protect basket by manual manipulation of basket shop cookie (#609)

* protect basket by manual maipulation of  basket shop cookie (get and set)

* add diagram to explain issue 449

src/ApplicationCore/Entities/EshopDiagram.cd

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<ClassDiagram MajorVersion="1" MinorVersion="1">
+  <Class Name="Microsoft.eShopWeb.ApplicationCore.Entities.CatalogBrand" BaseTypeListCollapsed="true">
+    <Position X="3" Y="7.5" Width="1.5" />
+    <TypeIdentifier>
+      <HashCode>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAA=</HashCode>
+      <FileName>Entities\CatalogBrand.cs</FileName>
+    </TypeIdentifier>
+    <Lollipop Position="0.377" Collapsed="true" />
+  </Class>
+  <Class Name="Microsoft.eShopWeb.ApplicationCore.Entities.CatalogItem" BaseTypeListCollapsed="true">
+    <Position X="4.75" Y="3.5" Width="1.5" />
+    <TypeIdentifier>
+      <HashCode>AAgAAAAAA4AgAwAAAAAAAAQAAAEAAAAAAAAAAQAACQA=</HashCode>
+      <FileName>Entities\CatalogItem.cs</FileName>
+    </TypeIdentifier>
+    <ShowAsAssociation>
+      <Property Name="CatalogBrand" />
+      <Property Name="CatalogType" />
+    </ShowAsAssociation>
+    <Lollipop Position="0.2" Collapsed="true" />
+  </Class>
+  <Class Name="Microsoft.eShopWeb.ApplicationCore.Entities.CatalogType" BaseTypeListCollapsed="true">
+    <Position X="6.5" Y="7.75" Width="1.5" />
+    <TypeIdentifier>
+      <HashCode>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAA=</HashCode>
+      <FileName>Entities\CatalogType.cs</FileName>
+    </TypeIdentifier>
+    <Lollipop Position="0.2" Collapsed="true" />
+  </Class>
+  <Font Name="Segoe UI" Size="9" />
+</ClassDiagram>

src/Web/Areas/Identity/Pages/Account/Login.cshtml.cs

@@ -1,18 +1,17 @@
-using System;
+using Microsoft.AspNetCore.Authentication;
-using System.Collections.Generic;
-using System.ComponentModel.DataAnnotations;
-using System.Linq;
-using System.Threading.Tasks;
-using BlazorAdmin.Services;
 using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Mvc.RazorPages;
+using Microsoft.eShopWeb.ApplicationCore.Interfaces;
 using Microsoft.eShopWeb.Infrastructure.Identity;
 using Microsoft.Extensions.Logging;
-using Microsoft.eShopWeb.ApplicationCore.Interfaces;
+using System;
+using System.Collections.Generic;
+using System.ComponentModel.DataAnnotations;
+using System.Linq;
+using System.Threading.Tasks;
 
 namespace Microsoft.eShopWeb.Web.Areas.Identity.Pages.Account
 {
@@ -113,7 +112,10 @@ namespace Microsoft.eShopWeb.Web.Areas.Identity.Pages.Account
             if (Request.Cookies.ContainsKey(Constants.BASKET_COOKIENAME))
             {
                 var anonymousId = Request.Cookies[Constants.BASKET_COOKIENAME];
-                await _basketService.TransferBasketAsync(anonymousId, userName);
+                if (Guid.TryParse(anonymousId, out var _))
+                {
+                    await _basketService.TransferBasketAsync(anonymousId, userName);
+                }
                 Response.Cookies.Delete(Constants.BASKET_COOKIENAME);
             }
         }

src/Web/Pages/Basket/Index.cshtml.cs

@@ -76,6 +76,7 @@ namespace Microsoft.eShopWeb.Web.Pages.Basket
             {
                 GetOrSetBasketCookieAndUserName();
                 BasketModel = await _basketViewModelService.GetOrCreateBasketForUser(_username);
+
             }
         }
 
@@ -84,6 +85,14 @@ namespace Microsoft.eShopWeb.Web.Pages.Basket
             if (Request.Cookies.ContainsKey(Constants.BASKET_COOKIENAME))
             {
                 _username = Request.Cookies[Constants.BASKET_COOKIENAME];
+
+                if (!Request.HttpContext.User.Identity.IsAuthenticated)
+                {
+                    if (!Guid.TryParse(_username, out var _))
+                    {
+                        _username = null;
+                    }
+                }
             }
             if (_username != null) return;
 

src/Web/Pages/Shared/Components/BasketComponent/Basket.cs

@@ -4,6 +4,7 @@ using Microsoft.eShopWeb.Infrastructure.Identity;
 using Microsoft.eShopWeb.Web.Interfaces;
 using Microsoft.eShopWeb.Web.Pages.Basket;
 using Microsoft.eShopWeb.Web.ViewModels;
+using System;
 using System.Linq;
 using System.Threading.Tasks;
 
@@ -34,16 +35,24 @@ namespace Microsoft.eShopWeb.Web.Pages.Shared.Components.BasketComponent
             {
                 return await _basketService.GetOrCreateBasketForUser(User.Identity.Name);
             }
-            string anonymousId = GetBasketIdFromCookie();
+
-            if (anonymousId == null) return new BasketViewModel();
+            string anonymousId = GetAnnonymousIdFromCookie();
+            if (anonymousId == null)
+                return new BasketViewModel();
+
             return await _basketService.GetOrCreateBasketForUser(anonymousId);
         }
 
-        private string GetBasketIdFromCookie()
+        private string GetAnnonymousIdFromCookie()
         {
             if (Request.Cookies.ContainsKey(Constants.BASKET_COOKIENAME))
             {
-                return Request.Cookies[Constants.BASKET_COOKIENAME];
+                var id = Request.Cookies[Constants.BASKET_COOKIENAME];
+
+                if (Guid.TryParse(id, out var _))
+                {
+                    return id;
+                }
             }
             return null;
         }