fix(central-ui): resolve CentralUI-002/003/004 — site-scope enforcement, per-circuit console capture, cached auth state
This commit is contained in:
Joseph Doherty
@@ -0,0 +1,79 @@
|
||||
using System.Security.Claims;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using ScadaLink.CentralUI.Auth;
|
||||
|
||||
namespace ScadaLink.CentralUI.Tests.Auth;
|
||||
|
||||
/// <summary>
|
||||
/// Regression tests for CentralUI-004. The provider used to read
|
||||
/// <see cref="IHttpContextAccessor.HttpContext"/> on every call; once the Blazor
|
||||
/// circuit is established that context is gone, so later re-evaluations saw an
|
||||
/// unauthenticated principal. The provider must snapshot the principal once at
|
||||
/// construction (during the initial HTTP request) and serve it for the circuit.
|
||||
/// </summary>
|
||||
public class CookieAuthenticationStateProviderTests
|
||||
{
|
||||
private static ClaimsPrincipal AuthenticatedUser(string name)
|
||||
{
|
||||
var identity = new ClaimsIdentity(
|
||||
new[] { new Claim(ClaimTypes.Name, name) },
|
||||
authenticationType: "TestCookie");
|
||||
return new ClaimsPrincipal(identity);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task GetAuthenticationStateAsync_ReturnsAuthenticatedUser_WhenHttpContextPresent()
|
||||
{
|
||||
var accessor = new HttpContextAccessor
|
||||
{
|
||||
HttpContext = new DefaultHttpContext { User = AuthenticatedUser("alice") }
|
||||
};
|
||||
|
||||
var provider = new CookieAuthenticationStateProvider(accessor);
|
||||
var state = await provider.GetAuthenticationStateAsync();
|
||||
|
||||
Assert.True(state.User.Identity?.IsAuthenticated);
|
||||
Assert.Equal("alice", state.User.Identity?.Name);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task GetAuthenticationStateAsync_StillReturnsUser_AfterHttpContextIsGone()
|
||||
{
|
||||
// The circuit is built during the HTTP request: HttpContext is valid then.
|
||||
var accessor = new HttpContextAccessor
|
||||
{
|
||||
HttpContext = new DefaultHttpContext { User = AuthenticatedUser("bob") }
|
||||
};
|
||||
var provider = new CookieAuthenticationStateProvider(accessor);
|
||||
|
||||
// After the request completes, IHttpContextAccessor.HttpContext is null for
|
||||
// the life of the long-lived SignalR circuit.
|
||||
accessor.HttpContext = null;
|
||||
|
||||
var state = await provider.GetAuthenticationStateAsync();
|
||||
|
||||
// The pre-fix implementation returned an anonymous principal here.
|
||||
Assert.True(state.User.Identity?.IsAuthenticated);
|
||||
Assert.Equal("bob", state.User.Identity?.Name);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task GetAuthenticationStateAsync_IsStableAcrossCalls_IgnoringStaleForeignContext()
|
||||
{
|
||||
var accessor = new HttpContextAccessor
|
||||
{
|
||||
HttpContext = new DefaultHttpContext { User = AuthenticatedUser("carol") }
|
||||
};
|
||||
var provider = new CookieAuthenticationStateProvider(accessor);
|
||||
|
||||
// A stale/foreign context leaking through the AsyncLocal accessor must NOT
|
||||
// change what this circuit's provider reports.
|
||||
accessor.HttpContext = new DefaultHttpContext { User = AuthenticatedUser("intruder") };
|
||||
|
||||
var first = await provider.GetAuthenticationStateAsync();
|
||||
var second = await provider.GetAuthenticationStateAsync();
|
||||
|
||||
Assert.Equal("carol", first.User.Identity?.Name);
|
||||
Assert.Equal("carol", second.User.Identity?.Name);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user