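using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using ZB.MOM.WW.Auth.AspNetCore;

namespace ZB.MOM.WW.Auth.AspNetCore.Tests;

/// <summary>
/// Pins the cookie-authentication settings that <c>ZbCookieDefaults.Apply</c> writes onto a
/// <see cref="CookieAuthenticationOptions"/> instance, so a later change that weakens one of them
/// fails a test instead of shipping unnoticed.
/// </summary>
/// <remarks>
/// Only the properties asserted below are covered: HttpOnly, SameSite, SecurePolicy,
/// SlidingExpiration and ExpireTimeSpan. Anything else Apply may configure is not visible here.
/// </remarks>
public class ZbCookieDefaultsTests
{
    /// <summary>
    /// With default arguments the cookie is HttpOnly, SameSite=Strict, and uses sliding expiration.
    /// </summary>
    [Fact]
    public void Apply_SetsHardenedCookieFlags()
    {
        var options = new CookieAuthenticationOptions();

        ZbCookieDefaults.Apply(options);

        // HttpOnly keeps the authentication cookie unreadable from page script.
        Assert.True(options.Cookie.HttpOnly);
        // Strict: the browser does not attach the cookie to cross-site requests.
        Assert.Equal(SameSiteMode.Strict, options.Cookie.SameSite);
        // Sliding expiration makes ExpireTimeSpan an idle window that is renewed by activity.
        // NOTE(review): no absolute session lifetime is asserted anywhere in this class; whether
        // one is enforced elsewhere cannot be told from these tests.
        Assert.True(options.SlidingExpiration);
        // The Secure attribute is checked separately in Apply_DefaultsRequireHttpsToAlways.
    }

    /// <summary>
    /// An explicit <c>idleTimeout</c> argument becomes the cookie's <c>ExpireTimeSpan</c>.
    /// </summary>
    [Fact]
    public void Apply_UsesSuppliedIdleTimeout()
    {
        var options = new CookieAuthenticationOptions();
        var idle = TimeSpan.FromMinutes(12);

        ZbCookieDefaults.Apply(options, idleTimeout: idle);

        Assert.Equal(idle, options.ExpireTimeSpan);
    }

    /// <summary>
    /// Without an <c>idleTimeout</c> argument, <c>ZbCookieDefaults.DefaultIdleTimeout</c> is used.
    /// </summary>
    [Fact]
    public void Apply_DefaultsToDefaultIdleTimeout_WhenNotSupplied()
    {
        var options = new CookieAuthenticationOptions();

        ZbCookieDefaults.Apply(options);

        Assert.Equal(ZbCookieDefaults.DefaultIdleTimeout, options.ExpireTimeSpan);
    }

    /// <summary>
    /// <c>requireHttps: true</c> marks the cookie Secure on every response.
    /// </summary>
    [Fact]
    public void Apply_RequireHttpsTrue_SetsSecurePolicyAlways()
    {
        var options = new CookieAuthenticationOptions();

        ZbCookieDefaults.Apply(options, requireHttps: true);

        Assert.Equal(CookieSecurePolicy.Always, options.Cookie.SecurePolicy);
    }

    /// <summary>
    /// <c>requireHttps: false</c> relaxes the policy to <see cref="CookieSecurePolicy.SameAsRequest"/>.
    /// </summary>
    [Fact]
    public void Apply_RequireHttpsFalse_SetsSecurePolicySameAsRequest()
    {
        var options = new CookieAuthenticationOptions();

        ZbCookieDefaults.Apply(options, requireHttps: false);

        // SameAsRequest sets the Secure attribute only when the issuing request was HTTPS, so a
        // sign-in served over plain HTTP yields a cookie that also travels over plain HTTP.
        // NOTE(review): presumably intended for local development only; confirm that production
        // hosts never pass requireHttps: false.
        Assert.Equal(CookieSecurePolicy.SameAsRequest, options.Cookie.SecurePolicy);
    }

    /// <summary>
    /// The secure-by-default case: omitting <c>requireHttps</c> yields
    /// <see cref="CookieSecurePolicy.Always"/>, so a caller has to opt out explicitly to get a
    /// cookie without the Secure attribute.
    /// </summary>
    [Fact]
    public void Apply_DefaultsRequireHttpsToAlways()
    {
        var options = new CookieAuthenticationOptions();

        ZbCookieDefaults.Apply(options);

        Assert.Equal(CookieSecurePolicy.Always, options.Cookie.SecurePolicy);
    }

    /// <summary>
    /// Passing <c>null</c> options is rejected with an exception instead of being ignored.
    /// </summary>
    [Fact]
    public void Apply_NullOptions_Throws()
    {
        // The reviewed text had Assert.Throws with no type argument, which does not compile
        // against xUnit (the generic parameter cannot be inferred from the lambda).
        // NOTE(review): ArgumentNullException is assumed from the test name and the null
        // argument; confirm against the guard in ZbCookieDefaults.Apply.
        Assert.Throws<ArgumentNullException>(() => ZbCookieDefaults.Apply(null!));
    }
}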