protect basket by manual manipulation of basket shop cookie (#609)

* protect basket by manual maipulation of basket shop cookie (get and set) * add diagram to explain issue 449
2021-11-01 17:28:01 +01:00
parent ed30f3dcc4
commit 47f69eb294
4 changed files with 65 additions and 13 deletions
--- a/src/ApplicationCore/Entities/EshopDiagram.cd
+++ b/src/ApplicationCore/Entities/EshopDiagram.cd
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ClassDiagram MajorVersion="1" MinorVersion="1">
+  <Class Name="Microsoft.eShopWeb.ApplicationCore.Entities.CatalogBrand" BaseTypeListCollapsed="true">
+    <Position X="3" Y="7.5" Width="1.5" />
+    <TypeIdentifier>
+      <HashCode>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAA=</HashCode>
+      <FileName>Entities\CatalogBrand.cs</FileName>
+    </TypeIdentifier>
+    <Lollipop Position="0.377" Collapsed="true" />
+  </Class>
+  <Class Name="Microsoft.eShopWeb.ApplicationCore.Entities.CatalogItem" BaseTypeListCollapsed="true">
+    <Position X="4.75" Y="3.5" Width="1.5" />
+    <TypeIdentifier>
+      <HashCode>AAgAAAAAA4AgAwAAAAAAAAQAAAEAAAAAAAAAAQAACQA=</HashCode>
+      <FileName>Entities\CatalogItem.cs</FileName>
+    </TypeIdentifier>
+    <ShowAsAssociation>
+      <Property Name="CatalogBrand" />
+      <Property Name="CatalogType" />
+    </ShowAsAssociation>
+    <Lollipop Position="0.2" Collapsed="true" />
+  </Class>
+  <Class Name="Microsoft.eShopWeb.ApplicationCore.Entities.CatalogType" BaseTypeListCollapsed="true">
+    <Position X="6.5" Y="7.75" Width="1.5" />
+    <TypeIdentifier>
+      <HashCode>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAA=</HashCode>
+      <FileName>Entities\CatalogType.cs</FileName>
+    </TypeIdentifier>
+    <Lollipop Position="0.2" Collapsed="true" />
+  </Class>
+  <Font Name="Segoe UI" Size="9" />
+</ClassDiagram>
--- a/src/Web/Areas/Identity/Pages/Account/Login.cshtml.cs
+++ b/src/Web/Areas/Identity/Pages/Account/Login.cshtml.cs
@@ -1,18 +1,17 @@
-using System;
-using System.Collections.Generic;
-using System.ComponentModel.DataAnnotations;
-using System.Linq;
-using System.Threading.Tasks;
-using BlazorAdmin.Services;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.eShopWeb.ApplicationCore.Interfaces;
 using Microsoft.eShopWeb.Infrastructure.Identity;
 using Microsoft.Extensions.Logging;
-using Microsoft.eShopWeb.ApplicationCore.Interfaces;
+using System;
+using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
+using System.Linq;
+using System.Threading.Tasks;

 namespace Microsoft.eShopWeb.Web.Areas.Identity.Pages.Account
 {
@@ -113,7 +112,10 @@ namespace Microsoft.eShopWeb.Web.Areas.Identity.Pages.Account
            if (Request.Cookies.ContainsKey(Constants.BASKET_COOKIENAME))
            {
                var anonymousId = Request.Cookies[Constants.BASKET_COOKIENAME];
-                await _basketService.TransferBasketAsync(anonymousId, userName);
+                if (Guid.TryParse(anonymousId, out var _))
+                {
+                    await _basketService.TransferBasketAsync(anonymousId, userName);
+                }
                Response.Cookies.Delete(Constants.BASKET_COOKIENAME);
            }
        }
--- a/src/Web/Pages/Basket/Index.cshtml.cs
+++ b/src/Web/Pages/Basket/Index.cshtml.cs
@@ -76,6 +76,7 @@ namespace Microsoft.eShopWeb.Web.Pages.Basket
            {
                GetOrSetBasketCookieAndUserName();
                BasketModel = await _basketViewModelService.GetOrCreateBasketForUser(_username);
+
            }
        }

@@ -84,6 +85,14 @@ namespace Microsoft.eShopWeb.Web.Pages.Basket
            if (Request.Cookies.ContainsKey(Constants.BASKET_COOKIENAME))
            {
                _username = Request.Cookies[Constants.BASKET_COOKIENAME];
+
+                if (!Request.HttpContext.User.Identity.IsAuthenticated)
+                {
+                    if (!Guid.TryParse(_username, out var _))
+                    {
+                        _username = null;
+                    }
+                }
            }
            if (_username != null) return;

--- a/src/Web/Pages/Shared/Components/BasketComponent/Basket.cs
+++ b/src/Web/Pages/Shared/Components/BasketComponent/Basket.cs
@@ -4,6 +4,7 @@ using Microsoft.eShopWeb.Infrastructure.Identity;
 using Microsoft.eShopWeb.Web.Interfaces;
 using Microsoft.eShopWeb.Web.Pages.Basket;
 using Microsoft.eShopWeb.Web.ViewModels;
+using System;
 using System.Linq;
 using System.Threading.Tasks;

@@ -34,16 +35,24 @@ namespace Microsoft.eShopWeb.Web.Pages.Shared.Components.BasketComponent
            {
                return await _basketService.GetOrCreateBasketForUser(User.Identity.Name);
            }
-            string anonymousId = GetBasketIdFromCookie();
-            if (anonymousId == null) return new BasketViewModel();
+
+            string anonymousId = GetAnnonymousIdFromCookie();
+            if (anonymousId == null)
+                return new BasketViewModel();
+
            return await _basketService.GetOrCreateBasketForUser(anonymousId);
        }

-        private string GetBasketIdFromCookie()
+        private string GetAnnonymousIdFromCookie()
        {
            if (Request.Cookies.ContainsKey(Constants.BASKET_COOKIENAME))
            {
-                return Request.Cookies[Constants.BASKET_COOKIENAME];
+                var id = Request.Cookies[Constants.BASKET_COOKIENAME];
+
+                if (Guid.TryParse(id, out var _))
+                {
+                    return id;
+                }
            }
            return null;
        }