diff --git a/src/Web/Controllers/AccountController.cs b/src/Web/Controllers/AccountController.cs
index a3d391c..281497b 100644
--- a/src/Web/Controllers/AccountController.cs
+++ b/src/Web/Controllers/AccountController.cs
@@ -52,7 +52,7 @@ namespace Microsoft.eShopWeb.Web.Controllers
 // POST: /Account/SignIn
 [HttpPost]
 [AllowAnonymous]
- //[ValidateAntiForgeryToken]
+ [ValidateAntiForgeryToken]
 public async Task SignIn(LoginViewModel model, string returnUrl = null)
 {
 if (!ModelState.IsValid)
diff --git a/tests/FunctionalTests/Web/Controllers/AccountControllerSignIn.cs b/tests/FunctionalTests/Web/Controllers/AccountControllerSignIn.cs
index 474a6b8..28697c4 100644
--- a/tests/FunctionalTests/Web/Controllers/AccountControllerSignIn.cs
+++ b/tests/FunctionalTests/Web/Controllers/AccountControllerSignIn.cs
@@ -2,8 +2,10 @@
 using Microsoft.eShopWeb.Web;
 using System;
 using System.Collections.Generic;
+using System.Linq;
 using System.Net;
 using System.Net.Http;
+using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using Xunit;
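Review bot: Enabling `[ValidateAntiForgeryToken]` on `SignIn` alone leaves every other POST action in this controller (and the rest of the site) dependent on the same per-action opt-in, which is exactly how this one ended up commented out; applying `[AutoValidateAntiforgeryToken]` at controller level, or registering `AutoValidateAntiforgeryTokenAttribute` as a global MVC filter, makes validation the default for unsafe verbs while leaving anonymous GETs untouched. The change also requires the sign-in view to emit the `__RequestVerificationToken` hidden field (form tag helper or `@Html.AntiForgeryToken()`), otherwise every sign-in POST now fails with 400; the functional test in this commit covers that for this one form only. `returnUrl` is still accepted as a free string here, and since `SignIn`'s body continues outside the hunk I cannot see how it is used, but any redirect built from it should pass `Url.IsLocalUrl(returnUrl)` first.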
@@ -31,30 +33,57 @@ namespace Microsoft.eShopWeb.FunctionalTests.Web.Controllers
 Assert.Contains("demouser@microsoft.com", stringResponse);
 }
- // TODO: Finish this test.
+ [Fact]
+ public async Task RegexMatchesValidRequestVerificationToken()
+ {
+ // TODO: Move to a unit test
+ // TODO: Move regex to a constant in test project
+ var input = @"";
+ string regexpression = @"name=""__RequestVerificationToken"" type=""hidden"" value=""([-A-Za-z0-9+=/\\_]+?)""";
+ var regex = new Regex(regexpression);
+ var match = regex.Match(input);
+ var group = match.Groups.LastOrDefault();
+ Assert.NotNull(group);
+ Assert.True(group.Value.Length > 50);
+ }
+
+ [Fact]
+ public async Task ReturnsFormWithRequestVerificationToken()
+ {
+ var response = await Client.GetAsync("/account/sign-in");
+ response.EnsureSuccessStatusCode();
+ var stringResponse = await response.Content.ReadAsStringAsync();
+
+ string token = GetRequestVerificationToken(stringResponse);
+ Assert.True(token.Length > 50);
+ }
+
+ private string GetRequestVerificationToken(string input)
+ {
+ string regexpression = @"name=""__RequestVerificationToken"" type=""hidden"" value=""([-A-Za-z0-9+=/\\_]+?)""";
+ var regex = new Regex(regexpression);
+ var match = regex.Match(input);
+ return match.Groups.LastOrDefault().Value;
+ }
+ [Fact]
+ public async Task ReturnsSuccessfulSignInOnPostWithValidCredentials()
+ {
- //var response = await Client.GetAsync("/account/sign-in");
- //response.EnsureSuccessStatusCode();
- //var stringResponse = await response.Content.ReadAsStringAsync();
- // TODO: Get the token from a Get call
- // Ref: https://buildmeasurelearn.wordpress.com/2016/11/23/handling-asp-net-mvcs-anti-forgery-tokens-when-load-testing-with-jmeter/
-
+ var getResponse = await Client.GetAsync("/account/sign-in");
+ getResponse.EnsureSuccessStatusCode();
+ var stringResponse1 = await getResponse.Content.ReadAsStringAsync();
+ string token = GetRequestVerificationToken(stringResponse1);
 var keyValues = new List>();
 keyValues.Add(new KeyValuePair("Email", "demouser@microsoft.com"));
 keyValues.Add(new KeyValuePair("Password", "Pass@word1"));
- keyValues.Add(new KeyValuePair("__RequestVerificationToken", "CfDJ8Obhlq65OzlDkoBvsSX0tgyXhgITd4pD1OocDNYfbIeOkBMVLl3SmcZjyHLFqAlfvNOcWnV73G520010NOL1VaHRODGXZxTNjkIOjOi36YW3Fs5Bb9K9baf0hLFrmFI4P1w-64FURukDzaWRGl0Tzw0"));
+ keyValues.Add(new KeyValuePair("__RequestVerificationToken", token));
 var formContent = new FormUrlEncodedContent(keyValues);
- var response = await Client.PostAsync("/account/sign-in", formContent);
- //response.EnsureSuccessStatusCode();
- var stringResponse = await response.Content.ReadAsStringAsync();
-
- Assert.Equal(HttpStatusCode.Redirect, response.StatusCode);
- Assert.Equal(new System.Uri("/", UriKind.Relative), response.Headers.Location);
+ var postResponse = await Client.PostAsync("/account/sign-in", formContent);
+ Assert.Equal(HttpStatusCode.Redirect, postResponse.StatusCode);
+ Assert.Equal(new System.Uri("/", UriKind.Relative), postResponse.Headers.Location);
 }
 }
 }
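Review bot: `GetRequestVerificationToken` never checks `match.Success`, so when the hidden field is missing `Groups.LastOrDefault()` is the implicit group 0 and the helper silently returns an empty string; the failure then surfaces as an opaque 400 on the POST in `ReturnsSuccessfulSignInOnPostWithValidCredentials` instead of at the point the token was expected. I would replace the helper's last three lines with `var match = Regex.Match(input, regexpression);` / `Assert.True(match.Success, "sign-in form has no __RequestVerificationToken hidden field");` / `return match.Groups[1].Value;`, which also names the capture explicitly rather than relying on it being the last group. `RegexMatchesValidRequestVerificationToken` is declared `async` with no `await` (CS1998) and, as rendered here, its `input` is an empty string, so it can only pass if the sample markup was lost from the page; either way it duplicates the pattern from the helper, which the TODO on it already asks to hoist into a single `private const string`. The enclosing class, and the test that the hunk's first context line belongs to, start outside the hunk.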