options);
|
|
||||||
var tokenSet = new AntiforgeryTokenSet("hello", "world", "form", "header");
|
|
||||||
|
|
||||||
// Act & Assert
|
|
||||||
var exception = Assert.Throws<InvalidOperationException>(
|
|
||||||
() => antiforgery.ValidateTokens(httpContext, tokenSet));
|
|
||||||
Assert.Equal(
|
|
||||||
@"The antiforgery system has the configuration value AntiforgeryOptions.RequireSsl = true, " +
|
|
||||||
"but the current request is not an SSL request.",
|
|
||||||
exception.Message);
|
|
||||||
}
|
|
||||||
|
|
||||||
[Fact]
|
[Fact]
|
||||||
public void ChecksSSL_GetAndStoreTokens_Throws()
|
public void ChecksSSL_GetAndStoreTokens_Throws()
|
||||||
{
|
{
|
||||||
|
|
@ -248,95 +225,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
}
|
}
|
||||||
|
|
||||||
[Fact]
|
[Fact]
|
||||||
public void ValidateTokens_InvalidTokens_Throws()
|
public async Task IsRequestValidAsync_FromStore_Failure()
|
||||||
{
|
|
||||||
// Arrange
|
|
||||||
var context = CreateMockContext(new AntiforgeryOptions());
|
|
||||||
|
|
||||||
context.TokenSerializer
|
|
||||||
.Setup(o => o.Deserialize("cookie-token"))
|
|
||||||
.Returns(context.TestTokenSet.OldCookieToken);
|
|
||||||
context.TokenSerializer
|
|
||||||
.Setup(o => o.Deserialize("form-token"))
|
|
||||||
.Returns(context.TestTokenSet.RequestToken);
|
|
||||||
|
|
||||||
var message = "my-message";
|
|
||||||
context.TokenGenerator
|
|
||||||
.Setup(o => o.TryValidateTokenSet(
|
|
||||||
context.HttpContext,
|
|
||||||
context.TestTokenSet.OldCookieToken,
|
|
||||||
context.TestTokenSet.RequestToken,
|
|
||||||
out message))
|
|
||||||
.Returns(false)
|
|
||||||
.Verifiable();
|
|
||||||
|
|
||||||
var antiforgery = new DefaultAntiforgery(
|
|
||||||
new TestOptionsManager(),
|
|
||||||
context.TokenGenerator.Object,
|
|
||||||
context.TokenSerializer.Object,
|
|
||||||
tokenStore: null);
|
|
||||||
|
|
||||||
var tokenSet = new AntiforgeryTokenSet("form-token", "cookie-token", "form", "header");
|
|
||||||
|
|
||||||
// Act & Assert
|
|
||||||
var exception = Assert.Throws<AntiforgeryValidationException>(
|
|
||||||
() => antiforgery.ValidateTokens(
|
|
||||||
context.HttpContext,
|
|
||||||
tokenSet));
|
|
||||||
Assert.Equal("my-message", exception.Message);
|
|
||||||
context.TokenGenerator.Verify();
|
|
||||||
}
|
|
||||||
|
|
||||||
[Fact]
|
|
||||||
public void ValidateTokens_FromValidStrings_TokensValidatedSuccessfully()
|
|
||||||
{
|
|
||||||
// Arrange
|
|
||||||
var context = CreateMockContext(new AntiforgeryOptions());
|
|
||||||
context.TokenSerializer
|
|
||||||
.Setup(o => o.Deserialize("cookie-token"))
|
|
||||||
.Returns(context.TestTokenSet.OldCookieToken);
|
|
||||||
context.TokenSerializer
|
|
||||||
.Setup(o => o.Deserialize("form-token"))
|
|
||||||
.Returns(context.TestTokenSet.RequestToken);
|
|
||||||
|
|
||||||
string message;
|
|
||||||
context.TokenGenerator
|
|
||||||
.Setup(o => o.TryValidateTokenSet(
|
|
||||||
context.HttpContext,
|
|
||||||
context.TestTokenSet.OldCookieToken,
|
|
||||||
context.TestTokenSet.RequestToken,
|
|
||||||
out message))
|
|
||||||
.Returns(true)
|
|
||||||
.Verifiable();
|
|
||||||
context.TokenStore = null;
|
|
||||||
var antiforgery = GetAntiforgery(context);
|
|
||||||
|
|
||||||
var tokenSet = new AntiforgeryTokenSet("form-token", "cookie-token", "form", "header");
|
|
||||||
|
|
||||||
// Act
|
|
||||||
antiforgery.ValidateTokens(context.HttpContext, tokenSet);
|
|
||||||
|
|
||||||
// Assert
|
|
||||||
context.TokenGenerator.Verify();
|
|
||||||
}
|
|
||||||
|
|
||||||
[Fact]
|
|
||||||
public void ValidateTokens_MissingCookieInTokenSet_Throws()
|
|
||||||
{
|
|
||||||
// Arrange
|
|
||||||
var context = CreateMockContext(new AntiforgeryOptions());
|
|
||||||
var antiforgery = GetAntiforgery(context);
|
|
||||||
var tokenSet = new AntiforgeryTokenSet("form-token", null, "form", "header");
|
|
||||||
|
|
||||||
// Act
|
|
||||||
ExceptionAssert.ThrowsArgument(
|
|
||||||
() => antiforgery.ValidateTokens(context.HttpContext, tokenSet),
|
|
||||||
"antiforgeryTokenSet",
|
|
||||||
"The required antiforgery cookie token must be provided.");
|
|
||||||
}
|
|
||||||
|
|
||||||
[Fact]
|
|
||||||
public async Task IsRequestValueAsync_FromStore_Failure()
|
|
||||||
{
|
{
|
||||||
// Arrange
|
// Arrange
|
||||||
var context = CreateMockContext(new AntiforgeryOptions());
|
var context = CreateMockContext(new AntiforgeryOptions());
|
||||||
|
|
@ -357,6 +246,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
|
|
||||||
// Assert
|
// Assert
|
||||||
Assert.False(result);
|
Assert.False(result);
|
||||||
|
context.TokenGenerator.Verify();
|
||||||
}
|
}
|
||||||
|
|
||||||
[Fact]
|
[Fact]
|
||||||
|
|
@ -409,7 +299,7 @@ namespace Microsoft.AspNetCore.Antiforgery.Internal
|
||||||
|
|
||||||
// Act & assert
|
// Act & assert
|
||||||
var exception = await Assert.ThrowsAsync<AntiforgeryValidationException>(
|
var exception = await Assert.ThrowsAsync<AntiforgeryValidationException>(
|
||||||
async () => await antiforgery.ValidateRequestAsync(context.HttpContext));
|
() => antiforgery.ValidateRequestAsync(context.HttpContext));
|
||||||
Assert.Equal("my-message", exception.Message);
|
Assert.Equal("my-message", exception.Message);
|
||||||
context.TokenGenerator.Verify();
|
context.TokenGenerator.Verify();
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue