protect basket by manual manipulation of basket shop cookie (#609)
* protect basket by manual maipulation of basket shop cookie (get and set) * add diagram to explain issue 449
This commit is contained in:
Cédric Michel
GitHub
@@ -1,18 +1,17 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.ComponentModel.DataAnnotations;
|
||||
using System.Linq;
|
||||
using System.Threading.Tasks;
|
||||
using BlazorAdmin.Services;
|
||||
using Microsoft.AspNetCore.Authentication;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Microsoft.AspNetCore.Authentication;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using Microsoft.AspNetCore.Identity;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
using Microsoft.AspNetCore.Mvc.RazorPages;
|
||||
using Microsoft.eShopWeb.ApplicationCore.Interfaces;
|
||||
using Microsoft.eShopWeb.Infrastructure.Identity;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using Microsoft.eShopWeb.ApplicationCore.Interfaces;
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.ComponentModel.DataAnnotations;
|
||||
using System.Linq;
|
||||
using System.Threading.Tasks;
|
||||
|
||||
namespace Microsoft.eShopWeb.Web.Areas.Identity.Pages.Account
|
||||
{
|
||||
@@ -113,7 +112,10 @@ namespace Microsoft.eShopWeb.Web.Areas.Identity.Pages.Account
|
||||
if (Request.Cookies.ContainsKey(Constants.BASKET_COOKIENAME))
|
||||
{
|
||||
var anonymousId = Request.Cookies[Constants.BASKET_COOKIENAME];
|
||||
await _basketService.TransferBasketAsync(anonymousId, userName);
|
||||
if (Guid.TryParse(anonymousId, out var _))
|
||||
{
|
||||
await _basketService.TransferBasketAsync(anonymousId, userName);
|
||||
}
|
||||
Response.Cookies.Delete(Constants.BASKET_COOKIENAME);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -76,6 +76,7 @@ namespace Microsoft.eShopWeb.Web.Pages.Basket
|
||||
{
|
||||
GetOrSetBasketCookieAndUserName();
|
||||
BasketModel = await _basketViewModelService.GetOrCreateBasketForUser(_username);
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -84,6 +85,14 @@ namespace Microsoft.eShopWeb.Web.Pages.Basket
|
||||
if (Request.Cookies.ContainsKey(Constants.BASKET_COOKIENAME))
|
||||
{
|
||||
_username = Request.Cookies[Constants.BASKET_COOKIENAME];
|
||||
|
||||
if (!Request.HttpContext.User.Identity.IsAuthenticated)
|
||||
{
|
||||
if (!Guid.TryParse(_username, out var _))
|
||||
{
|
||||
_username = null;
|
||||
}
|
||||
}
|
||||
}
|
||||
if (_username != null) return;
|
||||
|
||||
|
||||
@@ -4,6 +4,7 @@ using Microsoft.eShopWeb.Infrastructure.Identity;
|
||||
using Microsoft.eShopWeb.Web.Interfaces;
|
||||
using Microsoft.eShopWeb.Web.Pages.Basket;
|
||||
using Microsoft.eShopWeb.Web.ViewModels;
|
||||
using System;
|
||||
using System.Linq;
|
||||
using System.Threading.Tasks;
|
||||
|
||||
@@ -34,16 +35,24 @@ namespace Microsoft.eShopWeb.Web.Pages.Shared.Components.BasketComponent
|
||||
{
|
||||
return await _basketService.GetOrCreateBasketForUser(User.Identity.Name);
|
||||
}
|
||||
string anonymousId = GetBasketIdFromCookie();
|
||||
if (anonymousId == null) return new BasketViewModel();
|
||||
|
||||
string anonymousId = GetAnnonymousIdFromCookie();
|
||||
if (anonymousId == null)
|
||||
return new BasketViewModel();
|
||||
|
||||
return await _basketService.GetOrCreateBasketForUser(anonymousId);
|
||||
}
|
||||
|
||||
private string GetBasketIdFromCookie()
|
||||
private string GetAnnonymousIdFromCookie()
|
||||
{
|
||||
if (Request.Cookies.ContainsKey(Constants.BASKET_COOKIENAME))
|
||||
{
|
||||
return Request.Cookies[Constants.BASKET_COOKIENAME];
|
||||
var id = Request.Cookies[Constants.BASKET_COOKIENAME];
|
||||
|
||||
if (Guid.TryParse(id, out var _))
|
||||
{
|
||||
return id;
|
||||
}
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user