Optimize remote authenticate query (#729)

LeaFrock · web-flow · commit 8c16de16d9b4 · 2022-10-10T15:20:35.000+01:00
* Optimize the standardization for remote authentication query of Alipay and Wechat.
diff --git a/src/AspNet.Security.OAuth.Alipay/AlipayAuthenticationHandler.cs b/src/AspNet.Security.OAuth.Alipay/AlipayAuthenticationHandler.cs
@@ -15,6 +15,7 @@
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Primitives;
 
 namespace AspNet.Security.OAuth.Alipay;
 
@@ -32,17 +33,13 @@ public AlipayAuthenticationHandler(
     {
     }
 
+    private const string AuthCode = "auth_code";
+
     protected override Task<HandleRequestResult> HandleRemoteAuthenticateAsync()
     {
-        var query = Request.Query;
-        if (query.TryGetValue("auth_code", out var authCode))
+        if (TryStandardizeRemoteAuthenticateQuery(Request.Query, out var queryString))
         {
-            // The base `HandleRemoteAuthenticateAsync` requires that `Request.Query` must contain the key called `code`,
-            // which is actually the same as `auth_code` by Alipay's design, but `Request.Query` does not have `Add` operation.
-            // So here is a trick to get the private `Store` dictionary of `QueryCollection`.
-            var queryStore = query.ToDictionary(c => c.Key, c => c.Value, StringComparer.OrdinalIgnoreCase);
-            queryStore["code"] = authCode;
-            Request.QueryString = QueryString.Create(queryStore);
+            Request.QueryString = queryString;
         }
 
         return base.HandleRemoteAuthenticateAsync();
@@ -236,6 +233,38 @@ protected override string BuildChallengeUrl([NotNull] AuthenticationProperties p
         return QueryHelpers.AddQueryString(Options.AuthorizationEndpoint, parameters);
     }
 
+    private static bool TryStandardizeRemoteAuthenticateQuery(IQueryCollection query, out QueryString queryString)
+    {
+        if (!query.TryGetValue(AuthCode, out var authCode))
+        {
+            queryString = default;
+            return false;
+        }
+
+        // Before: mydomain/signin-alipay?auth_code=xxx&state=xxx&...
+        // After: mydomain/signin-alipay?code=xxx&state=xxx&...
+        var queryParams = new List<KeyValuePair<string, StringValues>>(query.Count)
+        {
+            new("code", authCode)
+        };
+        foreach (var item in query)
+        {
+            switch (item.Key)
+            {
+                case "code":
+                case AuthCode: // No need in fact, skip it
+                    break;
+
+                default:
+                    queryParams.Add(item);
+                    break;
+            }
+        }
+
+        queryString = QueryString.Create(queryParams);
+        return true;
+    }
+
     private static partial class Log
     {
         internal static async Task UserProfileErrorAsync(ILogger logger, HttpResponseMessage response, CancellationToken cancellationToken)
diff --git a/src/AspNet.Security.OAuth.Weixin/WeixinAuthenticationHandler.cs b/src/AspNet.Security.OAuth.Weixin/WeixinAuthenticationHandler.cs
@@ -14,6 +14,7 @@
 using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Primitives;
 
 namespace AspNet.Security.OAuth.Weixin;
 
@@ -33,17 +34,9 @@ public WeixinAuthenticationHandler(
 
     protected override async Task<HandleRequestResult> HandleRemoteAuthenticateAsync()
     {
-        if (!IsWeixinAuthorizationEndpointInUse())
+        if (!IsWeixinAuthorizationEndpointInUse() && TryStandardizeRemoteAuthenticateQuery(Request.Query, out var queryString))
         {
-            if (Request.Query.TryGetValue(OauthState, out var stateValue))
-            {
-                var query = Request.Query.ToDictionary(c => c.Key, c => c.Value, StringComparer.OrdinalIgnoreCase);
-                if (query.TryGetValue(State, out _))
-                {
-                    query[State] = stateValue;
-                    Request.QueryString = QueryString.Create(query);
-                }
-            }
+            Request.QueryString = queryString;
         }
 
         return await base.HandleRemoteAuthenticateAsync();
@@ -198,6 +191,38 @@ private bool IsWeixinAuthorizationEndpointInUse()
         return string.Equals(Options.AuthorizationEndpoint, WeixinAuthenticationDefaults.AuthorizationEndpoint, StringComparison.OrdinalIgnoreCase);
     }
 
+    private static bool TryStandardizeRemoteAuthenticateQuery(IQueryCollection query, out QueryString queryString)
+    {
+        if (!query.TryGetValue(OauthState, out var actualState))
+        {
+            queryString = default;
+            return false;
+        }
+
+        // Before: mydomain/signin-weixin?code=xxx&state=_oauthstate&_oauthstate=<actual state>&...
+        // After: mydomain/signin-weixin?code=xxx&state=<actual state>&...
+        var queryParams = new List<KeyValuePair<string, StringValues>>(query.Count - 1);
+        foreach (var item in query)
+        {
+            switch (item.Key)
+            {
+                case OauthState: // No need in fact, skip it
+                    break;
+
+                case State:
+                    queryParams.Add(new(State, actualState));
+                    break;
+
+                default:
+                    queryParams.Add(item);
+                    break;
+            }
+        }
+
+        queryString = QueryString.Create(queryParams);
+        return true;
+    }
+
     private static partial class Log
     {
         internal static async Task ExchangeCodeErrorAsync(ILogger logger, HttpResponseMessage response, CancellationToken cancellationToken)
