From e54d088c462b18c76a8f218b11ea2614e41622b6 Mon Sep 17 00:00:00 2001
From: Hao Kung
Date: Fri, 22 May 2015 14:48:24 -0700
Subject: [PATCH] Fix issue with 401->403 not working with AutomaticAuthentication
---
 .../CookieAuthenticationHandler.cs | 1 +
 .../AuthenticationHandler.cs | 3 ++-
 .../Cookies/CookieMiddlewareTests.cs | 19 ++++++++++++++++---
 3 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/src/Microsoft.AspNet.Authentication.Cookies/CookieAuthenticationHandler.cs b/src/Microsoft.AspNet.Authentication.Cookies/CookieAuthenticationHandler.cs
index 04852e390a..11c74c8386 100644
--- a/src/Microsoft.AspNet.Authentication.Cookies/CookieAuthenticationHandler.cs
+++ b/src/Microsoft.AspNet.Authentication.Cookies/CookieAuthenticationHandler.cs
@@ -99,6 +99,7 @@ namespace Microsoft.AspNet.Authentication.Cookies
 await Options.Notifications.ValidatePrincipal(context);
+ AuthenticateCalled = true;
 return new AuthenticationTicket(context.Principal, context.Properties, Options.AuthenticationScheme);
 }
 catch (Exception exception)
diff --git a/src/Microsoft.AspNet.Authentication/AuthenticationHandler.cs b/src/Microsoft.AspNet.Authentication/AuthenticationHandler.cs
index 1d1d8e193f..d3e2ff9a4e 100644
--- a/src/Microsoft.AspNet.Authentication/AuthenticationHandler.cs
+++ b/src/Microsoft.AspNet.Authentication/AuthenticationHandler.cs
@@ -59,7 +59,8 @@ namespace Microsoft.AspNet.Authentication
 get { return _baseOptions; }
 }
- internal bool AuthenticateCalled { get; set; }
+ // REVIEW: Overriding Authenticate and not calling base requires manually calling this for 401-403 to work
+ protected bool AuthenticateCalled { get; set; }
 public IAuthenticationHandler PriorHandler { get; set; }
diff --git a/test/Microsoft.AspNet.Authentication.Test/Cookies/CookieMiddlewareTests.cs b/test/Microsoft.AspNet.Authentication.Test/Cookies/CookieMiddlewareTests.cs
index c368365329..a3e9774f09 100644
--- a/test/Microsoft.AspNet.Authentication.Test/Cookies/CookieMiddlewareTests.cs
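Review bot: `AuthenticateCalled = true;` is set only on the success path after `ValidatePrincipal`, so the `catch (Exception exception)` branch below and any earlier return in the enclosing method (which starts and ends outside this hunk) leave it false. If that is the intent — only a request that actually authenticated should have its 401 turned into a 403 — a one-line comment would save the next reader a trip to the base class: `// Marks a successful authenticate so a later 401 challenge can be converted to a 403; earlier returns and the catch path deliberately leave it unset`. Should `ValidatePrincipal` be able to reject by clearing `context.Principal` (not visible here), the flag would still be set while the returned ticket carries a null principal, so it is worth confirming that the 401→403 conversion checks the ticket as well as the flag.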
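Review bot: Widening `AuthenticateCalled` from `internal` to `protected` makes it part of the contract for every derived handler, including ones outside this repository, so the obligation in the `// REVIEW:` line belongs in an XML doc comment that derived-class authors will see rather than an in-code note. Suggest replacing the `// REVIEW:` line with a `/// <summary>` stating that a handler which overrides Authenticate without calling the base implementation must set this property itself, otherwise a 401 challenge for an already-authenticated request is not converted to a 403. The first hunk (CookieAuthenticationHandler.cs) depends on this visibility change, so the two should not be split if this commit is ever cherry-picked.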
+++ b/test/Microsoft.AspNet.Authentication.Test/Cookies/CookieMiddlewareTests.cs
@@ -443,19 +443,27 @@ namespace Microsoft.AspNet.Authentication.Cookies
 Assert.True(transaction1.SetCookie.Contains("path=/base"));
 }
- [Fact]
- public async Task CookieTurns401To403IfAuthenticated()
+ [Theory]
+ [InlineData(true)]
+ [InlineData(false)]
+ public async Task CookieTurns401To403IfAuthenticated(bool automatic)
 {
 var clock = new TestClock();
 var server = CreateServer(options =>
 {
+ options.AutomaticAuthentication = automatic;
 options.SystemClock = clock;
 }, SignInAsAlice);
 var transaction1 = await SendAsync(server, "http://example.com/testpath");
- var transaction2 = await SendAsync(server, "http://example.com/unauthorized", transaction1.CookieNameValue);
+ var url = "http://example.com/unauthorized";
+ if (automatic)
+ {
+ url += "auto";
+ }
+ var transaction2 = await SendAsync(server, url, transaction1.CookieNameValue);
 transaction2.Response.StatusCode.ShouldBe(HttpStatusCode.Forbidden);
 }
@@ -547,6 +555,11 @@ namespace Microsoft.AspNet.Authentication.Cookies
 var result = await context.Authentication.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
 context.Authentication.Challenge(CookieAuthenticationDefaults.AuthenticationScheme);
 }
+ else if (req.Path == new PathString("/unauthorizedauto"))
+ {
+ // Simulate Authorization failure
+ context.Authentication.Challenge(CookieAuthenticationDefaults.AuthenticationScheme);
+ }
 else if (req.Path == new PathString("/protected/CustomRedirect"))
 {
 context.Authentication.Challenge(new AuthenticationProperties() { RedirectUri = "/CustomRedirect" });
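Review bot: The URL for the automatic case is produced by appending `"auto"` to `"http://example.com/unauthorized"`, so a reader has to concatenate in their head to find the `/unauthorizedauto` route defined in the server setup; spelling both paths out, `var url = automatic ? "http://example.com/unauthorizedauto" : "http://example.com/unauthorized";`, replaces the five added lines and makes the route searchable. The Theory asserts the same 403 for both values of `automatic`, so a short comment on what differs between the two routes (an explicit `AuthenticateAsync` call versus relying on `AutomaticAuthentication`) would make the purpose of the parameter visible without reading the server setup.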
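Review bot: The comment `// Simulate Authorization failure` on the new `/unauthorizedauto` branch hides the one thing that distinguishes it from the branch above (whose header is outside the hunk): this branch never calls `AuthenticateAsync`, so the expected 401→403 conversion rests entirely on `AutomaticAuthentication` having authenticated the request before the challenge. Suggest `// No explicit AuthenticateAsync here: the challenge must still become a 403 when AutomaticAuthentication has authenticated the request`. The test only sends to this path with `automatic == true`; presumably a request with automatic authentication off would stay a 401 here, which is worth stating so nobody later reuses the route for the non-automatic case.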