configure what host is allowed through

calebjenkins · calebjenkins · May 3, 2022 · Apr 27, 2022 · Apr 29, 2022 · Apr 29, 2022
commit ac5d34e6a93d59889556e338aa97c02f4f0dafa8
diff --git a/README.md b/README.md
@@ -67,7 +67,7 @@ client.SetFakeAuthClaims(
 );
 ```
 
-You can also re-use any profiles that impliment `IFakeAuthProfile` directly on your `HttpClient`:
+You can also re-use any profiles that implement `IFakeAuthProfile` directly on your `HttpClient`:
 ```csharp
  client.SetFakeAuthClaims<DefaultProfile>();
 ```
@@ -90,8 +90,8 @@ In .NET 6 you are no longer required to use a StartUp class. You can still use F
 - For Demo based applications that you want people to download and run - without needing to set up a production identity service first, or without sharing your application id/client secret information. 
 
 ### Not for - FakeAuth can not be used in production
-- Do not use FakeAuth in a production enviroment
-- FakeAuth will only work on http://localhost/ - it's intended to be a development tool.
+- Do not use FakeAuth in a production environment
+- FakeAuth will only work on http://localhost/ by default - it's intended to be a development tool.
 - You will want to transition to an actual OAuth / Claims provider before you go to Production. Starting with Fake Auth can help you establish and document which claims your application will rely on. 
 
 ## Contributing to FakeAuth

diff --git a/Tests/FakeAuth.IntegrationTests/Manager_AccessTests.cs b/Tests/FakeAuth.IntegrationTests/Manager_AccessTests.cs
@@ -5,11 +5,11 @@
 using System.Net;
 using System.Net.Http;
 using System.Security.Claims;
-using FakeAuth.Testing;
-
+using FakeAuth.Testing;
+
 namespace FakeAuth.IntegrationTests
-{
-	// Added Collection Attribute so that our tests aren't run in parallel
+{
+	// Added Collection Attribute so that our tests aren't run in parallel
 	[Collection("Integration Tests")]
 	public class Manager_AccessTests :IDisposable
 	{
@@ -52,6 +52,21 @@ public async Task Should_Also_Be_Able_To_Access_Manager_Endpoint()
 			content.Should().NotBeNullOrEmpty();
 		}
 
+		[Fact]
+		public async Task Should_Be_Able_To_Access_Manager_Endpoint_Byhand_claims()
+		{
+			_client.DefaultRequestHeaders.Remove(FakeAuthDefaults.ClaimsHeaderName);
+			_client.DefaultRequestHeaders.Add(FakeAuthDefaults.ClaimsHeaderName, $"{ClaimTypes.Name},Joe Manager");
+			_client.DefaultRequestHeaders.Add(FakeAuthDefaults.ClaimsHeaderName, $"{ClaimTypes.Role},Manager");
+			// Act
+			var response = await _client.GetAsync("/api/protected");
+
+			// Assert
+			response.StatusCode.Should().Be(HttpStatusCode.OK);
+			var content = await response.Content.ReadAsStringAsync();
+			content.Should().NotBeNullOrEmpty();
+		}
+
 		public void Dispose()
 		{
 			_client?.Dispose();

diff --git a/Tests/FakeAuth.IntegrationTests/Manager_AccessTests_with_Profiles.cs b/Tests/FakeAuth.IntegrationTests/Manager_AccessTests_with_Profiles.cs
@@ -1,10 +1,10 @@
 using FakeAuth.Testing;
-using FluentAssertions;
-using System;
-using System.Net;
-using System.Net.Http;
-using System.Threading.Tasks;
-using Xunit;
+using FluentAssertions;
+using System;
+using System.Net;
+using System.Net.Http;
+using System.Threading.Tasks;
+using Xunit;
 
 namespace FakeAuth.IntegrationTests;
 
@@ -20,7 +20,7 @@ public Manager_AccessTests_with_Profiles()
 		_appUnderTest = new TestWebApplication();
 		_client = _appUnderTest.CreateClient();
 
-		_client.SetFakeAuthClaimns<ManagerJoeProfile>();
+		_client.SetFakeAuthClaims<ManagerJoeProfile>();
 	}
 
 
@@ -53,4 +53,4 @@ public void Dispose()
 		_client?.Dispose();
 		_appUnderTest?.Dispose();
 	}
-}
+}
diff --git a/Tests/FakeAuth.IntegrationTests/NonLocalhostRejectionTests.cs b/Tests/FakeAuth.IntegrationTests/NonLocalhostRejectionTests.cs
@@ -0,0 +1,39 @@
+using System.Net;
+using System.Threading.Tasks;
+using FluentAssertions;
+using Xunit;
+
+namespace FakeAuth.IntegrationTests;
+
+[Collection("Integration Tests")]
+public sealed class NonLocalhostTests
+{
+	[Fact]
+	public async Task ThrowsOnNonLocalhost()
+	{
+		using var app = new TestWebApplication
+		{
+			Host = "example.com",
+		};
+		using var client = app.CreateClient();
+
+		var result = await client.GetAsync("/api/open");
+
+		result.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
+	}
+
+	[Fact]
+	public async Task AllowsNonLocalhostWhenConfigured()
+	{
+		using var app = new TestWebApplication
+		{
+			Host = "example.com",
+			AllowedHost = "example.com",
+		};
+		using var client = app.CreateClient();
+
+		var result = await client.GetAsync("/api/open");
+
+		result.StatusCode.Should().Be(HttpStatusCode.OK);
+	}
+}
diff --git a/Tests/FakeAuth.IntegrationTests/Non_Manager_AccessTests_with_Profile.cs b/Tests/FakeAuth.IntegrationTests/Non_Manager_AccessTests_with_Profile.cs
@@ -5,9 +5,9 @@
 using System.Threading.Tasks;
 using System.Net;
 using System.Security.Claims;
-using System.Net.Http;
-using FakeAuth.Testing;
-
+using System.Net.Http;
+using FakeAuth.Testing;
+
 namespace FakeAuth.IntegrationTests
 {
 	[Collection("Integration Tests")]
@@ -21,13 +21,13 @@ public Non_Manager_AccessTests_with_Profile()
 			_appUnderTest = new TestWebApplication();
 			_client = _appUnderTest.CreateClient();
 
-			_client.SetFakeAuthClaimns<NonManagerJoeProfile>();
+			_client.SetFakeAuthClaims<NonManagerJoeProfile>();
 		}
-		
-		public void Dispose()
-		{
-			_client?.Dispose();
-			_appUnderTest?.Dispose();
+
+		public void Dispose()
+		{
+			_client?.Dispose();
+			_appUnderTest?.Dispose();
 		}
 
 		[Fact]

diff --git a/Tests/FakeAuth.IntegrationTests/TestWebApplication.cs b/Tests/FakeAuth.IntegrationTests/TestWebApplication.cs
@@ -1,11 +1,30 @@
-using System.Collections.Generic;
-using System.Security.Claims;
+using intigrationtests.SampleWeb;
+using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Testing;
-using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.DependencyInjection;
 
 namespace FakeAuth.IntegrationTests
 {
 	public class TestWebApplication : WebApplicationFactory<Program>
 	{
+		public string? Host { get; set; }
+		public string? AllowedHost { get; set; }
+
+		protected override void ConfigureWebHost(IWebHostBuilder builder)
+		{
+			base.ConfigureWebHost(builder);
+
+			builder.ConfigureServices(services =>
+			{
+				services.Configure<HostRewriteSettings>(s =>
+				{
+					s.Host = Host;
+				});
+				services.Configure<FakeAuthOptions>(FakeAuthDefaults.SchemaName, opts =>
+				{
+					opts.AllowedHost = AllowedHost ?? FakeAuthOptions.DefaultAllowedHost;
+				});
+			});
+		}
 	}
 }
diff --git a/Tests/intigrationtests.SampleWeb/HostRewriteSettings.cs b/Tests/intigrationtests.SampleWeb/HostRewriteSettings.cs
@@ -0,0 +1,6 @@
+namespace intigrationtests.SampleWeb;
+
+public sealed class HostRewriteSettings
+{
+	public string Host { get; set; }
+}
diff --git a/Tests/intigrationtests.SampleWeb/Program.cs b/Tests/intigrationtests.SampleWeb/Program.cs
@@ -1,15 +1,14 @@
-using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Authentication.OpenIdConnect;
-using Microsoft.AspNetCore.Authorization;
-using Microsoft.AspNetCore.Mvc.Authorization;
-using Microsoft.Identity.Web;
 using Microsoft.Identity.Web.UI;
 using FakeAuth;
+using intigrationtests.SampleWeb;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.Extensions.Options;
+
+var builder = WebApplication.CreateBuilder(args);
 
-var builder = WebApplication.CreateBuilder(args);
-
 builder.Services.AddAuthentication()
 	.AddFakeAuth();
+builder.Services.Configure<HostRewriteSettings>(_ => { });
 
 builder.Services.AddAuthorization(options =>
 {
@@ -20,9 +19,6 @@
 	 .AddMicrosoftIdentityUI();
 builder.Services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
 
-//For(typeof(ILogger<>)).Use(typeof(Logger<>));
-
-
 var app = builder.Build();
 
 // Configure the HTTP request pipeline.
@@ -38,6 +34,17 @@
 
 app.UseRouting();
 
+app.Use((ctx, next) =>
+{
+	var settings = app.Services.GetRequiredService<IOptions<HostRewriteSettings>>();
+
+	if (!string.IsNullOrEmpty(settings.Value.Host))
+	{
+		ctx.Request.Host = new HostString(settings.Value.Host);
+	}
+	return next();
+});
+
 app.UseAuthentication();
 app.UseAuthorization();
 

diff --git a/src/FakeAuth/FakeAuthHandler.cs b/src/FakeAuth/FakeAuthHandler.cs
@@ -29,23 +29,23 @@ ISystemClock clock
 		protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
 #pragma warning restore CS1998 // Async method lacks 'await' operators and will run synchronously
 		{
-			if (!CurrentUri.ToUpper().Contains("://LOCALHOST"))
+			var host = Context.Request.Host.Host;
+			if (host.ToUpper() != Options.AllowedHost.ToUpper())
 			{
-				_logger.LogError("Library only intended for localhost developement");
-				return AuthenticateResult.Fail("FakeAuth can only be used for localhost developement. Please impliment another OAuth solution for other scenarios");
+				_logger.LogError("Failing authentication due to unexpected host {Host} when allowed host is {AllowedHost}", host, Options.AllowedHost);
+				return AuthenticateResult.Fail($"FakeAuth fails all requests that do not match {Options.AllowedHost}; got host {host}.");
 			}
 
 			var claims = Options.Claims;
 			if (Request.Headers.ContainsKey(FakeAuthDefaults.ClaimsHeaderName))
 			{
-				var headerVal = Request.Headers[FakeAuthDefaults.ClaimsHeaderName][0];
-				using var stream = new MemoryStream(Convert.FromBase64String(headerVal));
-				using var reader = new BinaryReader(stream);
+				var claimValues = Request.Headers[FakeAuthDefaults.ClaimsHeaderName];
 
 				claims = new List<Claim>();
-				while (stream.Position < stream.Length)
+				foreach(var c in claimValues)
 				{
-					claims.Add(new Claim(reader));
+					var parts = c.Split(",");
+					claims.Add(new Claim(parts[0], parts[1]));
 				}
 			}
 

diff --git a/src/FakeAuth/FakeAuthOptions.cs b/src/FakeAuth/FakeAuthOptions.cs
@@ -6,11 +6,14 @@ namespace FakeAuth
 {
 	public class FakeAuthOptions : AuthenticationSchemeOptions
 	{
+		public const string DefaultAllowedHost = "localhost";
 		public FakeAuthOptions()
 		{
 			Claims = new List<Claim>();
 		}
 
 		public List<Claim> Claims { get; set; }
+
+		public string AllowedHost { get; set; } = DefaultAllowedHost;
 	}
-}
+}
diff --git a/src/FakeAuth/Testing/HttpClientExtensions.cs b/src/FakeAuth/Testing/HttpClientExtensions.cs
@@ -1,36 +1,30 @@
 using FakeAuth.Profiles;
 using System;
+using System.Dynamic;
 using System.IO;
-using System.Linq;
+using System.Linq;
 using System.Net.Http;
 using System.Security.Claims;
 
-namespace FakeAuth.Testing
-{
+namespace FakeAuth.Testing
+{
 	public static class HttpClientExtensions
 	{
-		public static void SetFakeAuthClaimns<TProfile>(this HttpClient client) where TProfile : IFakeAuthProfile, new()
-		{
-			TProfile profile = new TProfile();
-			var claims = profile.GetClaims().ToArray();
-			client.SetFakeAuthClaims(claims);
+		public static void SetFakeAuthClaims<TProfile>(this HttpClient client) where TProfile : IFakeAuthProfile, new()
+		{
+			TProfile profile = new TProfile();
+			var claims = profile.GetClaims().ToArray();
+			client.SetFakeAuthClaims(claims);
 		}
 
 		public static void SetFakeAuthClaims(this HttpClient client, params Claim[] claims)
 		{
 			client.DefaultRequestHeaders.Remove(FakeAuthDefaults.ClaimsHeaderName);
 
-			using var stream = new MemoryStream();
-			using var writer = new BinaryWriter(stream);
-
 			foreach (var c in claims)
 			{
-				c.WriteTo(writer);
+				client.DefaultRequestHeaders.Add(FakeAuthDefaults.ClaimsHeaderName, $"{c.Type},{c.Value}");
 			}
-
-			var headerValue = Convert.ToBase64String(stream.ToArray());
-
-			client.DefaultRequestHeaders.Add(FakeAuthDefaults.ClaimsHeaderName, headerValue);
 		}
 	}
 }