Skip to content

Commit c233df2

Browse files
Add test
1 parent 5ea3fe3 commit c233df2

1 file changed

Lines changed: 46 additions & 0 deletions

File tree

src/Service.Tests/Authentication/EasyAuthAuthenticationUnitTests.cs

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,9 +2,11 @@
22
// Licensed under the MIT License.
33

44
#nullable enable
5+
using System;
56
using System.Collections.Generic;
67
using System.Linq;
78
using System.Net;
9+
using System.Net.Http;
810
using System.Security.Claims;
911
using System.Threading.Tasks;
1012
using Azure.DataApiBuilder.Config.ObjectModel;
@@ -344,6 +346,50 @@ await SendRequestAndGetHttpContextState(
344346
ignoreCase: true);
345347
}
346348

349+
/// <summary>
350+
/// Tests we ensure that an invalid query in the EasyAuth header does not result in a successful request.
351+
/// </summary>
352+
[TestMethod]
353+
public async Task TestInvalidQueryInHeader()
354+
{
355+
string header = @"
356+
{
357+
""auth_typ"":""aad"",
358+
""claims"":[
359+
{
360+
""typ"":""x', N'v';
361+
SET IDENTITY_INSERT authors ON;
362+
INSERT INTO authors (id, name, birthdate) VALUES (10001, 'Hidden Author', '2001-01-01');
363+
SET IDENTITY_INSERT authors OFF;
364+
SELECT 1 AS inserted FOR JSON PATH, WITHOUT_ARRAY_WRAPPER;
365+
--"",
366+
""val"":""x""
367+
}
368+
]
369+
}";
370+
371+
string generatedToken = Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(header));
372+
HttpContext postMiddlewareContext =
373+
await SendRequestAndGetHttpContextState(
374+
generatedToken,
375+
EasyAuthType.StaticWebApps,
376+
clientRoleHeader: "authenticated");
377+
Assert.AreEqual(expected: (int)HttpStatusCode.OK, actual: postMiddlewareContext.Response.StatusCode);
378+
379+
using IHost host = await WebHostBuilderHelper.CreateWebHost(EasyAuthType.StaticWebApps.ToString(), false);
380+
TestServer server = host.GetTestServer();
381+
HttpClient client = server.CreateClient();
382+
383+
HttpRequestMessage request = new(HttpMethod.Get, $"api/Author/id/10001");
384+
HttpResponseMessage response = await client.SendAsync(request);
385+
string responseBody = await response.Content.ReadAsStringAsync();
386+
387+
Assert.IsFalse(responseBody.Contains($"\"id\":10001"),
388+
"The GET request should not return the invalid row.");
389+
Assert.IsFalse(responseBody.Contains("Hidden Author"),
390+
"The GET request should not return any information related to the invalid row.");
391+
}
392+
347393
/// <summary>
348394
/// - Ensures an invalid EasyAuth header payload results in HTTP 401 Unauthorized response
349395
/// A correctly configured EasyAuth environment guarantees an EasyAuth payload for authenticated requests.

0 commit comments

Comments
 (0)