Ignore null ExpiresUtc property in RequestRefresh

Issue: https://github.com/aspnet/Security/issues/949
2016-08-26 11:46:29 -07:00 · 2016-08-26 11:46:29 -07:00 · cbbec15d37
parent 3a5df89f1c
commit cbbec15d37
2 changed files with 56 additions and 5 deletions
--- a/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs
+++ b/src/Microsoft.AspNetCore.Authentication.Cookies/CookieAuthenticationHandler.cs
@ -57,11 +57,17 @@ namespace Microsoft.AspNetCore.Authentication.Cookies

        private void RequestRefresh(AuthenticationTicket ticket)
        {
-            _shouldRefresh = true;
-            var currentUtc = Options.SystemClock.UtcNow;
-            _refreshIssuedUtc = currentUtc;
-            var timeSpan = ticket.Properties.ExpiresUtc.Value.Subtract(ticket.Properties.IssuedUtc.Value);
-            _refreshExpiresUtc = currentUtc.Add(timeSpan);
+            var issuedUtc = ticket.Properties.IssuedUtc;
+            var expiresUtc = ticket.Properties.ExpiresUtc;
+
+            if (issuedUtc != null && expiresUtc != null)
+            {
+                _shouldRefresh = true;
+                var currentUtc = Options.SystemClock.UtcNow;
+                _refreshIssuedUtc = currentUtc;
+                var timeSpan = expiresUtc.Value.Subtract(issuedUtc.Value);
+                _refreshExpiresUtc = currentUtc.Add(timeSpan);
+            }
        }

        private async Task<AuthenticateResult> ReadCookieTicket()
--- a/test/Microsoft.AspNetCore.Authentication.Test/Cookies/CookieMiddlewareTests.cs
+++ b/test/Microsoft.AspNetCore.Authentication.Test/Cookies/CookieMiddlewareTests.cs
@ -1214,6 +1214,51 @@ namespace Microsoft.AspNetCore.Authentication.Cookies
            Assert.Equal("Alice", FindClaimValue(transaction2, ClaimTypes.Name));
        }

+        // Issue: https://github.com/aspnet/Security/issues/949
+        [Fact]
+        public async Task NullExpiresUtcPropertyIsGuarded()
+        {
+            var builder = new WebHostBuilder()
+                .ConfigureServices(services => services.AddAuthentication())
+                .Configure(app =>
+                {
+                    app.UseCookieAuthentication(new CookieAuthenticationOptions
+                    {
+                        Events = new CookieAuthenticationEvents
+                        {
+                            OnValidatePrincipal = context =>
+                            {
+                                context.Properties.ExpiresUtc = null;
+                                context.ShouldRenew = true;
+                                return Task.FromResult(0);
+                            }
+                        }
+                    });
+
+                    app.Run(async context =>
+                    {
+                        if (context.Request.Path == "/signin")
+                        {
+                            await context.Authentication.SignInAsync(
+                                CookieAuthenticationDefaults.AuthenticationScheme,
+                                new ClaimsPrincipal(new ClaimsIdentity(new GenericIdentity("Alice", "Cookies"))));
+                        }
+                        else
+                        {
+                            await context.Response.WriteAsync("ha+1");
+                        }
+                    });
+                });
+
+            var server = new TestServer(builder);
+
+            var cookie = (await server.SendAsync("http://www.example.com/signin")).SetCookie.FirstOrDefault();
+            Assert.NotNull(cookie);
+
+            var transaction = await server.SendAsync("http://www.example.com/", cookie);
+            Assert.Equal(HttpStatusCode.OK, transaction.Response.StatusCode);
+        }
+
        private class NoOpDataProtector : IDataProtector
        {
            public IDataProtector CreateProtector(string purpose)