AntiForgery.TryValidate
maxtoroq committed Aug 24, 2017
1 parent a4c2b39 commit f655872
Showing 4 changed files with 83 additions and 5 deletions.
34 changes: 34 additions & 0 deletions src/Xcst.AspNet/Framework/AntiXsrf/AntiForgery.cs
Expand Up @@ -119,5 +119,39 @@ public static class AntiForgery {

_worker.Validate(new HttpContextWrapper(context), cookieToken, formToken);
}

public static bool TryValidate() {

HttpContext context = HttpContext.Current;

if (context == null) throw new ArgumentException(WebPageResources.HttpContextUnavailable);

return TryValidate(new HttpContextWrapper(context));
}

public static bool TryValidate(HttpContextBase context) {

if (context == null) throw new ArgumentNullException(nameof(context));

return _worker.TryValidate(context);
}

[EditorBrowsable(EditorBrowsableState.Advanced)]
public static bool TryValidate(string cookieToken, string formToken) {

HttpContext context = HttpContext.Current;

if (context == null) throw new ArgumentException(WebPageResources.HttpContextUnavailable);

return TryValidate(new HttpContextWrapper(context), cookieToken, formToken);
}

[EditorBrowsable(EditorBrowsableState.Advanced)]
public static bool TryValidate(HttpContextBase context, string cookieToken, string formToken) {

if (context == null) throw new ArgumentNullException(nameof(context));

return _worker.TryValidate(context, cookieToken, formToken);
}
}
}
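Review bot: The four new public `TryValidate` overloads carry no XML documentation, and their contract is not obvious from the name: the two parameterless/token-string overloads still throw `ArgumentException` when `HttpContext.Current` is null, the context-taking ones throw `ArgumentNullException`, and only the token comparison itself is reported through the boolean. A `<summary>`/`<returns>`/`<exception>` block on each overload, stating `/// <returns>true when the request's anti-forgery tokens are valid; false otherwise.</returns>` and listing the two argument exceptions, would stop callers from treating the method as fully non-throwing. Whether a missing or malformed token yields `false` or an exception is decided in `AntiForgeryWorker` and `TokenValidator`, outside this file, so the doc should say which it is once that is settled.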
24 changes: 24 additions & 0 deletions src/Xcst.AspNet/Framework/AntiXsrf/AntiForgeryWorker.cs
Expand Up @@ -171,5 +171,29 @@ sealed class AntiForgeryWorker {
// Validate
_validator.ValidateTokens(httpContext, ExtractIdentity(httpContext), deserializedCookieToken, deserializedFormToken);
}

public bool TryValidate(HttpContextBase httpContext) {

CheckSSLConfig(httpContext);

// Extract cookie & form tokens
AntiForgeryToken cookieToken = _tokenStore.GetCookieToken(httpContext);
AntiForgeryToken formToken = _tokenStore.GetFormToken(httpContext);

// Validate
return _validator.TryValidateTokens(httpContext, ExtractIdentity(httpContext), cookieToken, formToken);
}

public bool TryValidate(HttpContextBase httpContext, string cookieToken, string formToken) {

CheckSSLConfig(httpContext);

// Extract cookie & form tokens
AntiForgeryToken deserializedCookieToken = DeserializeToken(cookieToken);
AntiForgeryToken deserializedFormToken = DeserializeToken(formToken);

// Validate
return _validator.TryValidateTokens(httpContext, ExtractIdentity(httpContext), deserializedCookieToken, deserializedFormToken);
}
}
}
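Review bot: Both `TryValidate` overloads call `CheckSSLConfig`, `_tokenStore.GetCookieToken`/`GetFormToken` and `DeserializeToken` before reaching `_validator.TryValidateTokens`, and none of those calls is guarded here; if any of them throws (their bodies are outside this hunk), a caller of `TryValidate` gets an exception for a malformed or absent token instead of `false`. If that split is intended, a comment on each overload such as `// Only the token comparison is reported as bool; SSL-config and token-format errors still propagate.` would make the contract explicit; otherwise the deserialization step needs a non-throwing variant so the Try method is consistent. The surrounding `AntiForgeryWorker` class starts outside the hunk.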
2 changes: 2 additions & 0 deletions src/Xcst.AspNet/Framework/AntiXsrf/ITokenValidator.cs
Expand Up @@ -25,5 +25,7 @@ interface ITokenValidator {
// Validates a (cookie, form) token pair.

void ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken cookieToken, AntiForgeryToken formToken);

bool TryValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken cookieToken, AntiForgeryToken formToken);
}
}
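Review bot: `TryValidateTokens` is added without the one-line comment the interface already gives `ValidateTokens`, so implementors have no stated contract for the return value. A line such as `// Returns true when the (cookie, form) token pair is valid, false when it is not.` above the new member, ideally also saying whether a null token yields false or an exception, would fix that.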
28 changes: 23 additions & 5 deletions src/Xcst.AspNet/Framework/AntiXsrf/TokenValidator.cs
Expand Up @@ -84,6 +84,22 @@ sealed class TokenValidator : ITokenValidator {

public void ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken) {

Exception ex = ValidateTokensImpl(httpContext, identity, sessionToken, fieldToken);

if (ex != null) {
throw ex;
}
}

public bool TryValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken) {

Exception ex = ValidateTokensImpl(httpContext, identity, sessionToken, fieldToken);

return ex != null;
}

Exception ValidateTokensImpl(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken) {

// Were the tokens even present at all?

if (sessionToken == null) throw HttpAntiForgeryException.CreateCookieMissingException(_config.CookieName);
Expand All @@ -92,13 +108,13 @@ sealed class TokenValidator : ITokenValidator {
// Do the tokens have the correct format?

if (!sessionToken.IsSessionToken || fieldToken.IsSessionToken) {
throw HttpAntiForgeryException.CreateTokensSwappedException(_config.CookieName, _config.FormFieldName);
return HttpAntiForgeryException.CreateTokensSwappedException(_config.CookieName, _config.FormFieldName);
}

// Are the security tokens embedded in each incoming token identical?

if (!Equals(sessionToken.SecurityToken, fieldToken.SecurityToken)) {
throw HttpAntiForgeryException.CreateSecurityTokenMismatchException();
return HttpAntiForgeryException.CreateSecurityTokenMismatchException();
}

// Is the incoming token meant for the current user?
Expand All @@ -123,17 +139,19 @@ sealed class TokenValidator : ITokenValidator {
|| currentUsername.StartsWith("https://", StringComparison.OrdinalIgnoreCase);

if (!String.Equals(fieldToken.Username, currentUsername, (useCaseSensitiveUsernameComparison) ? StringComparison.Ordinal : StringComparison.OrdinalIgnoreCase)) {
throw HttpAntiForgeryException.CreateUsernameMismatchException(fieldToken.Username, currentUsername);
return HttpAntiForgeryException.CreateUsernameMismatchException(fieldToken.Username, currentUsername);
}

if (!Equals(fieldToken.ClaimUid, currentClaimUid)) {
throw HttpAntiForgeryException.CreateClaimUidMismatchException();
return HttpAntiForgeryException.CreateClaimUidMismatchException();
}

// Is the AdditionalData valid?
if (_config.AdditionalDataProvider != null && !_config.AdditionalDataProvider.ValidateAdditionalData(httpContext, fieldToken.AdditionalData)) {
throw HttpAntiForgeryException.CreateAdditionalDataCheckFailedException();
return HttpAntiForgeryException.CreateAdditionalDataCheckFailedException();
}

return null;
}
}
}
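Review bot: `TryValidateTokens` has its result inverted at `return ex != null;` — `ValidateTokensImpl` returns a non-null exception exactly when validation failed, so a swapped, mismatched or other-user token pair is reported as valid while a correct pair reports false; it must read `return ex == null;`. Separately, the first checks in `ValidateTokensImpl` still `throw` (the `sessionToken == null` line, and presumably the collapsed field-token line after it), so `TryValidateTokens` throws for a missing cookie or form token rather than returning false; changing those two to `return HttpAntiForgeryException.Create...` keeps the Try contract uniform with the later checks that were converted. `ValidateTokensImpl` also has no access modifier; marking it `private` would match the intent. The middle of `ValidateTokensImpl` is collapsed between the hunks of this section.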
