using Microsoft.AspNetCore.Authentication;
using ScadaLink.CentralUI.Auth;
namespace ScadaLink.CentralUI.Tests.Auth;
/// <summary>
/// Guards the fix for CentralUI-005. <c>AuthEndpoints</c> used to stamp a fixed
/// <c>expires_at = UtcNow + 30 min</c> claim together with a 30-minute absolute
/// cookie <c>ExpiresUtc</c> and no sliding refresh, which contradicted the
/// documented "sliding refresh, 30-minute idle timeout" policy. The login handler
/// is now expected to build <see cref="AuthenticationProperties"/> that leave
/// expiry to the cookie middleware (sliding window) instead of imposing a
/// conflicting fixed absolute cap.
/// </summary>
/// <remarks>
/// These tests inspect only the object returned by
/// <c>AuthEndpoints.BuildSignInProperties()</c>. The idle timeout itself is
/// presumably configured on the cookie middleware (ExpireTimeSpan +
/// SlidingExpiration), which this file neither shows nor asserts; confirm that
/// configuration is pinned by a test elsewhere.
/// NOTE(review): with expiry purely sliding, nothing visible here bounds the
/// total lifetime of a continuously active session. Confirm whether the policy
/// also calls for an absolute maximum enforced somewhere other than
/// <c>ExpiresUtc</c>.
/// </remarks>
public class SessionExpiryPolicyTests
{
    /// <summary>
    /// The sign-in properties must not carry an explicit <c>ExpiresUtc</c>.
    /// </summary>
    [Fact]
    public void BuildSignInProperties_DoesNotSetFixedAbsoluteExpiry()
    {
        var signInProperties = AuthEndpoints.BuildSignInProperties();
        var absoluteExpiry = signInProperties.ExpiresUtc;

        // An explicit ExpiresUtc would bring back the hard 30-minute cap and
        // override the middleware's sliding window; expiry belongs to the
        // cookie middleware (ExpireTimeSpan + SlidingExpiration).
        Assert.Null(absoluteExpiry);
    }

    /// <summary>
    /// The sign-in properties must mark the session as persistent.
    /// </summary>
    [Fact]
    public void BuildSignInProperties_IsPersistent()
    {
        var signInProperties = AuthEndpoints.BuildSignInProperties();
        var persistent = signInProperties.IsPersistent;

        // NOTE(review): a persistent auth cookie normally outlives the browser
        // session; confirm that is intended for shared workstations.
        Assert.True(persistent);
    }

    /// <summary>
    /// The sign-in properties must not disable refresh of the session.
    /// </summary>
    [Fact]
    public void BuildSignInProperties_AllowsSlidingRefresh()
    {
        var signInProperties = AuthEndpoints.BuildSignInProperties();
        var refreshSetting = signInProperties.AllowRefresh;

        // Null or true leaves the cookie middleware free to slide the expiry
        // on activity. An explicit false would pin the session to an absolute
        // cap, which is the bug this finding covers.
        Assert.NotEqual(false, refreshSetting);
    }
}