Add form and header name to token set

This commit is contained in:
Ryan Nowak 2016-02-03 14:05:40 -08:00
parent 20140c4c15
commit 48ee352022
4 changed files with 48 additions and 16 deletions


@ -15,28 +15,52 @@ namespace Microsoft.AspNetCore.Antiforgery
/// </summary>
/// <param name="requestToken">The token that is supplied in the request.</param>
/// <param name="cookieToken">The token that is supplied in the request cookie.</param>
public AntiforgeryTokenSet(string requestToken, string cookieToken)
/// <param name="formFieldName">The name of the form field used for the request token.</param>
/// <param name="headerName">The name of the header used for the request token.</param>
public AntiforgeryTokenSet(
string requestToken,
string cookieToken,
string formFieldName,
string headerName)
{
if (string.IsNullOrEmpty(requestToken))
{
throw new ArgumentException(Resources.ArgumentCannotBeNullOrEmpty, nameof(requestToken));
}
if (formFieldName == null)
{
throw new ArgumentNullException(nameof(formFieldName));
}
RequestToken = requestToken;
// Cookie Token is allowed to be null in the case when the old cookie is valid
// and there is no new cookieToken generated.
CookieToken = cookieToken;
FormFieldName = formFieldName;
HeaderName = headerName;
}
/// <summary>
/// The token that is supplied in the request.
/// Gets the request token.
/// </summary>
public string RequestToken { get; private set; }
public string RequestToken { get; }
/// The cookie token is allowed to be null.
/// This would be the case when the old cookie token is still valid.
/// In such cases a call to GetTokens would return a token set with null cookie token.
public string CookieToken { get; private set; }
/// <summary>
/// Gets the name of the form field used for the request token.
/// </summary>
public string FormFieldName { get; }
/// <summary>
/// Gets the name of the header used for the request token.
/// </summary>
public string HeaderName { get; }
/// <summary>
/// Gets the cookie token.
/// </summary>
public string CookieToken { get; }
}
}
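Review bot: The new `CookieToken` summary at L57–L59 drops the nullability note the removed doc lines at L45–L47 carried, while the constructor comment at L33–L34 still relies on that contract; a caller reading only the property doc will not expect null. Suggest restoring it under the summary as `/// <remarks>May be <c>null</c> when the existing cookie token is still valid and no new cookie token was generated.</remarks>`. The constructor also guards `formFieldName` against null (L28–L31) but leaves `headerName` unchecked; if a null header name is intentional, say so on the parameter and the property, e.g. `/// <param name="headerName">The name of the header used for the request token, or <c>null</c> if header tokens are not used.</param>`, otherwise add the matching `ArgumentNullException` guard so the two names are validated consistently.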


@ -263,7 +263,9 @@ namespace Microsoft.AspNetCore.Antiforgery
{
return new AntiforgeryTokenSet(
tokenSet.RequestToken != null ? _tokenSerializer.Serialize(tokenSet.RequestToken) : null,
tokenSet.CookieToken != null ? _tokenSerializer.Serialize(tokenSet.CookieToken) : null);
tokenSet.CookieToken != null ? _tokenSerializer.Serialize(tokenSet.CookieToken) : null,
_options.FormFieldName,
_options.HeaderName);
}
private class AntiforgeryTokenSetInternal
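Review bot: Passing `_options.FormFieldName` straight into the constructor at L72 means a misconfigured options value now surfaces from this serialization path as an `ArgumentNullException` naming `formFieldName`, which does not point the reader at `AntiforgeryOptions`; the same applies to the call at L83 in the token store. If the options are validated when the service is constructed this is fine, but that is not visible here, so a short comment such as `// FormFieldName is validated by the token set ctor; a null here is an options misconfiguration.` would make the failure mode clear. The enclosing method starts outside this hunk.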


@ -108,7 +108,7 @@ namespace Microsoft.AspNetCore.Antiforgery
}
}
return new AntiforgeryTokenSet(requestToken, requestCookie);
return new AntiforgeryTokenSet(requestToken, requestCookie, _options.FormFieldName, _options.HeaderName);
}
public void SaveCookieToken(HttpContext httpContext, AntiforgeryToken token)
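Review bot: The new call at L83 is written on a single long line, whereas the same constructor call elsewhere in this commit is broken one argument per line; for consistency wrap it as `return new AntiforgeryTokenSet(requestToken, requestCookie,` / `    _options.FormFieldName, _options.HeaderName);`. The enclosing method starts outside this hunk, so whether `requestToken` can be null here and trip the constructor's existing argument check cannot be confirmed from the visible lines.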


@ -5,7 +5,6 @@ using System;
using System.IO;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Html;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Http.Internal;
using Microsoft.AspNetCore.Testing;
@ -75,9 +74,11 @@ namespace Microsoft.AspNetCore.Antiforgery
var antiforgery = GetAntiforgery(options);
var tokenSet = new AntiforgeryTokenSet("hello", "world", "form", "header");
// Act & Assert
var exception = Assert.Throws<InvalidOperationException>(
() => antiforgery.ValidateTokens(httpContext, new AntiforgeryTokenSet("hello", "world")));
() => antiforgery.ValidateTokens(httpContext, tokenSet));
Assert.Equal(
@"The antiforgery system has the configuration value AntiforgeryOptions.RequireSsl = true, " +
"but the current request is not an SSL request.",
@ -431,11 +432,13 @@ namespace Microsoft.AspNetCore.Antiforgery
context.TokenSerializer.Object,
tokenStore: null);
var tokenSet = new AntiforgeryTokenSet("form-token", "cookie-token", "form", "header");
// Act & Assert
var exception = Assert.Throws<AntiforgeryValidationException>(
() => antiforgery.ValidateTokens(
context.HttpContext,
new AntiforgeryTokenSet("form-token", "cookie-token")));
tokenSet));
Assert.Equal("my-message", exception.Message);
}
@ -464,8 +467,10 @@ namespace Microsoft.AspNetCore.Antiforgery
context.TokenStore = null;
var antiforgery = GetAntiforgery(context);
var tokenSet = new AntiforgeryTokenSet("form-token", "cookie-token", "form", "header");
// Act
antiforgery.ValidateTokens(context.HttpContext, new AntiforgeryTokenSet("form-token", "cookie-token"));
antiforgery.ValidateTokens(context.HttpContext, tokenSet);
// Assert
context.TokenGenerator.Verify();
@ -478,8 +483,7 @@ namespace Microsoft.AspNetCore.Antiforgery
var context = CreateMockContext(new AntiforgeryOptions());
var antiforgery = GetAntiforgery(context);
var tokenSet = new AntiforgeryTokenSet("hi", cookieToken: null);
var tokenSet = new AntiforgeryTokenSet("form-token", null, "form", "header");
// Act
ExceptionAssert.ThrowsArgument(
@ -661,7 +665,9 @@ namespace Microsoft.AspNetCore.Antiforgery
mockTokenStore.Setup(o => o.GetRequestTokensAsync(context))
.Returns(() => Task.FromResult(new AntiforgeryTokenSet(
testTokenSet.FormTokenString,
testTokenSet.OldCookieTokenString)));
testTokenSet.OldCookieTokenString,
"form",
"header")));
if (saveNewCookie)
{
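Review bot: The test changes only update existing call sites to the four-argument constructor; nothing covers the new `formFieldName` null guard or asserts that `FormFieldName`/`HeaderName` reach the token set from `AntiforgeryOptions`, so a regression in either would go unnoticed. A small constructor test such as `Assert.Throws<ArgumentNullException>(() => new AntiforgeryTokenSet("t", "c", null, "header"));` would pin the guard. Separately, the fixture at L132 drops the named argument the removed line used; `new AntiforgeryTokenSet("form-token", cookieToken: null, "form", "header")` keeps the intent of the null readable (named argument before positional is valid only on C# 7.2+, so fall back to a trailing comment if the project targets older). The enclosing test method starts outside this hunk.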