fix(central-ui): resolve CentralUI-015..019 — pager windowing, logout CSRF, narrowed catch blocks, coverage; CentralUI-015 re-triaged Won't Fix

2026-05-16 22:04:21 -04:00
parent 404216b4ee
commit d7b275fc9b
18 changed files with 772 additions and 50 deletions
--- a/tests/ScadaLink.CentralUI.Tests/Auth/AuthEndpointsCsrfTests.cs
+++ b/tests/ScadaLink.CentralUI.Tests/Auth/AuthEndpointsCsrfTests.cs
@@ -0,0 +1,76 @@
+using Microsoft.AspNetCore.Antiforgery;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.Extensions.DependencyInjection;
+using ScadaLink.CentralUI.Auth;
+
+namespace ScadaLink.CentralUI.Tests.Auth;
+
+/// <summary>
+/// Regression tests for CentralUI-017. <c>POST /auth/logout</c> called
+/// <c>.DisableAntiforgery()</c> and a plain <c>GET /logout</c> route also
+/// signed the user out — either could be triggered cross-site to forcibly log
+/// a user out. Logout is a state-changing authenticated action and must be
+/// CSRF-protected: the POST keeps antiforgery enabled and the state-changing
+/// GET route is removed.
+/// </summary>
+public class AuthEndpointsCsrfTests
+{
+    private static IReadOnlyList<RouteEndpoint> BuildEndpoints()
+    {
+        var builder = WebApplication.CreateBuilder();
+        builder.Services.AddRouting();
+        builder.Services.AddAntiforgery();
+        var app = builder.Build();
+        app.MapAuthEndpoints();
+
+        return ((IEndpointRouteBuilder)app).DataSources
+            .SelectMany(ds => ds.Endpoints)
+            .OfType<RouteEndpoint>()
+            .ToList();
+    }
+
+    private static RouteEndpoint? Find(IReadOnlyList<RouteEndpoint> endpoints, string pattern, string method)
+        => endpoints.FirstOrDefault(e =>
+            e.RoutePattern.RawText == pattern &&
+            (e.Metadata.GetMetadata<HttpMethodMetadata>()?.HttpMethods.Contains(method) ?? false));
+
+    [Fact]
+    public void PostAuthLogout_DoesNotDisableAntiforgery()
+    {
+        var endpoints = BuildEndpoints();
+        var logout = Find(endpoints, "/auth/logout", "POST");
+
+        Assert.NotNull(logout);
+        // DisableAntiforgery() leaves an IAntiforgeryMetadata with
+        // RequiresValidation == false. A CSRF-protected POST has either no such
+        // metadata, or metadata that still requires validation.
+        var antiforgery = logout!.Metadata.GetMetadata<IAntiforgeryMetadata>();
+        Assert.True(antiforgery is null || antiforgery.RequiresValidation,
+            "POST /auth/logout must keep antiforgery validation enabled.");
+    }
+
+    [Fact]
+    public void GetLogout_StateChangingRoute_IsRemoved()
+    {
+        var endpoints = BuildEndpoints();
+        var getLogout = Find(endpoints, "/logout", "GET");
+
+        Assert.Null(getLogout);
+    }
+
+    [Fact]
+    public void PostAuthLogin_StillDisablesAntiforgery_PreAuthIsAcceptable()
+    {
+        // Login is a pre-auth endpoint; disabling antiforgery there is acceptable
+        // and intentional. This pins that the fix did not over-correct.
+        var endpoints = BuildEndpoints();
+        var login = Find(endpoints, "/auth/login", "POST");
+
+        Assert.NotNull(login);
+        var antiforgery = login!.Metadata.GetMetadata<IAntiforgeryMetadata>();
+        Assert.NotNull(antiforgery);
+        Assert.False(antiforgery!.RequiresValidation);
+    }
+}