Allow absolute uri in authentication properties for cookie auth redirect

2016-08-11 08:48:47 -07:00 · 2016-08-11 08:48:47 -07:00 · 4600451dc6
parent 97afe4acc8
commit 4600451dc6
2 changed files with 29 additions and 5 deletions
--- a/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs
+++ b/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs
@ -320,7 +320,7 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
                // 1. properties.RedirectUri
                // 2. query parameter ReturnUrlParameter
                var redirectUri = properties.RedirectUri;
-                if (string.IsNullOrEmpty(redirectUri) || !IsHostRelative(redirectUri))
+                if (string.IsNullOrEmpty(redirectUri))
                {
                    redirectUri = Request.Query[Options.ReturnUrlParameter];
                    if (string.IsNullOrEmpty(redirectUri) || !IsHostRelative(redirectUri))
--- a/test/Microsoft.AspNetCore.Authentication.Test/Cookies/CookieMiddlewareTests.cs
+++ b/test/Microsoft.AspNetCore.Authentication.Test/Cookies/CookieMiddlewareTests.cs
@ -1051,8 +1051,10 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
            Assert.Equal("?ReturnUrl=%2F", location.Query);
        }

-        [Fact]
-        public async Task RedirectUriIsHoneredAfterSignin()
+        [Theory]
+        [InlineData("/redirect_test")]
+        [InlineData("http://example.com/redirect_to")]
+        public async Task RedirectUriIsHoneredAfterSignin(string redirectUrl)
        {
            var options = new CookieAuthenticationOptions
            {
@ -1065,13 +1067,13 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
                await context.Authentication.SignInAsync(
                    CookieAuthenticationDefaults.AuthenticationScheme,
                    new ClaimsPrincipal(new ClaimsIdentity(new GenericIdentity("Alice", CookieAuthenticationDefaults.AuthenticationScheme))),
-                    new AuthenticationProperties { RedirectUri = "/redirect_test" });
+                    new AuthenticationProperties { RedirectUri = redirectUrl });
            });
            var transaction = await SendAsync(server, "http://example.com/testpath");

            Assert.NotEmpty(transaction.SetCookie);
            Assert.Equal(HttpStatusCode.Redirect, transaction.Response.StatusCode);
-            Assert.Equal("/redirect_test", transaction.Response.Headers.Location.ToString());
+            Assert.Equal(redirectUrl, transaction.Response.Headers.Location.ToString());
        }

        [Fact]
@ -1097,6 +1099,28 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
            Assert.Equal("/ret_path_2", transaction.Response.Headers.Location.ToString());
        }

+        [Fact]
+        public async Task AbsoluteRedirectUriIsRejected()
+        {
+            var options = new CookieAuthenticationOptions
+            {
+                LoginPath = "/testpath",
+                ReturnUrlParameter = "return",
+                CookieName = "TestCookie"
+            };
+
+            var server = CreateServer(options, async context =>
+            {
+                await context.Authentication.SignInAsync(
+                    CookieAuthenticationDefaults.AuthenticationScheme,
+                    new ClaimsPrincipal(new ClaimsIdentity(new GenericIdentity("Alice", CookieAuthenticationDefaults.AuthenticationScheme))));
+            });
+            var transaction = await SendAsync(server, "http://example.com/testpath?return=http%3A%2F%2Fexample.com%2Fredirect_to");
+
+            Assert.NotEmpty(transaction.SetCookie);
+            Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode);
+        }
+
        [Fact]
        public async Task EnsurePrecedenceOfRedirectUriAfterSignin()
        {