validator will also look at the headers for the key too. Closes FubuM…

…vcArchiveGH-5
KevM · Feb 18, 2014 · 8dc1b53 · 8dc1b53
1 parent 0b78275
commit 8dc1b53
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 10 deletions.
diff --git a/src/FubuMVC.AntiForgery.Testing/AntiForgeryValidatorTester.cs b/src/FubuMVC.AntiForgery.Testing/AntiForgeryValidatorTester.cs
@@ -19,6 +19,7 @@ public class AntiForgeryValidatorTester : InteractionContext<AntiForgeryValidato
         private AntiForgeryData _formToken;
         private ICookies _cookies;
         private IValueSource _valueSource;
+        private IValueSource _headerSource;
 
         protected override void beforeEach()
         {
@@ -29,7 +30,10 @@ protected override void beforeEach()
             MockFor<IRequestData>().Stub(x => x.Value("ApplicationPath")).Return("Path");
 
             _valueSource = MockFor<IValueSource>();
+            _headerSource = MockFor<IValueSource>();
+
             MockFor<IRequestData>().Stub(x => x.ValuesFor(RequestDataSource.Request)).Return(_valueSource);
+            MockFor<IRequestData>().Stub(x => x.ValuesFor(RequestDataSource.Header)).Return(_headerSource);
 
             _cookies = MockFor<ICookies>();
 
@@ -119,5 +123,16 @@ public void should_validate_with_correct_request_data()
             _valueSource.Stub(x => x.Get("FormName")).Return("FormValue");
             ClassUnderTest.Validate("Salty").ShouldBeTrue();
         }
+
+        [Test]
+        public void should_validate_with_correct_request_data_from_header()
+        {
+            Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity("User"), null);
+            MockFor<IIdentity>().Stub(x => x.IsAuthenticated).Return(true);
+            MockFor<IIdentity>().Stub(x => x.Name).Return("User");
+            _cookies.Stub(x => x.Get("CookieName")).Return(new Cookie("CookieName", "CookieValue"));
+            _headerSource.Stub(x => x.Get("FormName")).Return("FormValue");
+            ClassUnderTest.Validate("Salty").ShouldBeTrue();
+        }
     }
 }
diff --git a/src/FubuMVC.AntiForgery/AntiForgeryValidator.cs b/src/FubuMVC.AntiForgery/AntiForgeryValidator.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Threading;
 using System.Web;
+using FubuCore;
 using FubuCore.Binding;
 using FubuMVC.Core.Http;
 using FubuMVC.Core.Http.Cookies;
@@ -17,8 +18,8 @@ public class AntiForgeryValidator : IAntiForgeryValidator
         private readonly IAntiForgeryTokenProvider _tokenProvider;
 
         public AntiForgeryValidator(IAntiForgeryTokenProvider tokenProvider, IAntiForgerySerializer serializer,
-                                    ICookies cookies, IFubuApplicationFiles fubuApplicationFiles,
-                                    IRequestData requestData)
+            ICookies cookies, IFubuApplicationFiles fubuApplicationFiles,
+            IRequestData requestData)
         {
             _tokenProvider = tokenProvider;
             _serializer = serializer;
@@ -30,29 +31,35 @@ public AntiForgeryValidator(IAntiForgeryTokenProvider tokenProvider, IAntiForger
         public bool Validate(string salt)
         {
             var applicationPath = _fubuApplicationFiles.GetApplicationPath();
-            string fieldName = _tokenProvider.GetTokenName();
-            string cookieName = _tokenProvider.GetTokenName(applicationPath);
+            var fieldName = _tokenProvider.GetTokenName();
+            var cookieName = _tokenProvider.GetTokenName(applicationPath);
 
-            Cookie cookie = _cookies.Get(cookieName);
+            var cookie = _cookies.Get(cookieName);
             if (cookie == null || string.IsNullOrEmpty(cookie.Value))
             {
                 return false;
             }
-            AntiForgeryData cookieToken = _serializer.Deserialize(HttpUtility.UrlDecode(cookie.Value));
 
-            var formValue = _requestData.ValuesFor(RequestDataSource.Request).Get(fieldName) as string;
-            if (string.IsNullOrEmpty(formValue))
+            var cookieToken = _serializer.Deserialize(HttpUtility.UrlDecode(cookie.Value));
+
+            var formValue = _requestData.ValuesFor(RequestDataSource.Header).Get(fieldName) as string
+                            ??
+                            _requestData.ValuesFor(RequestDataSource.Request).Get(fieldName) as string;
+
+            if (formValue.IsEmpty())
             {
                 return false;
             }
-            AntiForgeryData formToken = _serializer.Deserialize(formValue);
+
+            var formToken = _serializer.Deserialize(formValue);
 
             if (!string.Equals(cookieToken.Value, formToken.Value, StringComparison.Ordinal))
             {
                 return false;
             }
 
-            string currentUsername = AntiForgeryData.GetUsername(Thread.CurrentPrincipal);
+            var currentUsername = AntiForgeryData.GetUsername(Thread.CurrentPrincipal);
+
             if (!string.Equals(formToken.Username, currentUsername, StringComparison.OrdinalIgnoreCase))
             {
                 return false;